What is the relationship between letsencrypt and DANE TLSA?
None in particular, and at least nothing different from any other CA and DANE.
Why do you think there would be a specific relationship?
Can or should letsencrypt be used together with DANE TLSA?
You can, but should you, that is another matter entirely, and you are giving no details on your situation to know what would be best. Note that TLSA records are mostly used by email systems currently, not very much by browsers.
However, by default, certbot uses a new public key at each certificate renewal. This is good hygiene for cryptographic material; however, if you use the certificate in some TLSA records it means you will need to change those records, and carefully, considering various caches. The alternative is to instruct certbot, or an equivalent, to renew the certificate but use the same public key. It would not be wise, however, to never change the key.
After that, again, your question is the same for any CA; why do you specifically pick Let’s Encrypt?
Is DANE TLSA a full replacement for letsencrypt (and any certificate authority (CA) based)?
No, or not fully. Did you read at least some introductory material on DANE?
There are multiple usages:
- PKIX-TA: you publish the CA certificate for a given service, and the connection can proceed only if the certificate presented by the server is from this given CA.
- PKIX-EE: you publish the certificate that the client is expected to see from the server, but the usual PKIX validation must occur (the certificate needs to have a valid trust path up to a root certificate).
- DANE-TA: the certificate that will be used is chained to the one published here, and no PKIX validation is necessary (that means basically anyone can be their own CA).
- DANE-EE: the certificate is self-signed and published in the DNS; it should be the one seen when connecting.
On top of the above, you can publish either the certificate or the public key, and when you publish the certificate it can be the certificate itself or a fingerprint.
This is all detailed in the Wikipedia entry on DANE, you should have a look at it.
When letsencrypt is used together with DANE TLSA, can or should two different SSL certificates be used?
First, do not say “SSL certificates”, as this is doubly wrong:
- SSL died 20 years ago because in 1999 TLS was invented and it is its successor. No sane person would still run SSL versions today…
- You can use TLS without certificates (TLS works as well with a shared key), and you can use those certificates outside TLS (e.g. S/MIME)
So you are dealing with “X.509 certificates” if you want to be precise, but otherwise “certificate” is enough in this context; everyone understands which kind of certificates you are talking about.
Now, why 2 certificates? With Let’s Encrypt you can generate as many as you want if you like (until you reach their rate limits), and you can have multiple
Hence you can have 2 certificates if you want. Or 1. Or 3. Or 10.
“It depends”. Your questions at this stage are far too vague/generic. Where do they come from to have this shape?
PS1: you should also look at CAA records if you are serious about handling your certificates. All known public CAs have to use them, and hence you can restrict which CA can deliver certificates for the domains you maintain.
PS2: and of course if you are really serious, if you use CAA records, you need to use DNSSEC.
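The two points above that matter most in practice are the TLSA field layout (usage, selector, matching type) and the effect of certbot's default key rotation on the published records. The Go program below is an added example, not code from the original answer or from certbot or Let's Encrypt: it builds a constructed self-signed certificate for the made-up name mail.example.net (standing in for a CA-issued one), renders the TLSA RDATA in presentation form using the field numbers from RFC 6698, and then checks which records survive a renewal with the same key versus a renewal with a fresh key. The function and constant names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA field values from RFC 6698: certificate usage, selector, matching type.
const (
	UsagePKIXTA = 0 // CA constraint, PKIX validation still required
	UsagePKIXEE = 1 // service certificate constraint, PKIX validation still required
	UsageDANETA = 2 // trust anchor assertion, no PKIX validation
	UsageDANEEE = 3 // domain-issued certificate, no PKIX validation

	SelectorFullCert = 0 // whole DER certificate
	SelectorSPKI     = 1 // SubjectPublicKeyInfo (the public key) only

	MatchFull   = 0 // raw data
	MatchSHA256 = 1 // SHA-256 of the data
)

// association returns the certificate association data for selector/matching.
func association(cert *x509.Certificate, selector, matching int) []byte {
	data := cert.Raw
	if selector == SelectorSPKI {
		data = cert.RawSubjectPublicKeyInfo
	}
	if matching == MatchSHA256 {
		sum := sha256.Sum256(data)
		return sum[:]
	}
	return data
}

// TLSARecord renders the RDATA in presentation form: "usage selector matching hexdata".
func TLSARecord(cert *x509.Certificate, usage, selector, matching int) string {
	return fmt.Sprintf("%d %d %d %s", usage, selector, matching,
		hex.EncodeToString(association(cert, selector, matching)))
}

// NewKey generates a fresh P-256 key, standing in for the key certbot creates at renewal.
func NewKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}

// SelfSigned issues a constructed self-signed certificate for name (a stand-in for a CA-issued one).
func SelfSigned(name string, key *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    now,
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// RenewalChangesRecord reports whether replacing oldCert by newCert changes the
// DANE-EE SHA-256 record for the given selector, i.e. whether DNS must be updated.
func RenewalChangesRecord(oldCert, newCert *x509.Certificate, selector int) bool {
	return TLSARecord(oldCert, UsageDANEEE, selector, MatchSHA256) !=
		TLSARecord(newCert, UsageDANEEE, selector, MatchSHA256)
}

func main() {
	name := "mail.example.net" // constructed hostname
	key := NewKey()
	current := SelfSigned(name, key, 1)
	renewedSameKey := SelfSigned(name, key, 2)     // renewal reusing the key
	renewedNewKey := SelfSigned(name, NewKey(), 3) // renewal with a fresh key (certbot default)

	fmt.Printf("_25._tcp.%s. IN TLSA %s\n", name, TLSARecord(current, UsageDANEEE, SelectorSPKI, MatchSHA256))
	fmt.Println("same key, new cert changes '3 1 1':", RenewalChangesRecord(current, renewedSameKey, SelectorSPKI))
	fmt.Println("same key, new cert changes '3 0 1':", RenewalChangesRecord(current, renewedSameKey, SelectorFullCert))
	fmt.Println("new key changes '3 1 1':", RenewalChangesRecord(current, renewedNewKey, SelectorSPKI))
}
```

Running it shows why the answer's remark about renewal matters: a "3 1 1" record (SPKI, SHA-256) stays valid across renewals as long as the key is reused, whereas a "3 0 1" record (full certificate) must be republished at every renewal, and any record must be republished, with the old one kept alongside until caches expire, when the key changes.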