Deploy360 19 October 2012

Walking Through Setting Up A TLSA Record for DNSSEC/DANE

By Dan York, Director, Web Strategy & Project Lead, Open Standards Everywhere

In a post titled “DNSSEC and Certificates” today, Shumon Huque provides a nice walk-through of the steps needed to set up a TLSA record in DNS that ties an SSL/TLS certificate into the global chain-of-trust created by DNSSEC. First, though, he explains very succinctly why we should care about security issues related to current certificate authorities (CAs) and how the new DANE protocol helps address this.

He then steps through what he had to do with openssl to create the appropriate TLSA record for his existing SSL certificate (and points out the availability of Paul Wouters' hash-slinger tool to make this even easier).
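To make the record concrete, here is an added example (not from this post or from Shumon's walk-through) that derives TLSA record data from a DER certificate using only the Python standard library instead of openssl. The host name, port and sample certificate are constructed placeholders; the defaults 3 1 1 mean domain-issued certificate, SubjectPublicKeyInfo, SHA-256 as defined in RFC 6698.

```python
import hashlib

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def extract_spki(cert):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (selector 1)."""
    _, pos, _ = read_tlv(cert, 0)        # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, pos)      # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                      # optional [0] version field
        pos = end
    for _field in range(5):              # serial, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert[pos:end]

def tlsa_record(host, port, cert, usage=3, selector=1, mtype=1):
    """Format a TLSA record (RFC 6698) for a DER-encoded certificate."""
    data = cert if selector == 0 else extract_spki(cert)
    digest = {0: bytes.hex, 1: lambda d: hashlib.sha256(d).hexdigest(),
              2: lambda d: hashlib.sha512(d).hexdigest()}[mtype](data)
    return f"_{port}._tcp.{host}. IN TLSA {usage} {selector} {mtype} {digest}"

def der(tag, content):
    """Build one DER TLV (used only to construct the sample below)."""
    n = len(content)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + content

# Constructed skeleton, not a real certificate: correct shape, empty names, dummy key.
EMPTY = der(0x30, b"")
SAMPLE_SPKI = der(0x30, EMPTY + der(0x03, b"\x00" + bytes(range(200))))
SAMPLE_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + EMPTY * 4 + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, SAMPLE_TBS + EMPTY + der(0x03, b"\x00"))

if __name__ == "__main__":
    print(tlsa_record("www.example.com", 443, SAMPLE_CERT))
    print(tlsa_record("www.example.com", 443, SAMPLE_CERT, selector=0))
```

For a real PEM certificate, `ssl.PEM_cert_to_DER_cert()` from the standard library yields the DER bytes to pass in. A selector 1 record keeps matching when the certificate is reissued with the same key, while a selector 0 record must be replaced on every reissue.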

It’s good to see posts like this explaining the process and we’ll be looking to add tutorials like this to our site as we continue to expand our DANE coverage in the weeks and months ahead.

By the way, Shumon will be one of the speakers at our ION San Diego conference on December 11th.  If you want to learn about DNSSEC and IPv6 topics and can get to San Diego, we’d definitely suggest you consider attending!

P.S. We’ve added Shumon’s site to the list of DANE test sites that developers can use to test out new DANE applications.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.