Deploy360 19 October 2012

Walking Through Setting Up A TLSA Record for DNSSEC/DANE

By Dan YorkDirector, Internet Technology

In a post titled “DNSSEC and Certificates” today, Shumon Huque provides a nice walk-through of the steps needed to get set up with a TLSA record in DNS to tie a SSL/TLS certificate into the global chain-of-trust created by DNSSEC. First, though, he explains very succinctly why we should care about security issues related to current certificate authorities (CAs) and how the new DANE protocol helps address this.

He then steps through what he had to do with openssl to create the appropriate TLSA record for his existing SSL certificate (and points out the availability of Paul Wouters hash-slinger tool to make this even easier).

It’s good to see posts like this explaining the process and we’ll be looking to add tutorials like this to our site as we continue to expand our DANE coverage in the weeks and months ahead.

By the way, Shumon will be one of the speakers at our ION San Diego conference on December 11th.  If you want to learn about DNSSEC and IPv6 topics and can get to San Diego, we’d definitely suggest you consider attending!

P.S. We’ve added Shumon’s site to the list of DANE test sites that developers can use to test out new DANE applications.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...