Donate
‹ Back
Deploy360 30 November 2012

Hash-slinger Helps You Easily Create TLSA records for DNSSEC / DANE

Dan York
By Dan YorkDirector, Web Strategy & Project Lead, Open Standards Everywhere

If you are looking to get started with the DANE protocol to provide higher security for SSL/TLS certificates, a basic question can be – how do you generate a TLSA record to put in your DNS zone file?

As we outlined before, there are a number of different tools you can use.  One that is perhaps the simplest, though, is a package for Linux from Paul Wouters called “hash-slinger” that is available at:

http://people.redhat.com/pwouters/hash-slinger/

One of the tools provided in the package is a command “tlsa” which does exactly what you might think – generate the TLSA record!  Paul showed how easy it is:

$ tlsa --create ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TLSA 3 0 1 54f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e

That’s it!  Now you can copy that record to your DNS zone file and you will be in the business of publishing a TLSA record!

Well, okay, it might not be that simple.  If your nameserver or DNSSEC-signing tool doesn’t yet support the TLSA record (outlined in RFC 6698), you might need to add a “-o generic” flag onto the command line to get the appropriate record. And you might want to add on more options, as Shumon Huque did in his walk-through of setting up a TLSA record.

The key is that this tool is out there and can help all of us interested in getting the DANE protocol more widely deployed to start getting TLSA records more visible. Kudos to Paul for developing the tool and making it available.

If you use SSL/TLS on your sites, and you have your domain signed with DNSSEC, why not go the extra step and get a TLSA record out there?

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Want To Quickly Create A TLSA Record For DANE / DNSSEC?
Deploy3606 December 2013

Want To Quickly Create A TLSA Record For DANE / DNSSEC?

Would you like to use the DANE protocol to secure your SSL/TLS certificate via DNSSEC?  If so, the first step...

Walking Through Setting Up A TLSA Record for DNSSEC/DANE
Deploy36019 October 2012

Walking Through Setting Up A TLSA Record for DNSSEC/DANE

In a post titled "DNSSEC and Certificates" today, Shumon Huque provides a nice walk-through of the steps needed to get...

Testing DANE For Sending Secure Email at the Go6lab
Deploy36028 May 2015

Testing DANE For Sending Secure Email at the Go6lab

After successful DNSSEC signing of go6.si, go6lab.si, zorz.si and other domains in Go6lab we decided that it was time to...

Join the conversation with Internet Society members around the world