Deploy360 6 December 2013

Want To Quickly Create A TLSA Record For DANE / DNSSEC?

By Dan YorkDirector, Internet Technology

Generate-TLSA-Record-3Would you like to use the DANE protocol to secure your SSL/TLS certificate via DNSSEC?  If so, the first step is to generate and publish a “TLSA record” in DNS – and that record generation can be a stumbling block for some people.  While there are command-line tools such as just the basic “openssl” or Paul Wouter’s “hash-slinger“, Shumon Huque recently released a web interface that lets you easily create a TLSA record.  As Shumon writes about on his blog, the tool is at:

https://www.huque.com/bin/gen_tlsa

All you need to do is to set the type of TLSA record you want to create, paste in the X.509 certificate, and enter the appropriate port number, protocol and domain name.  Shumon’s script then generates the appropriate TLSA record that you can paste into your DNS zone file.

Last year, Shumon wrote a post on “DNSSEC and Certificates” where he walked through how to do this using openssl on the command line – this latest post now builds on that to make it even easier.

It’s excellent that Shumon has made this tool available and we look forward to seeing many more TLSA records out there!  (If you have a SSL/TLS cert for your website, how about adding a TLSA record today?)

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...