Donate
‹ Back
Domain Name System Security Extensions (DNSSEC) 30 November 2012

Hash-slinger – a tool for creating TLSA records for the DANE protocol

Hash-slinger is a package of tools created by Paul Wouters of RedHat to make it easy to create records for  the DANE protocol that will allow you to secure your SSL/TLS certificates using DNSSEC.

The package is available for Linux at:

http://people.redhat.com/pwouters/hash-slinger/

One of the tools provided in the package is a command “tlsa” that generates TLSA records (outlined in RFC 6698). Paul Wouters showed how easy it is:

$ tlsa --create ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TLSA 3 0 1 54f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e

You can now copy that record to your DNS zone file and be in the business of publishing a TLSA record.

If your nameserver or DNSSEC-signing software does not yet support the TLSA RRtype defined in RFC 6698, you can create a “generic” record type:

$ tlsa --create -o generic ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TYPE52 # 35 03000154f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e

The “tlsa” command also has other options for generating other types of TLSA records.

 

 

‹ Back
Join the conversation with Internet Society members around the world