TLSA records for Let's Encrypt & Buypass Go
TLSA.is provides a managed alternative to generating and publishing one's own TLSA records, which are required for DANE. TLSA.is creates, publishes and keeps current DANE-TA TLSA resource records for a number of supported Certificate Authorities (Let's Encrypt and Buypass).
Generation of the TLSA records has been integrated into the project owner's own DNS management tool navn and takes place at least weekly, just before the periodic refresh of DNSSEC signatures. The TLSA generation setup is documented below.
The TLSA DNS resource record (RR), specified in RFC 6698, is used to associate a TLS server certificate or public key with the domain name where the record is found, thus forming a "TLSA certificate association".
Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG).
TLSA.is publishes TLSA records for the intermediate certificates published by Let's Encrypt.
In order to use the TLSA resource record, a CNAME or a DNAME record pointing to _letsencrypt.tlsa.is should be published as needed, e.g.:
; Using CNAME for a single service
_25._tcp.mail IN CNAME _letsencrypt.tlsa.is.
; Using DNAME for all services
_tcp.mail6 IN DNAME _letsencrypt.tlsa.is.
The Norwegian Certificate Authority Buypass provides Buypass Go as an alternative to Let's Encrypt.
TLSA.is publishes TLSA records for the issuing certificate published by Buypass.
In order to use the TLSA resource record, a CNAME or a DNAME record pointing to _buypass-go.tlsa.is should be published as needed, e.g.:
; Using CNAME for a single service
_25._tcp.mail IN CNAME _buypass-go.tlsa.is.
; Using DNAME for all services
_tcp.mail6 IN DNAME _buypass-go.tlsa.is.
The generation of the TLSA records is done by a Python script (Python 3.8 is required due to use of the walrus operator), which simply prints the resource records to stdout; the output is then included in a zone file (e.g. by using the $INCLUDE statement).
The script uses a configuration file, which specifies the name for the resource records, source for the certificates etc.
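As an added illustration of what such a generator has to do (this is not the TLSA.is script, whose code is not shown here), the following stdlib-only Python derives a DANE-TA record (usage 2, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256) from a CA certificate in PEM form and prints it as a zone-file line. The certificate it runs on is a constructed X.509 skeleton, not a real Let's Encrypt or Buypass intermediate; the owner name _letsencrypt.tlsa.is. is taken from this page.

```python
import hashlib
import ssl

def _tlv(data, pos):
    """Decode a DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_der(cert_der):
    """Return the DER-encoded subjectPublicKeyInfo (RFC 5280) of an X.509 certificate."""
    _, tbs_start, _ = _tlv(cert_der, 0)               # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, tbs_end = _tlv(cert_der, tbs_start)        # tbsCertificate ::= SEQUENCE { ... }
    fields = []
    while pos < tbs_end:
        tag, _, end = _tlv(cert_der, pos)
        fields.append((tag, cert_der[pos:end]))         # keep the whole TLV, not just its value
        pos = end
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields.pop(0)
    return fields[5][1]  # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo

def assoc_data(cert_pem, selector):
    """Certificate association data: selector 0 = full certificate, 1 = SubjectPublicKeyInfo."""
    der = ssl.PEM_cert_to_DER_cert(cert_pem)
    return der if selector == 0 else spki_der(der)

def tlsa_record(owner, cert_pem, usage=2, selector=1, mtype=1):
    """One zone-file line; usage 2 = DANE-TA, matching type 1 = SHA-256, 2 = SHA-512."""
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[mtype](assoc_data(cert_pem, selector)).hexdigest()
    return f"{owner} IN TLSA {usage} {selector} {mtype} {digest}"

# Constructed sample input (not a real CA certificate): a structurally valid X.509
# skeleton built with a minimal DER encoder, just enough to exercise the walker.
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body
SEQ, INT, BITS, NULL, OID, VER = 0x30, 0x02, 0x03, 0x05, 0x06, 0xA0
ALG = _der(SEQ, _der(OID, bytes.fromhex("2a864886f70d010101")) + _der(NULL, b""))  # dummy AlgorithmIdentifier
SPKI = _der(SEQ, ALG + _der(BITS, b"\x00" + b"\x42" * 32))                          # dummy key bits
TBS = _der(SEQ, _der(VER, _der(INT, b"\x02")) + _der(INT, b"\x01") + ALG
           + _der(SEQ, b"") * 3 + SPKI)                                 # issuer, validity, subject left empty
CERT_DER = _der(SEQ, TBS + ALG + _der(BITS, b"\x00" * 9))
CERT_PEM = ssl.DER_cert_to_PEM_cert(CERT_DER)
print(tlsa_record("_letsencrypt.tlsa.is.", CERT_PEM))
```

Pointing the script at a real intermediate certificate file and redirecting stdout produces the fragment a zone file can pull in with $INCLUDE, as described above.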
The following Python modules are required:
TLSA.is solves the project owner's personal requirement. It may, however, stop working at any time – use at own risk.
Please get in touch if you have discovered an error, if some TLSA records for the supported authorities should be added, deleted or updated, or if you have any other comments or suggestions.