Always current TLSA records for Let's Encrypt & Buypass Go

About TLSA.is

TLSA.is provides a managed alternative to generating and publishing one's own TLSA records, which are required for DANE. TLSA.is creates, publishes and keeps current DANE-TA TLSA resource records for a number of supported Certificate Authorities (Let's Encrypt and Buypass).

Generation of the TLSA records has been integrated into the project owner's own DNS management tool navn and takes place at least weekly, just before the periodic refresh of DNSSEC signatures. The TLSA generation setup is documented below.

WTF?

The TLSA DNS resource record (RR), specified in RFC 6698, is used to associate a TLS server certificate or public key with the domain name where the record is found, thus forming a "TLSA certificate association".

Supported Certificate Authorities

Let's Encrypt

Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG).

TLSA.is publishes TLSA records for the intermediate certificates published by Let's Encrypt.

In order to use the TLSA resource record, a CNAME or a DNAME record pointing to _letsencrypt.tlsa.is should be published as needed, e.g.:

; Using CNAME for a single service
_25._tcp.mail		IN	CNAME	_letsencrypt.tlsa.is.

; Using DNAME for all services
_tcp.mail6		IN	DNAME	_letsencrypt.tlsa.is.

Buypass

The Norwegian Certificate Authority Buypass provides Buypass Go as an alternative to Let's Encrypt.

TLSA.is publishes TLSA records for the issuing certificate published by Buypass.

In order to use the TLSA resource record, a CNAME or a DNAME record pointing to _buypass-go.tlsa.is should be published as needed, e.g.:

; Using CNAME for a single service
_25._tcp.mail		IN	CNAME	_buypass-go.tlsa.is.

; Using DNAME for all services
_tcp.mail6		IN	DNAME	_buypass-go.tlsa.is.

DIY

Summary

The TLSA records are generated by a Python script (Python 3.8 or later is required because the script uses the walrus operator). The script simply prints the resource records to stdout; that output is then included in a zone file, e.g. with the $INCLUDE statement.
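The following is an added example, not the TLSA.is project's own script, showing what such a generator does: it takes a DER-encoded CA certificate, derives the DANE-TA (certificate usage 2) association data that the TLSA record definition above describes, and prints zone-file lines ready for $INCLUDE. It uses only the standard library: a minimal DER walker picks out the SubjectPublicKeyInfo by relying on the fixed field order of an X.509 tbsCertificate (it does not validate the certificate), and hashlib computes the matching-type digests. The certificate built at the bottom is a constructed stand-in with a dummy key, not a real Let's Encrypt or Buypass intermediate, and the owner name _example-ca is a placeholder; with a real intermediate you would read its DER bytes from a file instead.

```python
"""Added example (not the TLSA.is script): DANE-TA TLSA records from a DER CA certificate."""
import hashlib

SEQUENCE, SET, INTEGER, BIT_STRING, NULL, OID, UTF8STRING, UTCTIME = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17)
VERSION_CTX0 = 0xA0  # [0] EXPLICIT tag wrapping the optional version field


def der_tlv(tag, value):
    """Encode one DER tag-length-value triple (short- or long-form length)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def der_children(buf, start, end):
    """Yield (tag, value_start, value_end, tlv_start, tlv_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tlv_start = pos
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                     # long form: the next N bytes hold the length
            nbytes = length & 0x7F
            length = int.from_bytes(buf[pos:pos + nbytes], "big")
            pos += nbytes
        yield tag, pos, pos + length, tlv_start, pos + length
        pos += length


def extract_spki(cert_der):
    """Return the DER bytes of the certificate's SubjectPublicKeyInfo (RFC 5280 field order)."""
    cert = next(der_children(cert_der, 0, len(cert_der)))
    tbs = next(der_children(cert_der, cert[1], cert[2]))
    if cert[0] != SEQUENCE or tbs[0] != SEQUENCE:
        raise ValueError("not a DER Certificate")
    fields = list(der_children(cert_der, tbs[1], tbs[2]))
    if fields[0][0] == VERSION_CTX0:          # version is OPTIONAL; skip it when present
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki = fields[5]
    return cert_der[spki[3]:spki[4]]


def tlsa_rdata(cert_der, usage=2, selector=1, matching=1):
    """Build TLSA RDATA: usage, selector, matching type, association data in hex."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching == 0:
        assoc = data
    elif matching == 1:
        assoc = hashlib.sha256(data).digest()
    elif matching == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {matching} {assoc.hex()}"


def verify_tlsa(cert_der, rdata):
    """Defensive check: does an already published RDATA still match this certificate?"""
    usage, selector, matching, _ = rdata.split()
    return tlsa_rdata(cert_der, int(usage), int(selector), int(matching)) == rdata.lower()


def zone_lines(owner, cert_der, ttl=3600):
    """Zone-file lines for the two common DANE-TA forms, '2 0 1' (full cert) and '2 1 1' (SPKI)."""
    return [f"{owner}\t{ttl}\tIN\tTLSA\t{tlsa_rdata(cert_der, 2, sel, 1)}" for sel in (0, 1)]


# --- constructed stand-in certificate (DER-valid shape, dummy key, not a real CA) ---
def _name(cn):
    attr = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("550403")) + der_tlv(UTF8STRING, cn.encode()))
    return der_tlv(SEQUENCE, der_tlv(SET, attr))


SHA256_RSA = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2A864886F70D01010B")) + der_tlv(NULL, b""))
RSA_ENC = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2A864886F70D010101")) + der_tlv(NULL, b""))
_rsa_key = der_tlv(SEQUENCE, der_tlv(INTEGER, b"\x01" + b"\xAB" * 63) + der_tlv(INTEGER, b"\x01\x00\x01"))
EXAMPLE_SPKI = der_tlv(SEQUENCE, RSA_ENC + der_tlv(BIT_STRING, b"\x00" + _rsa_key))
_tbs = der_tlv(SEQUENCE,
               der_tlv(VERSION_CTX0, der_tlv(INTEGER, b"\x02"))       # v3
               + der_tlv(INTEGER, b"\x01")                              # serialNumber
               + SHA256_RSA                                             # signature
               + _name("Example CA")                                    # issuer
               + der_tlv(SEQUENCE, der_tlv(UTCTIME, b"240101000000Z")
                         + der_tlv(UTCTIME, b"340101000000Z"))          # validity
               + _name("Example CA")                                    # subject
               + EXAMPLE_SPKI)
EXAMPLE_CERT = der_tlv(SEQUENCE, _tbs + SHA256_RSA + der_tlv(BIT_STRING, b"\x00" + b"\xCD" * 64))

if __name__ == "__main__":
    # "_example-ca" is a placeholder owner; a tlsa.is-style zone would use e.g. _letsencrypt
    for line in zone_lines("_example-ca", EXAMPLE_CERT):
        print(line)
```

The "2 1 1" line is the one most deployments publish: because selector 1 hashes only the public key, the record stays valid when the CA re-issues its intermediate with the same key, whereas a selector 0 record (hash of the whole certificate) has to be regenerated. verify_tlsa is the check a weekly job should run before re-signing the zone, so a record that no longer matches the current intermediate is noticed rather than silently left in place.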

Configuration

The script uses a configuration file, which specifies the name for the resource records, source for the certificates etc.

Required modules

The following Python modules are required:

Big Red Warning

TLSA.is solves the project owner's personal requirement. It may, however, stop working at any time – use at own risk.

Contact

Please get in touch if you have discovered an error, if some TLSA records for the supported authorities should be added, deleted or updated, or if you have any other comments or suggestions.


– Created and operated by Kirill Miazine