On Fri, Oct 10, 2014 at 11:43:06PM +0200, Mark Elkins wrote:
> I control both server and DNS. I went with:
>
> _25._tcp.mje99.posix.co.za. IN TLSA 3 0 1 {hexxy stuff}

Note however, that with the "za" TLD unsigned, most sites will not
be able to validate your zone keys/signature. At least my DNS
resolver is not using any DLV look-aside servers. So in effect
your domain looks like an unsigned non-DANE domain.

> I'm unsure of the middle digit...
> 0 = Full certificate
> 1 = SubjectPublicKeyInfo
> ... doesn't mean very much to me.

The digest can either cover the entire certificate, or just the
enclosed public key. I recommend the latter. Starting with
a certificate file, you can obtain the hex bits via:

    $ openssl x509 -in cert.pem -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 |
        awk '{printf "IN TLSA 3 1 1 %s\n", $NF}'

This is of course somewhat moot with "za" unsigned.

http://stats.research.icann.org/dns/tld_report/

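The selector choice above (0 = whole certificate, 1 = SubjectPublicKeyInfo) and the matching type (1 = SHA-256) can be worked through without OpenSSL. The following is an added example, not code from the mail or from Postfix: it walks the outer DER structure of an X.509 certificate to pull out the raw SubjectPublicKeyInfo (the same bytes `openssl pkey -pubin -outform DER` emits), builds TLSA rdata for either selector, and includes the check a verifying client performs. The certificate it operates on is a constructed, unsigned stand-in built in the script (fake key, placeholder signature), so the digests it prints are meaningful only for comparing the two selectors; the owner name `_25._tcp.mje99.posix.co.za.` is taken from the thread, and the function names are this example's own.

```python
"""TLSA (RFC 6698) rdata from a DER certificate: selector 0 vs selector 1.

Added example, not from the original mail.  The certificate below is a
constructed, structurally valid but unsigned X.509 blob for demonstration.
"""
import hashlib


def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    """Wrap body in a tag-length-value triple."""
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, off):
    """Parse the TLV at buf[off]; return (tag, value, start, end)."""
    tag = buf[off]
    length = buf[off + 1]
    pos = off + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], off, pos + length


def _children(value):
    """Yield (tag, raw_tlv_bytes) for each element of a SEQUENCE body."""
    off = 0
    while off < len(value):
        tag, _, start, end = _read_tlv(value, off)
        yield tag, value[start:end]
        off = end


def subject_public_key_info(cert_der):
    """Return the raw DER SubjectPublicKeyInfo (selector 1 input)."""
    _, cert_body, _, _ = _read_tlv(cert_der, 0)     # Certificate SEQUENCE
    _, tbs_body, _, _ = _read_tlv(cert_body, 0)     # tbsCertificate SEQUENCE
    fields = list(_children(tbs_body))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, spki = fields[5]
    if tag != 0x30:
        raise ValueError("unexpected tag where subjectPublicKeyInfo should be")
    return spki


def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """Build TLSA rdata: selector 0 = full cert, 1 = SPKI; mtype 0/1/2 = exact/SHA-256/SHA-512."""
    if selector not in (0, 1):
        raise ValueError("unknown selector")
    data = cert_der if selector == 0 else subject_public_key_info(cert_der)
    if mtype == 0:
        cad = data.hex()
    elif mtype == 1:
        cad = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        cad = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {cad}"


def tlsa_matches(cert_der, rdata):
    """Verifier side: does the presented certificate match this TLSA rdata?"""
    usage, selector, mtype, cad = rdata.split()
    expected = tlsa_rdata(cert_der, int(usage), int(selector), int(mtype))
    return expected.split()[3] == cad.lower()


# --- constructed certificate (hypothetical, unsigned; for demonstration only) ---
_OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
_OID_RSA = bytes.fromhex("2a864886f70d010101")          # 1.2.840.113549.1.1.1
_OID_CN = bytes.fromhex("550403")                       # 2.5.4.3 (commonName)


def _name(cn):
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, _OID_CN) + _tlv(0x0C, cn.encode()))))


def constructed_certificate(with_version=True):
    """Structurally valid X.509 DER with a fake RSA key and a zeroed signature."""
    alg = _tlv(0x30, _tlv(0x06, _OID_SHA256_RSA) + _tlv(0x05, b""))
    fake_modulus = b"\x00\xC1" + bytes(range(1, 63))      # constructed, not a real key
    rsa_key = _tlv(0x30, _tlv(0x02, fake_modulus) + _tlv(0x02, b"\x01\x00\x01"))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, _OID_RSA) + _tlv(0x05, b""))
                + _tlv(0x03, b"\x00" + rsa_key))
    tbs = b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")) if with_version else b"",   # v3 marker or v1 (absent)
        _tlv(0x02, b"\x01"),                                         # serialNumber
        alg,                                                         # signature algorithm
        _name("constructed CA"),                                     # issuer
        _tlv(0x30, _tlv(0x17, b"141010000000Z") + _tlv(0x17, b"151010000000Z")),  # validity
        _name("mje99.posix.co.za"),                                  # subject
        spki,
    ])
    return _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00" + bytes(32)))


if __name__ == "__main__":
    cert = constructed_certificate()
    owner = "_25._tcp.mje99.posix.co.za."
    for sel in (0, 1):
        print(f"{owner} IN TLSA {tlsa_rdata(cert, 3, sel, 1)}")
```

Re-issuing the constructed certificate with the same key but a different body (here, dropping the version field) changes the selector 0 digest but leaves the selector 1 digest unchanged, which is the practical reason to prefer "3 1 1": the record survives certificate renewals as long as the key is kept.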
--
Viktor.