On Tue, May 22, 2018 at 12:30:23PM -0400, Viktor Dukhovni via Exim-users wrote:
> One small correction to the text below:
>
> https://tools.ietf.org/html/rfc7671#section-5.2.2

Perhaps another tweak would be useful, in the below:

At the time of writing, https://www.huque.com/bin/gen_tlsa is
useful for quickly generating TLSA records; and commands like

    $ openssl x509 -pubkey -noout <certificate.pem \
      | openssl rsa -outform der -pubin 2>/dev/null \
      | openssl sha512 \
      | awk '{print $2}'

it should be emphasized that this generates hashes for "3 1 2" TLSA
records. I don't think that "3 1 2" is warranted at present and
DNS packet sizes should be kept as small as possible to avoid issues
with dropped UDP fragments. So I would instead recommend "3 1 1",
i.e. a "sha256" rather than "sha512" hash. The command would be
(no longer RSA-specific, at the cost of requiring OpenSSL 1.0.0
or later):

    $ fqdn=$(uname -n) # or some manually entered name
    $ hash="$(
        openssl x509 -pubkey -noout -in certificate.pem |
        openssl pkey -pubin -outform der |
        openssl dgst -sha256 -binary |
        hexdump -ve '/1 "%02x"'
      )"
    $ empty="$(
        openssl dgst -sha256 -binary </dev/null |
        hexdump -ve '/1 "%02x"'
      )"
    $ if [ "$hash" != "$empty" ]; then
        printf "_25._tcp.%s. IN TLSA 3 1 1 %s\n" "$fqdn" "$hash"
      fi

This also checks that the hash is not the hash of an empty input,
due to failure of "openssl x509" and/or "openssl pkey".
--
Viktor.
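
Added example (not part of the original message): a POSIX shell check that a published "3 1 1" TLSA record still matches a certificate file on disk, reusing the SPKI SHA-256 computation and the empty-input guard described above. The function names, the certificate path and the owner name in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are
# hypothetical; usage:
#   sh tlsa_check.sh '_25._tcp.mail.example.test. IN TLSA 3 1 1 <hex>' cert.pem

# hex_sha256: hex-encode the SHA-256 digest of standard input.
hex_sha256() {
    openssl dgst -sha256 -binary | od -An -v -tx1 | tr -d ' \t\n'
}

# spki_sha256 CERT.pem: digest of the certificate's SubjectPublicKeyInfo,
# i.e. the data field of a "3 1 1" record. A failed "openssl x509" or
# "openssl pkey" leaves the pipeline hashing empty input, so that digest
# is rejected instead of being printed.
spki_sha256() {
    hash=$(openssl x509 -pubkey -noout -in "$1" 2>/dev/null |
           openssl pkey -pubin -outform der 2>/dev/null | hex_sha256)
    empty=$(hex_sha256 </dev/null)
    [ -n "$hash" ] && [ "$hash" != "$empty" ] || return 1
    printf '%s\n' "$hash"
}

# tlsa_matches 'RR line' CERT.pem
# Returns 0 on match, 1 on mismatch, 2 if the record is not "3 1 1",
# 3 if no public key could be extracted from the certificate file.
tlsa_matches() {
    # The three parameter fields that follow the TLSA keyword.
    params=$(printf '%s\n' "$1" | awk '{for(i=1;i<=NF;i++) if($i=="TLSA"){print $(i+1),$(i+2),$(i+3); exit}}')
    # The hex data, lowercased, with any whitespace between chunks removed.
    data=$(printf '%s\n' "$1" | awk '{for(i=1;i<=NF;i++) if($i=="TLSA"){s=""; for(j=i+4;j<=NF;j++) s=s $j; print tolower(s); exit}}')
    [ "$params" = "3 1 1" ] || return 2
    want=$(spki_sha256 "$2") || return 3
    [ "$data" = "$want" ]
}

if [ "$#" -eq 2 ]; then
    tlsa_matches "$1" "$2" && echo "TLSA record matches certificate"
fi
```

Running this against the new certificate before deploying it shows whether the record already published in DNS would still validate after a key change.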