Maintained by: NLnet Labs

[Unbound-users] suggestion for ldns-dane

Willem Toorop
Wed Oct 1 13:03:36 CEST 2014


I've chosen 3 0 1 because it is more specific than 3 1 1.  More material
is processed to assess the validity.  Though, I have to admit I use 3 1 1
myself as well because I'm lazy and don't want to roll over TLSA records
every time the certificate needs to update.

Is "3 1 1" mentioned somewhere in a BCP document somewhere?  If so, I'm
happy to alter the defaults right away.

Actually, I'm happy to change the defaults anyway unless someone is
against it...

We have a ldns-users list too (CC'ed).  I suggest we continue this topic
there (if needed).

-- Willem

On 30-09-14 at 14:47, A. Schulze wrote:
> Hello,
> 
> maybe it's a little bit off topic but I think it's interesting anyway.
> ldns-dane as part of http://nlnetlabs.nl/projects/ldns/
> allows users to create TLSA records. By default the tool creates 3-0-1
> records
> 
> $ ldns-dane -c mail.example.org.pem create mail.example.org 25
> _25._tcp.mail.example.org. 3600 IN TLSA 3 0 1 cafe...
> 
> Today I learned from Viktor Dukhovni it's strongly recommended to use
> TLSA Records
> type 3-1-1 ( Selector = SubjectPublicKeyInfo )
> 
> To generate recommended records I have to specify additional arguments:
> $ ldns-dane -c mail.example.org.pem create mail.example.org 25 3 1 1
> _25._tcp.mail.example.org. 3600 IN TLSA 3 1 1 beef...
> 
> Would it be possible to modify ldns-dane to simply create
> the record in a recommended way?
> 
> Thanks,
> Andreas
> 
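The difference between the two selectors discussed above, as an added example (not part of the original post and not ldns-dane's code): it derives "3 0 1" (hash of the whole certificate) and "3 1 1" (hash of the SubjectPublicKeyInfo) from certificate DER, then renews a certificate with the same key pair to show which record has to be rolled. The certificates are constructed, unsigned stand-ins with the real X.509 field order, and the DER helpers are minimal ones written for this example.

```python
import hashlib
# Added example, not ldns-dane code; the certificates below are constructed stand-ins.
def der(tag, content):
    """Encode one DER TLV (short- or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_children(buf):
    """Split a constructed value's content into (tag, content) children."""
    out, i = [], 0
    while i < len(buf):
        tag, n, j = buf[i], buf[i + 1], i + 2
        if n & 0x80:                      # long-form length: n & 0x7F length bytes follow
            n, j = int.from_bytes(buf[j:j + (n & 0x7F)], "big"), j + (n & 0x7F)
        out.append((tag, buf[j:j + n]))
        i = j + n
    return out

def subject_public_key_info(cert_der):
    """Return the SubjectPublicKeyInfo TLV from Certificate.tbsCertificate."""
    _, cert = der_children(cert_der)[0]   # Certificate SEQUENCE content
    _, tbs = der_children(cert)[0]        # tbsCertificate content
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:              # skip optional [0] EXPLICIT version
        fields = fields[1:]
    tag, spki = fields[5]  # serial, signature, issuer, validity, subject, SPKI
    return der(tag, spki)

def tlsa_rdata(cert_der, usage, selector, mtype):
    """Render '<usage> <selector> <mtype> <hex>' the way ldns-dane prints it."""
    data = cert_der if selector == 0 else subject_public_key_info(cert_der)
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).hexdigest()
    return f"{usage} {selector} {mtype} {digest}"

RSA_ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
SPKI = der(0x30, RSA_ALG + der(0x03, b"\x00" + der(0x30,   # constructed dummy RSA key
       der(0x02, b"\x00\xc0" + bytes(range(63))) + der(0x02, b"\x01\x00\x01"))))

def fake_cert(serial, spki):
    """Constructed certificate: real X.509 field order, placeholder values, dummy signature."""
    name, validity = der(0x30, b""), der(0x30, der(0x17, b"140930124700Z") * 2)
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial.to_bytes(2, "big"))
              + RSA_ALG + name + validity + name + spki)
    return der(0x30, tbs + RSA_ALG + der(0x03, b"\x00" * 33))

OLD_CERT, NEW_CERT = fake_cert(0x1001, SPKI), fake_cert(0x1002, SPKI)  # renewed, same key

def renewal_changes_record(selector):
    """True if the TLSA record for this selector must be rolled after the renewal."""
    return tlsa_rdata(OLD_CERT, 3, selector, 1) != tlsa_rdata(NEW_CERT, 3, selector, 1)
```

Running `renewal_changes_record(0)` and `renewal_changes_record(1)` gives True and False: the 3 0 1 record changes with every reissued certificate, while 3 1 1 stays valid as long as the key pair is kept.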