Enhancement #273

DNS-secured CERTs using TLSA

Added by Marc Dequènes over 7 years ago. Updated about 4 years ago.

Service :: IS / AAA / PKI

The current CA model is flawed, and we cannot trust any CA if it is not maintained by people we know. It is a major problem to be able to work with third-party websites.

The DANE project aims at using DNSSEC to securely propagate secure data associations, like vhost <-> CERT, so we should follow the progress of its specification and test emerging implementations. When it is ready enough, we should then ask software implementors to use this new technology. Drafts can be found here:

Related issues

Related to DuckCorp Infrastructure - Enhancement #274: Experiment a Diaspora node (Rejected, 2012-01-14)




Updated by Marc Dequènes over 7 years ago

  • Status changed from New to In Progress
  • Assignee set to Marc Dequènes

There is already a Firefox addon for TLSA:

I still don't know if there are tools to generate the DNS entries easily.


Updated by Marc Dequènes over 7 years ago

  • Category changed from Service :: Web to Service :: IS / AAA / PKI

Updated by Marc Dequènes over 7 years ago

  • % Done changed from 0 to 10

This week I configured www.hq.dc.o to do some tests, and the settings were quite easy. Note that the TXT field is already deprecated according to the VCS commits.

The plugin is not meant to be installed on FF10 but can be forced and seems to work. Nevertheless I was not able to get it to validate anything, as it considers the DNSSEC chain to be broken, and activating debug in about:config did not output anything on the web console or on STDOUT.


Updated by Marc Dequènes over 7 years ago

I'm probably hitting the AA versus AD flag, which should be solved when #292 is done.


Updated by Marc Dequènes almost 7 years ago

The TLSA field is now supported since Bind 9.8.3-P3 (


Updated by Marc Dequènes about 4 years ago

The FF plugin is now here:
Version works and the AA/AD problem seems gone.

Now we need to feed the TLSA entries into the DNS. I need to find a way to automate it around mkcert. Ansible maybe?


Updated by Marc Dequènes about 4 years ago

  • % Done changed from 10 to 70

Modified mkcert to generate the SubjectPublicKeyInfo hashes for a server (for the CN if applicable, and for all DNS entries in subjectAltName), then for all servers of a CA.
The services need to be specified in the server configuration file, using the service name (NSS) or port/proto. Sometimes it is also necessary to restrict certain services to specific hostnames, so the scope can be narrowed in the syntax.

  • The resulting bunch of TLSA records needs to be mapped to domain names, taking care of which domains are currently DNSSEC-enabled.
  • Entries also need to be properly dispatched into the right parent/child domain (in the case of subdomains).
  • The filtered result needs to be pushed to the MX1 of the domain.
  • opendnssec needs to be triggered.

As these last steps are not very easy, and to test the results, I created the adm_publish_tlsa script, which does what is needed for the only domains able to take advantage of it.
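Added worked example (editor's code, not the project's mkcert patch or its adm_publish_tlsa script): the record-generation and dispatch steps described in this update, in Ruby. It builds a throwaway self-signed certificate as constructed input, hashes its SubjectPublicKeyInfo for a "3 1 1" (DANE-EE, SPKI, SHA-256) TLSA record, expands the CN and DNS subjectAltName entries against a per-server service list (NSS name or port/proto, optionally restricted to given hosts), and groups the records by the longest matching signed zone so that names in a delegated child zone land in the child and names in unsigned zones are dropped. The zone list, the configuration shape and the hostnames are assumptions; pushing to the master and kicking opendnssec are left out, the output is just zone-file lines.

```ruby
require "openssl"
require "socket"

# Zones this infrastructure signs with DNSSEC (assumed list). A TLSA record in
# an unsigned zone cannot be validated, so names outside these zones are dropped.
SIGNED_ZONES = ["example.org", "mail.example.org"].freeze

# Per-server service list (assumed config shape): a service name resolved via
# NSS ("https") or an explicit "port/proto", optionally restricted to some of
# the certificate's hostnames.
SERVER_SERVICES = [
  { "service" => "443/tcp" },                                     # all names on the cert
  { "service" => "25/tcp",  "hosts" => ["mx1.mail.example.org"] },
  { "service" => "993/tcp", "hosts" => ["mx1.mail.example.org"] },
].freeze

# Self-signed certificate built in memory as constructed test input; in the
# real setup it would be read from mkcert's output directory.
def make_test_cert(cn, sans)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509 v3, required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("subjectAltName",
                                         sans.map { |s| "DNS:#{s}" }.join(",")))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# "https" -> [443, "tcp"] through NSS, or "443/tcp" -> [443, "tcp"] directly.
def resolve_service(spec)
  if (m = spec.match(%r{\A(\d+)/(tcp|udp|sctp)\z}))
    [m[1].to_i, m[2]]
  else
    name, proto = spec.split("/", 2)
    proto ||= "tcp"
    [Socket.getservbyname(name, proto), proto]
  end
end

# Hostnames the certificate is valid for: the CN plus every DNS subjectAltName.
def cert_hostnames(cert)
  names = []
  cn = cert.subject.to_a.find { |entry| entry[0] == "CN" }
  names << cn[1] if cn
  san = cert.extensions.find { |e| e.oid == "subjectAltName" }
  san&.value&.split(",")&.each do |entry|
    entry = entry.strip
    names << entry.delete_prefix("DNS:") if entry.start_with?("DNS:")
  end
  names.uniq
end

# DANE-EE (usage 3), selector 1 = SubjectPublicKeyInfo, matching 1 = SHA-256.
# Hashing the SPKI instead of the whole certificate keeps the record valid
# across renewals as long as the key pair is kept.
def spki_sha256_hex(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.public_key.to_der)
end

# Longest signed-zone suffix containing +name+, so a name in a delegated child
# zone is dispatched to the child and not the parent; nil if no signed zone matches.
def zone_for(name, zones = SIGNED_ZONES)
  zones.select { |z| name == z || name.end_with?(".#{z}") }.max_by(&:length)
end

# { zone => [[owner, rdata], ...] } for every (hostname, service) pair that is
# in scope for that host and lives in a signed zone.
def tlsa_records(cert, services, zones = SIGNED_ZONES)
  digest = spki_sha256_hex(cert)
  out = Hash.new { |h, k| h[k] = [] }
  cert_hostnames(cert).each do |host|
    zone = zone_for(host, zones)
    next unless zone                        # unsigned zone: nothing to publish
    services.each do |svc|
      next if svc["hosts"] && !svc["hosts"].include?(host)
      port, proto = resolve_service(svc["service"])
      out[zone] << ["_#{port}._#{proto}.#{host}.", "TLSA 3 1 1 #{digest}"]
    end
  end
  out
end

if $PROGRAM_NAME == __FILE__
  cert = make_test_cert("www.example.org",
                        ["www.example.org", "mx1.mail.example.org", "www.example.net"])
  tlsa_records(cert, SERVER_SERVICES).each do |zone, rrs|
    puts "; records for signed zone #{zone}"
    rrs.each { |owner, rdata| puts "#{owner} IN #{rdata}" }
  end
end
```

With the constructed input, www.example.net produces nothing because example.net is not in the signed-zone list, and mx1.mail.example.org is dispatched to mail.example.org rather than example.org; the NSS lookup path (Socket.getservbyname) depends on /etc/services, so the sample data uses explicit port/proto.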


Updated by Marc Dequènes about 4 years ago

  • Blocked by deleted (Enhancement #292: DNSSEC authoritative nameservers and validating resolvers should be separated)

Updated by Marc Dequènes about 4 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 70 to 100

I recreated the previous script in Ruby to handle all the listed steps, and it works well, giving exactly the same output as before.

In order to have the necessary knowledge to do the job, I created /etc/mp-admin/topology with necessary information.
