TLSA Validation Failed

Abdelmeniem Tharwat atharwat at
Tue Jul 14 10:37:10 CEST 2015

Dear Viktor Dukhovni ,
	You are right , but kindly advice how can I get the TLSA record ? I used 
openssl x509 -in xn----ymcadjpj1at5o.xn--wgbh1c.registry.crt -outform DER | openssl sha256
(stdin)= 1a70df05ac43318ab35a16542a8736d077ace3126fafe00508edd7484f293c6c

And got what I did add to zone file.

-----Original Message-----
From: dane-users-bounces at [mailto:dane-users-bounces at] On Behalf Of Viktor Dukhovni
Sent: Tuesday, July 14, 2015 6:58 AM
To: dane-users at
Subject: Re: TLSA Validation Failed

On Mon, Jul 13, 2015 at 09:04:34PM +0000, Abdelmeniem Tharwat wrote:

> And when I try to execute dig @ 
> _443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c +dnssec TLSA, I got the TLSA record that is identical to the hash from crt file.

Both are wrong.

> The TLSA validator said that :-
> [cid:image008.jpg at 01D0BDC0.1A30F150]
> any advice !!!

The correct "3 0 1" TLSA for your server is:

    _443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c. TLSA 3 0 1 AD562370D03DFBE4EDFC4780A2367C8FD086D8A00D53A80D8EC6A8909D50DA9A

What you've published is:

    _443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c. TLSA 3 0 1 1A70DF05AC43318AB35A16542A8736D077ACE3126FAFE00508EDD7484F293C6C

No idea what that is the digest of, but it is not the digest of the DER form of the server certificate.


More information about the dane-users mailing list