Letsencrypt & TLSA - automation

Damien Goutte-Gattat dgouttegattat at incenp.org
Sun Feb 19 20:02:28 CET 2017

On 02/19/2017 07:20 PM, John Allen wrote:
> Any suggestions as to how to get the output into my DNS (Bind9)
> preferably without using nsupdate.

For what it's worth, my method to insert TLSA records into my zone files 
is to use some M4 macros.

The idea is to "fetch" the digests from the zone file when signing it, 
instead of "pushing" the digests to the zone file when renewing the 

So, my zone file contains something like that:

   `m4_esyscmd(openssl x509 -in $1 -pubkey -noout | \
    openssl rsa -pubin -outform DER | \
    openssl dgst -sha256 -binary | \
    openssl enc -base64)')

_443._tcp.example.com.     IN TLSA 3 1 1 SPKI_DGST(/path/to/web/cert)
_25._tcp.mail.example.com. IN TLSA 3 1 1 SPKI_DGST(/path/to/mail/cert)

(Actually the macro definition is in a separate file which is included 
in the zone file. But you get the idea.)

The file is then processed by `m4 -P` and the resulting zone file is 
signed by dnssec-signzone.

(The manual for GNU M4 contains a warning that M4 can be "fairly 
addictive" and that its users tend to use it everywhere; I'm afraid 
that's true.)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://mail.sys4.de/pipermail/dane-users/attachments/20170219/3530925b/attachment.asc>

More information about the dane-users mailing list