Letsencrypt & TLSA - automation
Damien Goutte-Gattat
dgouttegattat at incenp.org
Sun Feb 19 20:02:28 CET 2017
On 02/19/2017 07:20 PM, John Allen wrote:
> Any suggestions as to how to get the output into my DNS (Bind9)
> preferably without using nsupdate.
For what it's worth, my method to insert TLSA records into my zone files
is to use some M4 macros.
The idea is to "fetch" the digests from the zone file when signing it,
instead of "pushing" the digests to the zone file when renewing the
certificates.
So, my zone file contains something like that:
---8<---
; SPKI_DGST(cert): SHA-256 of the certificate's SubjectPublicKeyInfo, emitted
; as hex, which is the presentation format TLSA RDATA requires (not base64).
; "openssl pkey" handles RSA and EC public keys alike.
m4_define(SPKI_DGST,
`m4_esyscmd(openssl x509 -in $1 -pubkey -noout | \
openssl pkey -pubin -outform DER | \
openssl dgst -sha256 -binary | \
od -An -tx1 | tr -d " \n")')
_443._tcp.example.com. IN TLSA 3 1 1 SPKI_DGST(/path/to/web/cert)
_25._tcp.mail.example.com. IN TLSA 3 1 1 SPKI_DGST(/path/to/mail/cert)
--->8---
(Actually the macro definition is in a separate file which is included
in the zone file. But you get the idea.)
The file is then processed by `m4 -P` and the resulting zone file is
signed by dnssec-signzone.
(The manual for GNU M4 contains a warning that M4 can be "fairly
addictive" and that its users tend to use it everywhere; I'm afraid
that's true.)
Damien
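As an added worked example (not code from Damien's post or from the dane-users list), here is the same "3 1 1" digest computed in Python without shelling out to openssl: a minimal DER walker extracts the SubjectPublicKeyInfo from an X.509 certificate and hashes it, and the output is hex, which is what a zone file expects in a TLSA record. It goes slightly beyond the post by also handling selector 0 (whole certificate) and matching types 0 and 2. The certificate it runs on by default is constructed inline and is structurally valid but unsigned; all function names are my own.

```python
"""TLSA RDATA from a certificate, without shelling out to openssl.
Added example, not code from the original post. Selector 1 hashes the
SubjectPublicKeyInfo (SPKI), which is what the M4 macro's openssl pipeline
computes; the result is hex, the form TLSA presentation format requires.
"""
import base64
import hashlib
import re
import sys

def der_tlv(buf, pos=0):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Yield (tag, value, raw TLV bytes) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, nxt = der_tlv(body, pos)
        yield tag, value, body[pos:nxt]
        pos = nxt

def der_encode(tag, body):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def pem_to_der(cert):
    """Accept a PEM string/bytes or raw DER bytes; return DER bytes."""
    if isinstance(cert, bytes) and not cert.lstrip().startswith(b"-----"):
        return cert
    text = cert.decode("ascii") if isinstance(cert, bytes) else cert
    body = re.sub(r"-----[^-]+-----", "", text)
    return base64.b64decode("".join(body.split()))

def to_pem(der):
    """Wrap DER bytes as a PEM certificate (helper for tests and demos)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)

def spki_from_cert(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, cert_body, _ = der_tlv(cert_der)           # Certificate ::= SEQUENCE
    tbs_tag, tbs_body, _ = der_tlv(cert_body)     # tbsCertificate ::= SEQUENCE
    if tbs_tag != 0x30:
        raise ValueError("not an X.509 certificate")
    fields = list(der_children(tbs_body))
    if fields and fields[0][0] == 0xA0:           # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, _, raw = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found where expected")
    return raw

def digest_hex(data, mtype):
    """Matching type 0 = full data, 1 = SHA-256, 2 = SHA-512 (RFC 6698)."""
    if mtype == 0:
        return data.hex()
    if mtype == 1:
        return hashlib.sha256(data).hexdigest()
    if mtype == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError("unknown matching type %r" % mtype)

def tlsa_rdata(cert, usage=3, selector=1, mtype=1):
    """Presentation-format RDATA, e.g. '3 1 1 <64 hex chars>'."""
    der = pem_to_der(cert)
    if selector == 0:        # whole certificate
        data = der
    elif selector == 1:      # SubjectPublicKeyInfo only
        data = spki_from_cert(der)
    else:
        raise ValueError("unknown selector %r" % selector)
    return "%d %d %d %s" % (usage, selector, mtype, digest_hex(data, mtype))

def tlsa_record(owner, cert, usage=3, selector=1, mtype=1):
    """One zone-file line, e.g. '_443._tcp.example.com. IN TLSA 3 1 1 ...'."""
    return "%s IN TLSA %s" % (owner, tlsa_rdata(cert, usage, selector, mtype))

def sample_cert():
    """Constructed, unsigned certificate skeleton; returns (cert DER, SPKI DER)."""
    rsa_oid = bytes.fromhex("2a864886f70d010101")  # rsaEncryption
    alg = der_encode(0x30, der_encode(0x06, rsa_oid) + der_encode(0x05, b""))
    spki = der_encode(0x30, alg + der_encode(0x03, b"\x00" + b"\x01" * 300))
    tbs = der_encode(0x30,
        der_encode(0xA0, der_encode(0x02, b"\x02"))  # version v3
        + der_encode(0x02, b"\x01")                  # serialNumber
        + der_encode(0x30, b"")                      # signature (placeholder)
        + der_encode(0x30, b"")                      # issuer (placeholder)
        + der_encode(0x30, b"")                      # validity (placeholder)
        + der_encode(0x30, b"")                      # subject (placeholder)
        + spki)
    cert = der_encode(0x30, tbs + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))
    return cert, spki

if __name__ == "__main__":
    # With a path argument, read a real PEM certificate; otherwise use the sample.
    cert = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_cert()[0]
    print(tlsa_record("_443._tcp.example.com.", cert))
```

Run with the path of the certificate Certbot renewed to get the line to drop into the zone; comparing that output with what is currently published (e.g. the answer to `dig TLSA _443._tcp.example.com`) before re-signing the zone is a cheap check that a renewal with a new key pair did not leave a stale 3 1 1 record behind.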