DANE-TA TLSA records for LE and Buypass Go
km at krot.org
Wed Nov 25 12:52:01 CET 2020
I'd like to share that a couple of months ago I've set up tlsa.is to
host always up-to-date TLSA records for Let's Encrypt and Buypass Go.
The records are generated automatically. At the time of writing they
look as following:
; Let's Encrypt (https://letsencrypt.org/certificates/)
_letsencrypt TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
TLSA 2 1 1 b111dd8a1c2091a89bd4fd60c57f0716cce50feeff8137cdbee0326e02cf362b
TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
*._letsencrypt CNAME _letsencrypt
; Buypass (https://www.buypass.com/security/buypass-root-certificates)
_buypass-go TLSA 2 1 1 42519999c31433a6bcf82c4bd9399301fa180a6f9f5c0a2e033cca602c46a2cb
*._buypass-go CNAME _buypass-go
Using the records is easy:
; Using CNAME for a single service
_25._tcp.mail IN CNAME _letsencrypt.tlsa.is.
; Using DNAME for all services
_tcp.mail6 IN DNAME _letsencrypt.tlsa.is.
More details -- and the code behind this for local deployments -- are all available at
I've set up automatic monitoring of the web pages where signing details
are published and intend to keep this running, but any use is on own
Please let me know if you have discovered an error, if some TLSA records
for the supported authorities should be added, deleted or updated.
-- Kirill Miazine <km at krot.org>
More information about the dane-users