DANE-TA TLSA records for LE and Buypass Go

Kirill Miazine km at krot.org
Wed Nov 25 12:52:01 CET 2020

Hi, dane-users

I'd like to share that a couple of months ago I've set up tlsa.is to
host always up-to-date TLSA records for Let's Encrypt and Buypass Go.

The records are generated automatically. At the time of writing they
look as following:

; Let's Encrypt (https://letsencrypt.org/certificates/)
_letsencrypt    TLSA 2 1 1   60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
                TLSA 2 1 1   8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
                TLSA 2 1 1   276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
                TLSA 2 1 1   b111dd8a1c2091a89bd4fd60c57f0716cce50feeff8137cdbee0326e02cf362b
                TLSA 2 1 1   e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
                TLSA 2 1 1   bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
*._letsencrypt  CNAME   _letsencrypt

; Buypass (https://www.buypass.com/security/buypass-root-certificates)
_buypass-go     TLSA 2 1 1   42519999c31433a6bcf82c4bd9399301fa180a6f9f5c0a2e033cca602c46a2cb
*._buypass-go   CNAME   _buypass-go

Using the records is easy:

; Using CNAME for a single service
_25._tcp.mail       IN  CNAME   _letsencrypt.tlsa.is.

; Using DNAME for all services
_tcp.mail6          IN  DNAME   _letsencrypt.tlsa.is.

More details -- and the code behind this for local deployments -- are all available at

I've set up automatic monitoring of the web pages where signing details
are published and intend to keep this running, but any use is on own

Please let me know if you have discovered an error, if some TLSA records
for the supported authorities should be added, deleted or updated.


    -- Kirill Miazine <km at krot.org>

More information about the dane-users mailing list