[Unbound-users] suggestion for ldns-dane
willem at nlnetlabs.nl
Wed Oct 1 11:03:36 UTC 2014
I've chosen 3 0 1 because it is more specific than 3 1 1. More material
is processed to assess the validity. Though, I have to admit I use 3 1 1
myself as well because I'm lazy and don't want to roll over TLSA records
every time the certificate needs to update.
Is "3 1 1" mentioned somewhere in a BCP document? If so, I'm
happy to alter the defaults right away.
Actually, I'm happy to change the defaults anyway unless someone is
We have a ldns-users list too (CC'ed). I suggest we continue this topic
there (if needed).
On 30-09-14 at 14:47, A. Schulze wrote:
> Maybe it's a little bit off topic but I think it's interesting anyway.
> ldns-dane as part of http://nlnetlabs.nl/projects/ldns/
> allows users to create TLSA records. By default the tool creates 3-0-1
> $ ldns-dane -c mail.example.org.pem create mail.example.org 25
> _25._tcp.mail.example.org. 3600 IN TLSA 3 0 1 cafe...
> Today I learned from Viktor Dukhovni it's strongly recommended to use
> TLSA records of type 3-1-1 (Selector = SubjectPublicKeyInfo)
> To generate recommended records I have to specify additional arguments:
> $ ldns-dane -c mail.example.org.pem create mail.example.org 25 3 1 1
> _25._tcp.mail.example.org. 3600 IN TLSA 3 1 1 beef...
> Would it be possible to modify ldns-dane to simply create
> the record in a recommended way?
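As an added illustration for this thread (written here, not ldns-dane's own code), the following Python derives both record forms from a certificate's DER and shows the trade-off Willem describes: a 3 0 1 record (selector 0, full certificate) changes on every renewal, while a 3 1 1 record (selector 1, SubjectPublicKeyInfo) survives a renewal that keeps the key pair. The "certificate" is a constructed, unsigned stand-in with the real TBSCertificate field order, and the digest is SHA-256 (matching type 1) as in the records quoted above.

```python
import hashlib
def read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos; returns (tag, value, end). Handles long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                  # long form: low 7 bits = number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def spki_from_cert(cert_der: bytes) -> bytes:
    """Walk Certificate -> TBSCertificate and return the DER of subjectPublicKeyInfo."""
    _, tbs, _ = read_tlv(cert_der, 0)             # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, body, _ = read_tlv(tbs, 0)                 # TBSCertificate ::= SEQUENCE { ... }
    fields, pos = [], 0
    while pos < len(body):
        tag, _, end = read_tlv(body, pos)
        fields.append((tag, body[pos:end]))       # keep the whole TLV: the digest covers tag+length
        pos = end
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version comes first
        fields.pop(0)
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

def tlsa_rdata(cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """RFC 6698 presentation form. Selector 0 = full cert, 1 = SPKI; matching type 1 = SHA-256."""
    if mtype != 1:
        raise ValueError("only matching type 1 (SHA-256) is implemented here")
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    return f"{usage} {selector} {mtype} {hashlib.sha256(data).hexdigest()}"

# --- constructed sample input: an unsigned stand-in, not a real certificate ---
def tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128                        # short-form lengths suffice for this sample
    return bytes([tag, len(body)]) + body

def seq(*parts: bytes) -> bytes:
    return tlv(0x30, b"".join(parts))

KEY_SPKI = seq(seq(tlv(0x06, bytes.fromhex("2a8648ce3d0201"))),  # AlgorithmIdentifier (id-ecPublicKey)
               tlv(0x03, b"\x00\x04" + bytes(range(64))))          # BIT STRING holding a made-up point
def fake_cert(serial: int, spki: bytes) -> bytes:
    """Stand-in with the TBSCertificate field order of a real cert (no version, empty names)."""
    tbs = seq(tlv(0x02, bytes([serial])), seq(), seq(), seq(), seq(), spki)
    return seq(tbs, seq(), tlv(0x03, b"\x00"))    # + signatureAlgorithm, signatureValue
OLD_CERT = fake_cert(1, KEY_SPKI)
NEW_CERT = fake_cert(2, KEY_SPKI)                 # renewal: new serial, same key pair
def renewal_changes(usage: int, selector: int) -> bool:
    """True if the TLSA record for this usage/selector changes when the certificate is renewed."""
    return tlsa_rdata(OLD_CERT, usage, selector, 1) != tlsa_rdata(NEW_CERT, usage, selector, 1)
```

Against a real PEM file, feed `ssl.PEM_cert_to_DER_cert(open(path).read())` to `tlsa_rdata` instead of `OLD_CERT`; the parser accepts the `[0] version` field real certificates carry.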