retrieve TLSA record also if it is not secured by DNSSEC

Elmar Stellnberger estellnb at
Wed Feb 12 18:23:47 UTC 2020

Am 12.02.20 um 19:02 schrieb Paul Wouters:
> On Wed, 12 Feb 2020, Elmar Stellnberger via Unbound-users wrote:
>> The tool can from now on also be downloaded from 
>> or
> You are aware of hash-slinger's "tlsa" command to generate / verify TLSA
> records? It of course insists the TLSA records are secured by DNSSEC,
> but it has a --insecure option if you want to test it before your domain
> is secured by DNSSEC.
> Paul

hash-slinger's "tlsa" command? I have never heard of it. I just have the 
libunbound library here. I do not even have the unbound-host executable 
here which you mentioned in my previous mail.

The atea tool I am already offering for download is something like a 
light weight curl or wget for https/DANE without html support. It can be 
used to download files though. As far as I have tested it, neither curl 
nor wget allow to specify a server certificate. You have to specify a 
certification authority which then grants access to all server 
certificates signed by this CA which may be direly unsafe. That was the 
reason why I wrote atea. The tool already works well. It offers the 
continuation of previously interrupted downloads among other features. 
The only things that do not work yet are a download progress screen as 
well as automatic restarts on stalled or interrupted connections. 
However  I believe this is a minor issue. The tool can be used to 
download securely automatically verifying the server certificate via 
DANE. DANE is of high value. Since I have a boot stick where Firefox is 
preconfigured with DANE verified certifiicates for and dozens of people have replied me who said that they did 
not receive my emails before. It seems to be 100% rootkit safe. 
Unfortunately my development environment is not. It is rootkitted which 
can be proven with a tool called 
Any new installation will also be rootkitted within the fraction of a 
second as soon as I open a browser and visit a site not verified via 
DANE. As you may know from the Snowden revelations the NSA is running 
mirror servers for many public websites which infect the users who visit 
them. These sites are using rogue certificates. If you wanna see such a 
certificate visit and download the true and 
the rogue certificate that is known for this site. Though I am planning 
to finish the development of atea some time I would welcome some testing 
by independent users before! The problem is that I can only go on with 
development once I have set up an offline computer with mininet to 
simulate a network because as I have told you before US intelligence is 
blocking me from continuing my online development effort.

I am looking forward to hear your comments/ responses on the program.

More information about the Unbound-users mailing list