retrieve TLSA record also if it is not secured by DNSSEC

Elmar Stellnberger estellnb at
Thu Feb 13 13:43:18 UTC 2020

For Firefox they intentionally do not fix the flaw that you cannot
configure server certificates which use HSTS: I suspect them of
being paid by intelligence because otherwise they would not forcefully
implement a bug like this (previous versions of FF were good). I do
not know how the situation is with wget and curl, but the fact that you
cannot set a server certificate by a command line switch at all
points in the same direction. Why are there dozens of switches to
configure certification authorities but not a single switch for a
server certificate then? The way things are now, all of these projects
are not trustworthy altogether.

2020-02-12 20:57 GMT+01:00, Paul Wouters <paul at>:
> On Wed, 12 Feb 2020, Elmar Stellnberger via Unbound-users wrote:
>> hash-slinger's "tlsa" command? I have never heard of it. I just have the
>> libunbound library here. I do not even have the unbound-host executable
>> here which you mentioned in my previous mail.
>> The atea tool I am already offering for download is something like a
>> lightweight curl or wget for https/DANE without html support. It can be
>> used to download files though.
> Oh I see. That is different then. The tlsa command is used to generate
> or verify certificates with their DNSSEC TLSA record entries. It
> supports both websites and mailservers.
> A tool that adds curl/wget support for TLSA is cool, although cooler
> would be if curl/wget got native support of course :) Maybe Viktor
> knows more about curl with openssl/tlsa support?
> Paul
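The thread talks about verifying a server certificate against its TLSA record and about whether a record that is not DNSSEC-secured may be used for that. The following is an added example written for this archive page; it is not code from atea, hash-slinger, unbound or anything posted in the thread. It implements the RFC 6698 matching rules (selector 0/1, matching type 0/1/2) and the rule from RFC 6698 section 4.1 that only DNSSEC-validated TLSA data may be used. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins (a real client would take them from the TLS handshake and an ASN.1 parser), the `dnssec_secure` flag stands in for the validator's result (for example the `secure` flag libunbound returns), and the function names are the example's own.

```python
"""TLSA (DANE) matching of a presented certificate, RFC 6698 style.

Added example, not code from atea, hash-slinger or unbound. The certificate
and SPKI bytes below are constructed for the demonstration, not fetched.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Certificate usage values, RFC 6698 section 2.1.1
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0-3, see USAGE_NAMES
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data

    @classmethod
    def from_presentation(cls, text: str) -> "TLSA":
        """Parse zone-file form, e.g. '3 1 1 8bd1 ...' (hex may be space-split)."""
        fields = text.split()
        if len(fields) < 4:
            raise ValueError("TLSA needs usage, selector, matching type and data")
        usage, selector, matching = (int(f) for f in fields[:3])
        return cls(usage, selector, matching, bytes.fromhex("".join(fields[3:])))

    def to_presentation(self) -> str:
        return f"{self.usage} {self.selector} {self.matching} {self.data.hex()}"

    def to_wire(self) -> bytes:
        """RDATA wire format: three single-octet fields, then the data."""
        return bytes([self.usage, self.selector, self.matching]) + self.data

    @classmethod
    def from_wire(cls, rdata: bytes) -> "TLSA":
        if len(rdata) < 3:
            raise ValueError("TLSA RDATA shorter than 3 octets")
        return cls(rdata[0], rdata[1], rdata[2], bytes(rdata[3:]))


def association_data(cert_der: bytes, spki_der: bytes,
                     selector: int, matching: int) -> bytes:
    """What the TLSA data field must contain for this certificate.

    spki_der is the DER SubjectPublicKeyInfo; a real client extracts it from
    cert_der with an ASN.1 parser, here the caller supplies it (constructed).
    """
    if selector == 0:
        selected = cert_der
    elif selector == 1:
        selected = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching == 0:
        return selected
    if matching == 1:
        return hashlib.sha256(selected).digest()
    if matching == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching}")


def matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the certificate matches this record's association data."""
    expected = association_data(cert_der, spki_der, record.selector, record.matching)
    return hmac.compare_digest(expected, record.data)  # constant-time compare


def dane_ee_accepts(records, cert_der: bytes, spki_der: bytes,
                    dnssec_secure: bool) -> bool:
    """DANE-EE (usage 3) decision for a leaf certificate.

    RFC 6698 section 4.1 only lets a client use TLSA records whose DNSSEC
    validation succeeded; an insecure or bogus answer is treated as if no
    TLSA records existed, so the hypothetical dnssec_secure flag gates all use.
    """
    if not dnssec_secure:
        return False
    return any(r.usage == 3 and matches(r, cert_der, spki_der) for r in records)


# Constructed stand-ins for a DER certificate and its SubjectPublicKeyInfo.
CERT_DER = b"\x30\x82\x01\x00" + b"constructed-demo-certificate" * 4
SPKI_DER = b"\x30\x59" + b"constructed-demo-spki" * 4

# A record the zone owner would publish for CERT_DER: 3 1 1 <sha256(SPKI)>.
GOOD_RECORD = TLSA(3, 1, 1, hashlib.sha256(SPKI_DER).digest())
# A record for some other key, which must not match.
BAD_RECORD = TLSA(3, 1, 1, hashlib.sha256(b"another-key").digest())


if __name__ == "__main__":
    print("publish:", GOOD_RECORD.to_presentation())
    print("secure, good :", dane_ee_accepts([GOOD_RECORD], CERT_DER, SPKI_DER, True))
    print("secure, bad  :", dane_ee_accepts([BAD_RECORD], CERT_DER, SPKI_DER, True))
    print("insecure     :", dane_ee_accepts([GOOD_RECORD], CERT_DER, SPKI_DER, False))
```

The point of the `dnssec_secure` gate is the one in the subject line: a TLSA record that arrives without DNSSEC validation can still be fetched and displayed, but the standard does not permit a client to pin or authenticate on it, because an attacker who can spoof the DNS answer could then also spoof the record.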

More information about the Unbound-users mailing list