Deploy360 Domain Name System Security Extensions (DNSSEC) To archive Transport Layer Security (TLS)

Hash-slinger Helps You Easily Create TLSA records for DNSSEC / DANE

If you are looking to get started with the DANE protocol to provide higher security for SSL/TLS certificates, a basic question can be – how do you generate a TLSA record to put in your DNS zone file?

As we outlined before, there are a number of different tools you can use.  One that is perhaps the simplest, though, is a package for Linux from Paul Wouters called “hash-slinger” that is available at:

One of the tools provided in the package is a command “tlsa” which does exactly what you might think – generate the TLSA record!  Paul showed how easy it is:

$ tlsa --create
No certificate specified on the commandline, attempting to retrieve it from the server
Attempting to get certificate from
Got a certificate with Subject: /O=* Control Validated/CN=* IN TLSA 3 0 1 54f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e

That’s it!  Now you can copy that record to your DNS zone file and you will be in the business of publishing a TLSA record!

Well, okay, it might not be that simple.  If your nameserver or DNSSEC-signing tool doesn’t yet support the TLSA record (outlined in RFC 6698), you might need to add a “-o generic” flag onto the command line to get the appropriate record. And you might want to add on more options, as Shumon Huque did in his walk-through of setting up a TLSA record.

The key is that this tool is out there and can help all of us interested in getting the DANE protocol more widely deployed to start getting TLSA records more visible. Kudos to Paul for developing the tool and making it available.

If you use SSL/TLS on your sites, and you have your domain signed with DNSSEC, why not go the extra step and get a TLSA record out there?