💾 Archived View for tlsa.is captured on 2022-04-29 at 12:42:10. Gemini links have been rewritten to link to archived content


Always current TLSA records for Let's Encrypt & Buypass Go

About TLSA.is

TLSA.is provides a managed alternative to generating and publishing one's own TLSA records, which are required for DANE. TLSA.is creates, publishes and keeps current DANE-TA TLSA resource records for a number of supported Certificate Authorities (Let's Encrypt and Buypass).

Generation of the TLSA records has been integrated into the project owner's own DNS management tool navn and takes place at least weekly, just before the periodic refresh of DNSSEC signatures.

Generate TLSA records

WTF?

The TLSA DNS resource record (RR), specified in RFC 6698, is used to associate a TLS server certificate or public key with the domain name where the record is found, thus forming a "TLSA certificate association".

TLSA DNS resource records

RFC 6698
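The "2 1 1 <hex>" form of the records TLSA.is publishes is DANE-TA (usage 2) over the SubjectPublicKeyInfo (selector 1) hashed with SHA-256 (matching type 1), as RFC 6698 section 2.1 defines. The script below is an added example, not code from tlsa.is or from its navn tool: it derives that association data from a certificate with the standard library only (a minimal DER walker stands in for what `openssl x509 -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256` would do), parses a published record, and checks the two against each other. The certificate it runs on is a constructed, structurally valid but meaningless Certificate DER, not a real CA certificate; the OIDs in it are the standard rsaEncryption and sha256WithRSAEncryption identifiers.

```python
"""Derive and verify DANE-TA TLSA association data from an X.509 certificate.

Added example, not part of tlsa.is. Standard library only; the DER walker is
just enough to pull SubjectPublicKeyInfo out of an RFC 5280 Certificate and is
not a general ASN.1 parser.
"""
import base64
import hashlib
import re

USAGE_DANE_TA = 2                               # usage 2: trust anchor assertion (what TLSA.is publishes)
SELECTOR_FULL, SELECTOR_SPKI = 0, 1              # full certificate / SubjectPublicKeyInfo
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def _read_tlv(data, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos (definite lengths only)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                            # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Split the content octets of a constructed type into (tag, whole TLV encoding) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, nxt = _read_tlv(value, pos)
        out.append((tag, value[pos:nxt]))
        pos = nxt
    return out


def pem_to_der(pem):
    """Strip PEM armour from the first CERTIFICATE block and return its DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def extract_spki(cert_der):
    """Return the DER encoding of the certificate's subjectPublicKeyInfo field.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_value, _ = _read_tlv(cert_der, 0)
    tbs_tag, tbs = _children(cert_value)[0]
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    fields = _children(_read_tlv(tbs, 0)[1])
    if fields and fields[0][0] == 0xA0:          # explicit [0] version is optional; skip it when present
        fields = fields[1:]
    spki_tag, spki = fields[5]                   # serial, sigalg, issuer, validity, subject, SPKI
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki


def association_data(cert_der, selector, matching_type):
    """Certificate Association Data per RFC 6698 section 2.1.3 for the given selector and matching type."""
    if selector == SELECTOR_FULL:
        subject = cert_der
    elif selector == SELECTOR_SPKI:
        subject = extract_spki(cert_der)
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching_type == MATCH_FULL:
        return subject
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(subject).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_rdata(cert_der, usage=USAGE_DANE_TA, selector=SELECTOR_SPKI, matching_type=MATCH_SHA256):
    """Presentation-format RDATA, e.g. '2 1 1 <64 hex chars>' for a DANE-TA SPKI SHA-256 record."""
    return f"{usage} {selector} {matching_type} {association_data(cert_der, selector, matching_type).hex()}"


def parse_tlsa_rdata(rdata):
    """Parse 'usage selector matching hex...' into (int, int, int, bytes), rejecting malformed records."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA RDATA needs four fields")
    usage, selector, matching = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or matching not in (0, 1, 2):
        raise ValueError("TLSA field value out of range")
    data = bytes.fromhex("".join(parts[3:]))     # presentation format may split the hex into blocks
    expected = {MATCH_SHA256: 32, MATCH_SHA512: 64}.get(matching)
    if expected is not None and len(data) != expected:
        raise ValueError("association data length does not match the matching type")
    return usage, selector, matching, data


def record_matches(rdata, cert_der):
    """True if a published record matches this certificate. For usage 2 the certificate to pass in is the
    CA certificate in the served chain (the intermediate), not the server's end-entity certificate."""
    _, selector, matching, data = parse_tlsa_rdata(rdata)
    return data == association_data(cert_der, selector, matching)


def _der(tag, value):
    """Encode one DER TLV with a definite length of up to 65535 octets."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + value


def constructed_certificate():
    """Constructed for this example: a structurally valid, meaningless Certificate with a 300-byte
    stand-in for a public key so that long-form DER lengths are exercised. Returns (cert_der, spki_der)."""
    rsa_oid, sha256_rsa_oid = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01", b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
    spki = _der(0x30, _der(0x30, _der(0x06, rsa_oid) + _der(0x05, b"")) + _der(0x03, b"\x00" + b"\xAB" * 300))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, _der(0x06, sha256_rsa_oid))
               + _der(0x30, b"") + _der(0x30, _der(0x17, b"220101000000Z") + _der(0x17, b"230101000000Z"))
               + _der(0x30, b"") + spki)
    return _der(0x30, tbs + _der(0x30, _der(0x06, sha256_rsa_oid)) + _der(0x03, b"\x00" * 17)), spki


if __name__ == "__main__":
    cert, _ = constructed_certificate()
    rdata = tlsa_rdata(cert)
    print("_letsencrypt.tlsa.is.\tIN\tTLSA\t" + rdata)     # what a published DANE-TA record looks like
    print("matches:", record_matches(rdata, cert))
```

Running it against a real intermediate is a matter of `tlsa_rdata(pem_to_der(open("intermediate.pem").read()))`; comparing that value with what `_letsencrypt.tlsa.is` or `_buypass-go.tlsa.is` answers is the check a mail operator would script before relying on the CNAME. Because usage 2 binds the trust anchor rather than the leaf, the record stays valid across certificate renewals as long as the CA issues from the same intermediate, which is exactly what makes a shared, CA-level record publishable; a verifier can only match it if the server sends the intermediate in its chain.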

Supported Certificate Authorities

Let's Encrypt

Let's Encrypt is a non-profit certificate authority run by Internet Security Research Group (ISRG).

TLSA.is publishes TLSA records for the intermediate certificates published by Let's Encrypt.

In order to use the TLSA resource record, a CNAME or a DNAME record pointing to _letsencrypt.tlsa.is should be published as needed, e.g.:

; Using CNAME for a single service
_25._tcp.mail		IN	CNAME	_letsencrypt.tlsa.is.

; Using DNAME for all services
_tcp.mail6		IN	DNAME	_letsencrypt.tlsa.is.

Let's Encrypt

Let's Encrypt Chain of Trust

Buypass

The Norwegian Certificate Authority Buypass provides Buypass Go as an alternative to Let's Encrypt.

TLSA.is publishes a TLSA record for the issuing certificate published by Buypass. In order to use the TLSA resource record, a CNAME or a DNAME record pointing to _buypass-go.tlsa.is should be published as needed, e.g.:

; Using CNAME for a single service
_25._tcp.mail		IN	CNAME	_buypass-go.tlsa.is.

; Using DNAME for all services
_tcp.mail6		IN	DNAME	_buypass-go.tlsa.is.

Buypass

Buypass Go

Buypass Root certificates

Big Red Warning

TLSA.is solves the project owner's personal requirement. It may, however, stop working at any time – use at your own risk.

Contact

Please get in touch if you have discovered an error, if some TLSA records for the supported authorities should be added, deleted or updated, or if you have any other comments or suggestions.