
[enhancement]: Generate TLSA Records for DANE #397

Closed
1 task done
sirrkitt opened this issue May 3, 2024 · 12 comments
Labels
enhancement New feature or request

Comments

@sirrkitt

sirrkitt commented May 3, 2024

Which feature or improvement would you like to request?

I recently discovered this project—cf-tlsa-acmesh written in Go that works with acme.sh to generate TLSA keys (and rollover keys). This would make it a lot simpler to roll out DANE for many servers.

I think this would be possible to lump together with #368 when/if there is ever support for automatically managing DNS records.

Is your feature request related to a problem?

I'm having a problem with...

Code of Conduct

  • I agree to follow this project's Code of Conduct
@sirrkitt sirrkitt added the enhancement New feature or request label May 3, 2024
@williamdes
Contributor

@mdecimus is it possible to have the option where it uses the CA and not the cert signature?
Or is it the one that was implemented?
Because managing the rotation without the automation each 90 days is a nightmare.

@mdecimus
Member

mdecimus commented May 7, 2024

Do you mean displaying the TLSA entries for trust anchors (type 2)? If you mean using the SubjectPublicKeyInfo rather than the entire certificate, both selectors are provided.

@williamdes
Contributor

Yes type 2

@yannikbloscheck

An alternative could also be to have an option to keep using the same private key for each Let's Encrypt certificate renewal. Then 3-1-1 should also work without having to change the record every 90 days.

@williamdes
Contributor

Since there is already DNS access it should be relatively easy to manage this value automatically

@yannikbloscheck

yannikbloscheck commented May 7, 2024

Since there is already DNS access it should be relatively easy to manage this value automatically

Only if you use the DNS update feature like for DNS-01 though. For example I can't use it, because that isn't supported by my provider. Even if it was supported and I could theoretically automate it, I probably wouldn't, because for me giving any tool direct access to manipulate my DNS records is just another possible security risk I would like to avoid.
I agree though that it would be a good addition for people who already use the DNS update feature anyway, to also have their TLSA record managed that way.

@mdecimus
Member

mdecimus commented May 7, 2024

Done:


@marcoxyz123

marcoxyz123 commented May 9, 2024

Hello mdecimus,

We should only use 2 1 1 & 3 1 1 or by choice 2 1 2 & 3 1 2 (if sha512 is necessary) with letsencrypt.

If the certificate gets renewed only the 3 1 1 entry needs to be updated in DNS. Delete all other entries and check with:

https://www.huque.com/bin/danecheck (give port 25, smtp, DANE-EE )

https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022

Best regards,
Marco
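
A worked illustration of the point above that only the 3 1 1 record survives a renewal when the key pair is reused (added example; not code from Stalwart, cf-tlsa-acmesh or anyone in this thread): a minimal DER walker pulls the SubjectPublicKeyInfo out of a certificate and builds RFC 6698 presentation-format TLSA data for either selector and either hash type. The certificate bytes are a constructed stand-in with the real tbsCertificate field order, not a real certificate; feed `tlsa_rdata` a real DER file to get publishable records.

```python
import hashlib

def der_tlv(tag, body):
    """Encode one DER TLV (short or long length form)."""
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    length = lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def der_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, first, start = buf[pos], buf[pos + 1], pos + 2
    n = first
    if first & 0x80:                         # long form: low 7 bits = number of length bytes
        k = first & 0x7F
        n, start = int.from_bytes(buf[start:start + k], "big"), start + k
    return tag, buf[start:start + n], start + n

def extract_spki(cert_der):
    """SubjectPublicKeyInfo TLV: 6th tbsCertificate field once the optional [0] version is skipped."""
    _, cert_body, _ = der_read(cert_der)     # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert_body)          # tbsCertificate ::= SEQUENCE
    pos, fields = 0, []
    while pos < len(tbs):
        tag, _, nxt = der_read(tbs, pos)
        if tag != 0xA0:                      # skip the explicit [0] version
            fields.append(tbs[pos:nxt])      # serial, sigAlg, issuer, validity, subject, SPKI, ...
        pos = nxt
    return fields[5]

def tlsa_rdata(cert_der, usage, selector, mtype):
    """RFC 6698 presentation form: selector 0 = full cert, 1 = SPKI; type 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).hexdigest()
    return f"{usage} {selector} {mtype} {digest}"

def fake_cert(serial, spki):
    """Constructed stand-in with the real tbsCertificate field order; dummy contents, not a real cert."""
    tbs = der_tlv(0x30, b"".join([
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),                                   # [0] version v3
        der_tlv(0x02, serial),                                                   # serialNumber
        der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),   # sha256WithRSAEncryption
        der_tlv(0x30, b""),                                                      # issuer (empty Name)
        der_tlv(0x30, der_tlv(0x17, b"240507000000Z") + der_tlv(0x17, b"240805000000Z")),  # validity
        der_tlv(0x30, b""),                                                      # subject
        spki]))
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00sig"))  # sigAlg + signature

# Renewal with the same key pair: serial changes, SPKI does not, so only "x 0 x" digests change.
SPKI = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"))
               + der_tlv(0x03, b"\x00constructed-public-key-bytes"))
OLD_CERT, NEW_CERT = fake_cert(b"\x01", SPKI), fake_cert(b"\x02", SPKI)
```

Comparing `tlsa_rdata(OLD_CERT, 3, 1, 1)` with `tlsa_rdata(NEW_CERT, 3, 1, 1)` gives identical records, while the selector-0 variants differ after every renewal.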

@mdecimus
Member

Hi Marco,

The webadmin will include all options, but you can decide which ones to add to your DNS server.

@marcoxyz123

Hi Marco,

The webadmin will include all options, but you can decide which ones to add to your DNS server.

Maybe for the "Not So" expert admins it could be marked green which are recommended or minimal required ;-).

@mdecimus
Member

This will be added to the documentation. But once dynamic DNS updates are implemented I was thinking about hiding all the extra TLSA records under a "Show All" checkbox or something.

@marcoxyz123

This will be added to the documentation. But once dynamic DNS updates are implemented I was thinking about hiding all the extra TLSA records under a "Show All" checkbox or something.

That makes sense, I saw you changed the bug to enhancement for the technical domains #463.

Kind regards, Marco
