[Unbound-users] suggestion for ldns-dane
A. Schulze
2014-09-30 12:47:35 UTC
Hello,

Maybe it's a little bit off topic, but I think it's interesting anyway.
ldns-dane, part of http://nlnetlabs.nl/projects/ldns/,
allows users to create TLSA records. By default the tool creates 3-0-1 records:

$ ldns-dane -c mail.example.org.pem create mail.example.org 25
_25._tcp.mail.example.org. 3600 IN TLSA 3 0 1 cafe...

Today I learned from Viktor Dukhovni that it's strongly recommended to use
TLSA records of type 3-1-1 (Selector = SubjectPublicKeyInfo).

To generate the recommended records I have to specify additional arguments:
$ ldns-dane -c mail.example.org.pem create mail.example.org 25 3 1 1
_25._tcp.mail.example.org. 3600 IN TLSA 3 1 1 beef...

Would it be possible to modify ldns-dane to simply create
the record in a recommended way?

Thanks,
Andreas
Willem Toorop
2014-10-01 11:03:36 UTC
I've chosen 3 0 1 because it is more specific than 3 1 1. More material
is processed to assess the validity. Though, I have to admit I use 3 1 1
myself as well because I'm lazy and don't want to roll over TLSA records
every time the certificate needs to be updated.

Is "3 1 1" mentioned somewhere in a BCP document? If so, I'm
happy to alter the defaults right away.

Actually, I'm happy to change the defaults anyway unless someone is
against it...

We have an ldns-users list too (CC'ed). I suggest we continue this topic
there (if needed).

-- Willem
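The two messages above turn on one detail of RFC 6698: selector 0 hashes the whole DER certificate, selector 1 hashes only its SubjectPublicKeyInfo, so a "3 1 1" record survives a certificate renewal that keeps the key while a "3 0 1" record does not. The following Python script is an added illustration of that difference and is not part of ldns-dane or the thread. It walks the X.509 DER structure with a minimal ASN.1 reader (standard library only), computes TLSA RDATA for any selector/matching-type pair, and prints records in the same shape ldns-dane does. To stay runnable offline it assembles a toy certificate around a constructed Ed25519 key with a placeholder (invalid) signature; the field order is the real one, so the same `extract_spki` works on a genuine DER certificate as well.

```python
import hashlib

# --- minimal DER helpers, enough for the X.509 walk below ---

def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite-form length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, content, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def children(content: bytes) -> list:
    """Split a constructed element's content into its whole child TLVs (headers included)."""
    out, pos = [], 0
    while pos < len(content):
        _, _, nxt = der_read(content, pos)
        out.append(content[pos:nxt])
        pos = nxt
    return out

# --- TLSA computation (RFC 6698) ---

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (TLSA selector 1).

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { version [0] EXPLICIT OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = der_read(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_body, _ = der_read(children(cert_body)[0])
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:   # skip the optional [0] version wrapper
        fields = fields[1:]
    return fields[5]           # serial, signature, issuer, validity, subject, SPKI

def tlsa_rdata(cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """Selector 0 = full certificate, 1 = SPKI; matching type 0/1/2 = raw/SHA-256/SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    digest = {0: lambda d: d,
              1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[mtype]
    return f"{usage} {selector} {mtype} {digest(data).hex()}"

def tlsa_rr(host, port, cert_der, usage=3, selector=1, mtype=1, proto="tcp", ttl=3600):
    """Presentation-format RR in the same shape ldns-dane prints."""
    return f"_{port}._{proto}.{host}. {ttl} IN TLSA {tlsa_rdata(cert_der, usage, selector, mtype)}"

# --- constructed toy certificate: real field order, placeholder names/dates/signature ---

def ed25519_spki(raw_key: bytes) -> bytes:
    """SubjectPublicKeyInfo for an Ed25519 key (algorithm OID 1.3.101.112)."""
    return der(0x30, der(0x30, der(0x06, b"\x2b\x65\x70")) + der(0x03, b"\x00" + raw_key))

def toy_certificate(serial: int, spki: bytes, not_after: bytes) -> bytes:
    """Assemble an unsigned v3 certificate around spki; constructed for this example only."""
    version = der(0xA0, der(0x02, b"\x02"))                              # [0] EXPLICIT INTEGER 2
    serial_der = der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    sig_alg = der(0x30, der(0x06, b"\x2b\x65\x70"))                      # Ed25519, no parameters
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03")        # CN=mail.example.org
                                       + der(0x0c, b"mail.example.org"))))
    validity = der(0x30, der(0x17, b"140930000000Z") + der(0x17, not_after))
    tbs = der(0x30, version + serial_der + sig_alg + name + validity + name + spki)
    signature = der(0x03, b"\x00" + bytes(64))                           # placeholder, not a real signature
    return der(0x30, tbs + sig_alg + signature)

def renewal_comparison() -> dict:
    """Re-issue the same key with a new serial and validity: 3 0 1 changes, 3 1 1 does not."""
    spki = ed25519_spki(bytes(range(32)))                                # constructed key bytes
    old = toy_certificate(1001, spki, b"151001000000Z")
    new = toy_certificate(1002, spki, b"161001000000Z")
    return {"3 0 1 changes on renewal": tlsa_rdata(old, 3, 0, 1) != tlsa_rdata(new, 3, 0, 1),
            "3 1 1 stable on renewal": tlsa_rdata(old, 3, 1, 1) == tlsa_rdata(new, 3, 1, 1)}

if __name__ == "__main__":
    cert = toy_certificate(1001, ed25519_spki(bytes(range(32))), b"151001000000Z")
    print(tlsa_rr("mail.example.org", 25, cert, 3, 0, 1))
    print(tlsa_rr("mail.example.org", 25, cert, 3, 1, 1))
    print(renewal_comparison())
```

Run against a real certificate by replacing the toy with the DER bytes of the PEM you would hand to `ldns-dane -c` (`openssl x509 -in mail.example.org.pem -outform DER` produces them); the two `tlsa_rr` calls then reproduce the `3 0 1` and `3 1 1` records the thread shows. The renewal comparison is the operational argument in Willem's reply: publishing the key hash lets you renew certificates without a TLSA rollover, at the cost of no longer pinning the certificate's other fields.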
_______________________________________________
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users