Creating TLSA records (DANE Protocol)Frederic Cambus January 08, 2013 [DNS]
I recently deployed DANE (RFC 6698) on StatDNS DNSSEC Testground domain, and thus had to create TLSA records. For doing so, I used hash-slinger (which makes the process straightforward) and decided to publish this quick tutorial, mainly to serve as a memo.
We start by installing (as root) required packages to run the program, follow the instructions related to the Linux distribution you are using:
yum install m2crypto python-dns python-ipaddr unbound unbound-python
On Ubuntu, we also need to update the root and DLV anchors manually.
apt-get install python-m2crypto python-dnspython python-ipaddr unbound python-unbound unbound-anchor -a "/etc/unbound/root.key" unbound-anchor -a "/etc/unbound/dlv.isc.org.key"
We then fetch and unpack hash-slinger (at the time of writing, the latest version is 2.1):
wget http://people.redhat.com/pwouters/hash-slinger/hash-slinger-2.1.tar.gz tar xvfz hash-slinger-2.1.tar.gz cd hash-slinger-2.1
We can now create our TLSA records:
./tlsa --create www.statdns.net
Alternatively, if your DNSSEC signer does not yet support TLSA records:
./tlsa --create -o generic www.statdns.net