Creating TLSA records (DANE Protocol)

Frederic Cambus January 08, 2013 [DNS]

I recently deployed DANE (RFC 6698) on the StatDNS DNSSEC Testground domain, and thus had to create TLSA records. To do so, I used hash-slinger (which makes the process straightforward) and decided to publish this quick tutorial, mainly to serve as a memo.

We start by installing (as root) the packages required to run the program; follow the instructions for the Linux distribution you are using:

Fedora:

yum install m2crypto python-dns python-ipaddr unbound unbound-python

Ubuntu:

On Ubuntu, we also need to update the root and DLV anchors manually.

apt-get install python-m2crypto python-dnspython python-ipaddr unbound python-unbound

unbound-anchor -a "/etc/unbound/root.key"
unbound-anchor -a "/etc/unbound/dlv.isc.org.key"

We then fetch and unpack hash-slinger (at the time of writing, the latest version is 2.1):

wget http://people.redhat.com/pwouters/hash-slinger/hash-slinger-2.1.tar.gz
tar xvfz hash-slinger-2.1.tar.gz
cd hash-slinger-2.1

We can now create our TLSA records:

./tlsa --create www.statdns.net

Alternatively, if your DNSSEC signer does not yet support TLSA records:

./tlsa --create -o generic www.statdns.net
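To make clear what the tool is computing in both output modes, here is an added Python example (my own code, not from the post or from hash-slinger) that builds the TLSA RDATA from RFC 6698, renders it either as a native TLSA record or in the RFC 3597 "generic" (TYPE52) form, and performs the validator-side match. The certificate bytes, the host name, and the 3 0 1 parameters used in the demo are assumptions of mine.

```python
import hashlib

TLSA_RRTYPE = 52  # IANA RR type number for TLSA; used by the RFC 3597 generic form

# Constructed stand-in for a DER-encoded certificate (not a real certificate).
SAMPLE_CERT = b"\x30\x82\x01\x00constructed-der-certificate-bytes-for-demo"


def tlsa_rdata(data: bytes, usage: int, selector: int, mtype: int) -> bytes:
    """Build TLSA RDATA (RFC 6698 section 2.1): one byte each for usage,
    selector and matching type, then the certificate association data.
    `data` is the full DER certificate for selector 0, or the DER
    SubjectPublicKeyInfo for selector 1 (the caller extracts it)."""
    if usage not in (0, 1, 2, 3) or selector not in (0, 1):
        raise ValueError("unsupported usage/selector")
    if mtype == 0:
        assoc = data                           # exact match on the raw bytes
    elif mtype == 1:
        assoc = hashlib.sha256(data).digest()  # SHA-256 of the bytes
    elif mtype == 2:
        assoc = hashlib.sha512(data).digest()  # SHA-512 of the bytes
    else:
        raise ValueError("unsupported matching type")
    return bytes([usage, selector, mtype]) + assoc


def tlsa_record(host: str, data: bytes, usage=3, selector=0, mtype=1,
                port=443, proto="tcp", generic=False) -> str:
    """Render a zone-file line. generic=True emits the RFC 3597 unknown-type
    form (TYPE52 \\# length hex) for signers that do not know TLSA yet."""
    rdata = tlsa_rdata(data, usage, selector, mtype)
    owner = f"_{port}._{proto}.{host}."
    if generic:
        return f"{owner} IN TYPE{TLSA_RRTYPE} \\# {len(rdata)} {rdata.hex()}"
    return f"{owner} IN TLSA {usage} {selector} {mtype} {rdata[3:].hex()}"


def tlsa_matches(rdata: bytes, presented: bytes) -> bool:
    """Validator side: does the certificate (or SPKI) presented in the TLS
    handshake match the association data of a published record?"""
    usage, selector, mtype = rdata[0], rdata[1], rdata[2]
    return tlsa_rdata(presented, usage, selector, mtype) == rdata


if __name__ == "__main__":
    print(tlsa_record("www.statdns.net", SAMPLE_CERT))
    print(tlsa_record("www.statdns.net", SAMPLE_CERT, generic=True))
```

The generic line carries the same three leading bytes (here `030001`) followed by the digest, which is why it is 35 octets long for SHA-256.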