I have managed to get for most of my domains DNSSEC setup
This may help if you looking to get DNSSEC setup https://www.icann.org/resources/pages/deployment-2012-02-25-en
And would like to set TLSA record for the OTHER domains that have in MIAB
as box.domain.name already has TLSA record, but all the additional domains added
Am I right that the reason DNS TLSA RR for secondary domains is not implemented is that because the Let’s Encrypt certs change every 90 days and there would have to mechanism build in to renewing the DNS TLSA RR every 90 days as well?
Could someone explain to me HOW could I manually add
(I know I may have to generate the DNS TLSA RR when Let’s Encrypt certs are renewed)
the TLSA Record for the secondary domain onto the MIAB install please?
I have found how to generated them
openssl s_client -showcerts -connect debian.org:443 -servername debian.org < /dev/null | openssl x509 -outform PEM
Tried this and as expected fail on secondary domains:
ldns-dane verify box.domain.name 443
ldns-dane verify myname.domain 443
And got for box.domain.name
188.8.131.52 dane-validated successfully
2a01:1:1:1::11 dane-validated successfully
And this for secondary domain:
Warning! No TLSA records for _443._tcp.myname.domain. were found.
PKIX validation without DANE will be performed.
184.108.40.206 did not dane-validate, because: Could not PKIX validate
2a01:1:1:1::11 did not dane-validate, because: Could not PKIX validate
So is it as simple as executing? I do not want to break the box
ldns-dane create domain.name 443 3 0 2
Oh sorry you’re talking about TLSA records for HTTPS, rather than for SMTP. Well, yes, they would need to be updated whenever the TLS certificate changes, which with Lets Encrypt would be every few months. But the reason we don’t create them is that no web browser checks them.
I don’t think the box will let you set it, but if you manage to set it correctly - it’s fine, it won’t interfere with anything.
Yes, I am talking about DNS TLSA RR for HTTPS as per my previous post over here
You are right at the moment browsers do not check it, but there is a add-on “DNSSEC/TLSA Validator” for (Firefox not currently working on v 57+, Internet Explorer (IE), Mozilla Firefox (MF) , Google Chrome/Chromium (GC), Opera (OP), Apple Safari (AS) are supported.) that will check both the DNSSEC and TLSA records of the domain you viewing in your web browser.
So when I run System -> Status Checks I am notified with the message:
“This domain’s DNSSEC DS record is not set. The DS record is optional. The DS record activates DNSSEC. To set a DS record, you must follow the instructions provided by your domain name registrar”.
I know this is optional, but if you have an option to set DNSSEC for all the domain names and added to MIAB, would it make sense since the DNS TLSA RR for HTTPS is here to implement it in MIAB as well as on optional extra?
Would it need a loot of work to implement the DNS TLSA RR for HTTPS in System -> Status Checks page?
Or would it be possible to make it available in Custom DNS section as a “TLSA” Type along the A, AAAA, CAA, CNAME, TXT, MX, SRV, SSHFT and NS for those who would like to set it up?
If it is not feasible, can someone at lease help me to implement in my set-up correctly for the HTTPS please?