Non-existent "TLSA Records" (DANE) for naked domain name "domain.name"

I wonder if there is any chance to add a certificate that would correspond to a TLSA record for the naked domain name.

I am using the https://www.dnssec-validator.cz/ add-on in Firefox that would display if DNSSEC/TLSA are set properly.

But at the moment, when I go to “box.domain.name/mail”, DNSSEC and TLSA are set properly,
but when I go to “domain.name/mail” (which is easier), I get “Non-existent TLSA Record”.

It is shorter to type “domain.name/mail” rather than “box.domain.name/mail”.

So would it be possible to also create a TLSA record for the naked domain name “domain.name”?
Is it possible to create a TLSA record for the naked domain name “domain.name”?

I found this article
https://enter.thewhiterabbit.space/create-and-validate-tlsa-records-dane/
that explains how to generate DNS TLSA records (DANE)

but when looking at the certificate /home/user-data/ssl/domain.name-20180101-87ca421.pem
there are two in that file. Which cert is it, the top one or the bottom one?
