On Mon, Jul 13, 2015 at 09:04:34PM +0000, Abdelmeniem Tharwat wrote:

> And when I try to execute dig @8.8.8.8
> _443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c +dnssec TLSA,
> I got the TLSA record that is identical to the hash from crt file.

Both are wrong.

> The TLSA validator said that :-
>
> [inline image attachment]
>
> any advice !!!

The correct "3 0 1" TLSA for your server is:

    _443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c. TLSA 3 0 1 AD562370D03DFBE4EDFC4780A2367C8FD086D8A00D53A80D8EC6A8909D50DA9A

What you've published is:

    _443._tcp.xn----ymcadjpj1at5o.xn--wgbh1c. TLSA 3 0 1 1A70DF05AC43318AB35A16542A8736D077ACE3126FAFE00508EDD7484F293C6C

No idea what that is the digest of, but it is not the digest of the DER form of the server certificate.

-- 
	Viktor.
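A way to recompute a "3 0 1" record from the certificate and compare it with what is published, as an added example that is not part of this thread. It handles selector 0 only (the full certificate, as in the records above); the PEM sample in it is a constructed placeholder, not a real certificate, and a real one would be read from the server's PEM or DER file.

```python
"""Recompute a DANE TLSA record from a certificate's DER bytes and
compare it with the RDATA actually published in DNS."""
import base64
import hashlib
import re


def pem_to_der(pem: str) -> bytes:
    """Extract the DER bytes from a PEM-encoded certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 0,
               mtype: int = 1) -> str:
    """Return the presentation form "usage selector mtype hexdata".

    Only selector 0 (full certificate) is implemented; selector 1
    (SubjectPublicKeyInfo) would need an ASN.1 walk of the certificate.
    """
    if selector != 0:
        raise NotImplementedError("only selector 0 (full certificate) is handled")
    if mtype == 0:                                   # Full: hex of the DER itself
        data = cert_der
    elif mtype == 1:                                 # SHA2-256 of the DER
        data = hashlib.sha256(cert_der).digest()
    elif mtype == 2:                                 # SHA2-512 of the DER
        data = hashlib.sha512(cert_der).digest()
    else:
        raise ValueError(f"unknown matching type {mtype}")
    return f"{usage} {selector} {mtype} {data.hex()}"


def check_published(cert_der: bytes, published: str) -> str:
    """Compare published RDATA ("3 0 1 <hex>") with the certificate.

    Returns "match", "wrong-length" (not even the right digest size) or
    "mismatch" (right size, wrong content, as in the records above).
    """
    usage, selector, mtype, hexdata = published.split()
    expected = tlsa_rdata(cert_der, int(usage), int(selector), int(mtype)).split()[3]
    got = hexdata.lower()                            # zone data may be upper-case
    if got == expected:
        return "match"
    if len(got) != len(expected):
        return "wrong-length"
    return "mismatch"


# CONSTRUCTED placeholder: base64 of the bytes "abc", not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def demo() -> dict:
    der = pem_to_der(SAMPLE_PEM)
    correct = tlsa_rdata(der)
    # Pitfall: hashing the PEM text file gives a digest of the right length
    # that does not match the DER digest the TLSA record must carry.
    pem_file_digest = hashlib.sha256(SAMPLE_PEM.encode()).hexdigest()
    return {"correct": correct,
            "der_match": check_published(der, correct),
            "pem_hash_match": check_published(der, "3 0 1 " + pem_file_digest),
            "short": check_published(der, "3 0 1 abcd")}
```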
