Hi Dan,

On 09/26/2012 08:27 PM, Dan York wrote:
> If we had a page that was a simple set of steps it would be something
>  we could pass around and encourage people to consider doing.  I'm
> thinking of something like:
> 
> Existing certificate:
>  - get a copy of your TLS certificate
>  - generate the appropriate hash using ____
>  - create a DNS record that looks like "........."
>  - publish record (including DNSSEC signing) and celebrate
> 
> New certificate
>   - generate a new TLS certificate using ____
>   - install certificate in your web server (perhaps assume Apache for
> the tutorial)
>   - generate the appropriate hash using ____
>  - create a DNS record that looks like "........."
>  - publish record (including DNSSEC signing) and celebrate
>
> Now those steps may not be complete... this is just a first thought...
> and given that I've never deployed a TLSA record (but would like to) I
> don't know the exact steps. 

Looks good to me. Appendix A.4 of RFC 6698[1] describes the way to do it
(it is similar to DNSSEC key-rollover). I would recommend reading
Appendix A in full to understand the implication of certain choices of
matching type and selector.

As for tooling, I wrote a (proof of concept) tool called 'swede'[2] in
January of this year (and updated it when needed). It has been used to
create the Examples (Appendix C) in RFC 6698. The code is a bit messy,
but it works. I'm currently re-implementing it in a more maintainable
fashion (hopefully finished within a few weeks, but you never know).

> Even if someone could sketch out the basic outline of the commands one
> would use for the steps above, I'd be glad to write some text narrative
> explaining the commands.

I'd say try: swede and ask me or the mailing list for feedback when you
publish your articles.

Cheers,

Pieter

1 - http://tools.ietf.org/html/rfc6698#appendix-A.4
2 - https://github.com/pieterlexis/swede
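The steps Dan sketches (take the certificate, hash it, write the TLSA record) and the selector/matching-type choices Pieter points to in RFC 6698 Appendix A, worked through as an added example. This is not swede and not code from the thread; it parses just enough DER to pull the SubjectPublicKeyInfo out of a certificate, then builds the rdata for the usage, selector and matching type requested. The certificate it runs on is a minimal DER structure constructed inline for the demo (empty names, dummy key bits), not a real or valid certificate; point `tlsa_rdata` at the bytes of a real `.der` file to get a publishable record.

```python
"""Build a DANE TLSA record (RFC 6698) from a DER-encoded X.509 certificate.

Added example for this thread, not swede and not code from the original post.
Usage 3 = DANE-EE; selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
matching type 0 = exact data, 1 = SHA-256, 2 = SHA-512.
"""
import hashlib


def _der_read(data, pos):
    """Return (tag, value_start, value_end) of the DER TLV starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length (RFC 6698 certs are > 127 bytes)
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _der_children(data, start, end):
    """Yield (tag, tlv_start, tlv_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, ve = _der_read(data, pos)
        yield tag, pos, ve
        pos = ve


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV (selector 1 input) from a certificate."""
    _, cert_vs, cert_ve = _der_read(cert_der, 0)          # Certificate ::= SEQUENCE
    _, tbs_start, _ = next(_der_children(cert_der, cert_vs, cert_ve))
    _, tbs_vs, tbs_ve = _der_read(cert_der, tbs_start)    # tbsCertificate ::= SEQUENCE
    fields = list(_der_children(cert_der, tbs_vs, tbs_ve))
    if fields[0][0] == 0xA0:                              # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, start, end = fields[5]
    if tag != 0x30:
        raise ValueError("unexpected tag where subjectPublicKeyInfo was expected")
    return cert_der[start:end]


def tlsa_rdata(cert_der, usage=3, selector=1, matching_type=1):
    """Return the TLSA rdata string: '<usage> <selector> <mtype> <hex association>'."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        assoc = data.hex()
    elif matching_type == 1:
        assoc = hashlib.sha256(data).hexdigest()
    elif matching_type == 2:
        assoc = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("matching type must be 0, 1 or 2")
    return f"{usage} {selector} {matching_type} {assoc}"


def tlsa_owner(host, port=443, proto="tcp"):
    """Owner name for the TLSA record of a TLS service, e.g. _443._tcp.www.example.com."""
    return f"_{port}._{proto}.{host}."


# --- constructed sample certificate (demo only, not a valid certificate) ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


_RSA_OID = _tlv(0x06, bytes.fromhex("2A864886F70D010101"))    # rsaEncryption
_SHA256_RSA_OID = _tlv(0x06, bytes.fromhex("2A864886F70D01010B"))
_SIGALG = _tlv(0x30, _SHA256_RSA_OID + _tlv(0x05, b""))
_EMPTY_NAME = _tlv(0x30, b"")
_VALIDITY = _tlv(0x30, _tlv(0x17, b"120101000000Z") + _tlv(0x17, b"130101000000Z"))
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _RSA_OID + _tlv(0x05, b""))
                    + _tlv(0x03, b"\x00" + b"\xAA" * 40))       # dummy key bits
_TBS = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
            + _SIGALG + _EMPTY_NAME + _VALIDITY + _EMPTY_NAME + SAMPLE_SPKI)
SAMPLE_CERT = _tlv(0x30, _TBS + _SIGALG + _tlv(0x03, b"\x00" * 9))


if __name__ == "__main__":
    # A "3 1 1" record survives certificate renewal as long as the key is kept,
    # which is why Appendix A of RFC 6698 discusses the selector choice.
    print(tlsa_owner("www.example.com"), "IN TLSA", tlsa_rdata(SAMPLE_CERT))
```

Replace `SAMPLE_CERT` with `open("cert.der", "rb").read()` for a real certificate (convert PEM first with `openssl x509 -in cert.pem -outform DER`), print the record into the zone, then sign and publish the zone with DNSSEC as the thread describes.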
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane