On Tue, May 22, 2018 at 12:30:23PM -0400, Viktor Dukhovni via Exim-users wrote:
> One small correction to the text below: > > https://tools.ietf.org/html/rfc7671#section-5.2.2 Perhaps another tweak would be useful, in the below: At the time of writing, https://www.huque.com/bin/gen_tlsa is useful for quickly generating TLSA records; and commands like $ openssl x509 -in -pubkey -noout <certificate.pem \ openssl rsa -outform der -pubin 2>/dev/null \ openssl sha512 \ awk '{print $2}' it should be emphasized that this generates hashes for "3 1 2" TLSA records. I don't think that "3 1 2" is warranted at present and DNS packet sizes should be kept as small as possible to avoid issues with dropped UDP fragments. So I would instead recommend "3 1 1", i.e. a "sha256" rather than "sha512" hash. The command would be (no longer RSA-specific, at the cost of requiring OpenSSL 1.0.0 or later): $ fqdn=$(uname -n) # or some manually entered name $ hash="$( openssl x509 -in -pubkey -noout -in certificate.pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | hexdump -ve '/1 "%02x"' )" $ empty=$( openssl dgst -sha256 -binary </dev/null | hexdump -ve '/1 "%02x"' )" $ if [ "$hash" != "$empty" ]; then printf "_25._tcp.%s. IN TLSA 3 1 1 %s\n" "$fqdn" "$hash" fi This also checks that the hash is not the hash of an empty input, due to failure of "openssl x509" and/or "openssl pkey". -- Viktor. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/