I've chosen 3 0 1 because it is more specific than 3 1 1. More material is processed to assess the validity. Though, I have to admit I use 3 1 1 myself as well because I'm lazy and don't want to roll over TLSA records every time the certificate needs to update.
Is "3 1 1" mentioned somewhere in a BCP document somewhere? If so, I'm happy to alter the defaults right away. Actually, I'm happy to change the defaults anyway unless someone is against it... We have a ldns-users list too (CC'ed). I suggest we continue this topic there (if needed).

-- Willem

On 30-09-14 at 14:47, A. Schulze wrote:
> Hello,
>
> maybe it's a little bit off topic but I think it's interesting anyway.
> ldns-dane as part of http://nlnetlabs.nl/projects/ldns/
> allows users to create TLSA records. By default the tool creates 3-0-1
> records
>
> $ ldns-dane -c mail.example.org.pem create mail.example.org 25
> _25._tcp.mail.example.org. 3600 IN TLSA 3 0 1 cafe...
>
> Today I learned from Viktor Dukhovni it's strongly recommended to use
> TLSA Records
> type 3-1-1 ( Selector = SubjectPublicKeyInfo )
>
> To generate recommended records I have to specify additional arguments:
> $ ldns-dane -c mail.example.org.pem create mail.example.org 25 3 1 1
> _25._tcp.mail.example.org. 3600 IN TLSA 3 1 1 beef...
>
> Would it be possible to modify ldns-dane to simply create
> the record in a recommended way?
>
> Thanks,
> Andreas
>
> _______________________________________________
> Unbound-users mailing list
> [email protected]
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
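A worked illustration of the selector difference discussed in the thread (an added example, not ldns or ldns-dane code): it derives the TLSA certificate association data for selector 0 (full certificate) and selector 1 (SubjectPublicKeyInfo) from DER with a small DER walker, using a constructed certificate-shaped blob and a constructed SPKI rather than a real key, and shows why a 3 1 1 record survives re-issuing a certificate for the same key while a 3 0 1 record has to be rolled over.

```python
import hashlib

# --- minimal DER encode/decode helpers (written for this example) ---
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_seq(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))

def der_read(buf: bytes, i: int):
    """Parse one TLV at offset i; return (tag, content_start, content_end)."""
    tag, first = buf[i], buf[i + 1]
    if first & 0x80:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[i + 2:i + 2 + n], "big"), 2 + n
    else:
        length, hdr = first, 2
    return tag, i + hdr, i + hdr + length

def der_children(buf: bytes) -> list:
    """Top-level TLV elements inside a DER SEQUENCE, each returned whole."""
    _, i, end = der_read(buf, 0)
    out = []
    while i < end:
        _, _, e = der_read(buf, i)
        out.append(buf[i:e]); i = e
    return out

def spki_from_cert(cert_der: bytes) -> bytes:
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo (RFC 5280 field order)."""
    fields = der_children(der_children(cert_der)[0])
    if fields[0][0] == 0xA0:          # optional explicit [0] version precedes serialNumber
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]

def tlsa_data(cert_der: bytes, selector: int, matching: int = 1) -> str:
    """Hex association data for selector 0 (Cert) or 1 (SPKI); matching 1=SHA-256, 2=SHA-512."""
    blob = cert_der if selector == 0 else spki_from_cert(cert_der)
    return hashlib.new({1: "sha256", 2: "sha512"}[matching], blob).hexdigest()

# Constructed SPKI (id-ecPublicKey OID, dummy point bytes) and certificate-shaped DER.
SPKI = der_seq(der_seq(der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")),
               der_tlv(0x03, b"\x00\x04" + bytes(range(64))))

def fake_cert(serial: int, spki: bytes) -> bytes:
    """Enough X.509 structure to locate the SPKI; issuer/validity/subject left empty."""
    tbs = der_seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")), der_tlv(0x02, bytes([serial])),
                  der_seq(der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),
                  der_seq(), der_seq(), der_seq(), spki)
    return der_seq(tbs, der_seq(), der_tlv(0x03, b"\x00sig"))

if __name__ == "__main__":
    old, new = fake_cert(1, SPKI), fake_cert(2, SPKI)   # re-issued cert, same key
    for sel in (0, 1):
        print(f"3 {sel} 1  old={tlsa_data(old, sel)[:16]}...  new={tlsa_data(new, sel)[:16]}...")
```

Selector 1 yields the same data for both certificates, so the record does not need to change at renewal; selector 0 changes with every re-issue.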
