Security/DNSSEC-TLS

504 bytes added, 16:50, 28 June 2011
== Creating a TLSA Record ==
Material embedded in a TLSA record must follow the [http://tools.ietf.org/html/draft-ietf-dane-protocol-07 specification]. This involves deciding what to embed. As mentioned above, the embedded material may be a certificate identifying an end entity (i.e. the server that clients connect to), a certification authority's certificate (where that certificate is an ancestor of a certificate on the server), or a public key (which may correspond to either of the two situations). The data actually embedded may then be the full representation, a SHA-256 hash, or a SHA-512 hash. Different choices may be appropriate for different situations.

Once the certificate type and reference type are determined, the corresponding values are used to construct the entry that goes into the zone file of the DNS server authoritative for the domain name in question. For instance, if the SHA-256 hash of a public key is used, the entry might look like this:

<nowiki>WWW.EXAMPLE.COM. 60 IN TYPE65468 \# 34 0301731050b68ae9bb14f894a0fd3c2dbe4210336942cdd69036235593ca582e787d</nowiki>

This specifies a record of type 65468 (the experimental number for TLSA) whose RDATA is 34 bytes long. The leading "03" indicates a public key and the "01" indicates SHA-256; the remaining 32 bytes are the hash of the server's public key.
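As an added example (not part of the original wiki page), a small Python helper that builds such a generic-format zone line from key material and checks one before it is published: the declared length must match the hex data, and the hash length must match the reference type. The sample key bytes are constructed, and the field values follow the page's description:

```python
import hashlib
import re

# Values as the page describes them: experimental type number, "03" = public key, "01" = SHA-256.
TLSA_TYPE_NUMBER = 65468
CERT_TYPE_PUBLIC_KEY = 3
REF_TYPE_FULL, REF_TYPE_SHA256, REF_TYPE_SHA512 = 0, 1, 2
HASH_LEN = {REF_TYPE_SHA256: 32, REF_TYPE_SHA512: 64}

def tlsa_rdata(cert_type: int, ref_type: int, material: bytes) -> bytes:
    """RDATA = 1-byte certificate type, 1-byte reference type, then the association data."""
    if ref_type == REF_TYPE_FULL:
        data = material
    elif ref_type == REF_TYPE_SHA256:
        data = hashlib.sha256(material).digest()
    elif ref_type == REF_TYPE_SHA512:
        data = hashlib.sha512(material).digest()
    else:
        raise ValueError("unknown reference type %d" % ref_type)
    return bytes([cert_type, ref_type]) + data

def zone_line(owner: str, ttl: int, rdata: bytes) -> str:
    """Render the RR in RFC 3597 generic syntax (\\# <length> <hex>), as on the page."""
    return "%s %d IN TYPE%d \\# %d %s" % (owner, ttl, TLSA_TYPE_NUMBER, len(rdata), rdata.hex())

_LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+TYPE(\d+)\s+\\#\s+(\d+)\s+([0-9a-fA-F]+)$")

def parse_zone_line(line: str) -> dict:
    """Parse a generic-syntax TLSA line and reject length/type inconsistencies before publishing it."""
    m = _LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not an RFC 3597 generic-format record")
    owner, ttl, rrtype, declared_len, hexdata = m.groups()
    if int(rrtype) != TLSA_TYPE_NUMBER:
        raise ValueError("unexpected RR type %s" % rrtype)
    rdata = bytes.fromhex(hexdata)
    if len(rdata) != int(declared_len):
        raise ValueError("declared length %s != %d actual bytes" % (declared_len, len(rdata)))
    if len(rdata) < 3:
        raise ValueError("RDATA too short for type, reference type and data")
    cert_type, ref_type, data = rdata[0], rdata[1], rdata[2:]
    if ref_type in HASH_LEN and len(data) != HASH_LEN[ref_type]:
        raise ValueError("reference type %d needs a %d-byte hash, got %d" % (ref_type, HASH_LEN[ref_type], len(data)))
    return {"owner": owner, "ttl": int(ttl), "cert_type": cert_type, "ref_type": ref_type, "data": data}

# Constructed stand-in for a DER-encoded SubjectPublicKeyInfo; hypothetical bytes, not a real key.
SAMPLE_SPKI = b"\x30\x82\x01\x22" + bytes(range(256)) + b"-constructed-sample-key"

def example_record() -> str:
    # Zone-file line for the SHA-256 hash of SAMPLE_SPKI, in the form the page shows.
    return zone_line("WWW.EXAMPLE.COM.", 60, tlsa_rdata(CERT_TYPE_PUBLIC_KEY, REF_TYPE_SHA256, SAMPLE_SPKI))
```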
== Contact ==
David Keeler (irc: keeler, email: d[irc name]@mozilla.com)