Changes


Security/DNSSEC-TLS-details

23 bytes removed, 23:55, 30 August 2011
Creating a TLSA Record
== Creating a TLSA Record ==
Material embedded in a TLSA record must follow the [http://tools.ietf.org/html/draft-ietf-dane-protocol-10 specification]. This involves deciding what to embed. The embedded material may be a certificate identifying an end entity (i.e. the server clients will connect to), a certification authority's certificate (where that certificate is an ancestor of a trust anchor for a certificate on the server), or a public key (which may correspond to either of the two situations). Then, the actual data embedded may be the full representation, a sha256 hash, or a sha512 hash. Different decisions may be appropriate for different situations. (This information is currently undergoing change - refer to the latest draft of the specification.)
Once the certificate type and reference type are determined, the appropriate values can be used to construct an entry that goes into the zone file for the DNS server that is authoritative for the domain name in question. For instance, if the sha256 hash of a public key were to be used, the entry might look like this:
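As an added example (not code from the wiki page or from the DANE draft), the following Python builds the association data, the wire-format RDATA and the zone-file line for a TLSA record from DER input, and performs the matching check a validating client would make against a presented certificate. It uses the selector and matching-type numbering of RFC 6698, which the cited draft became; the byte strings in the usage block are constructed stand-ins for real DER, which in practice come from openssl as noted in the comments.

```python
import hashlib
import hmac
import struct

# Selector and matching-type values as numbered in RFC 6698 (the published form
# of the DANE draft cited above). Certificate usage is passed through unchanged;
# check the current draft for its meaning before choosing it.
SELECTOR_CERT, SELECTOR_SPKI = 0, 1           # full certificate vs SubjectPublicKeyInfo
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def association_data(der, matching_type):
    """Return the bytes stored in the record for the chosen matching type."""
    if matching_type == MATCH_FULL:
        return der
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(der).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(der).digest()
    raise ValueError("unknown matching type %d" % matching_type)


def tlsa_rdata(usage, selector, matching_type, der):
    """Wire-format RDATA: three one-octet fields followed by the association data."""
    for field in (usage, selector, matching_type):
        if not 0 <= field <= 255:
            raise ValueError("TLSA fields are single octets")
    return struct.pack("!BBB", usage, selector, matching_type) + association_data(der, matching_type)


def tlsa_presentation(owner, usage, selector, matching_type, der):
    """Zone-file line such as '_443._tcp.www.example.com. IN TLSA 1 1 1 <hex>'."""
    data = association_data(der, matching_type).hex()
    return "%s IN TLSA %d %d %d %s" % (owner, usage, selector, matching_type, data)


def tlsa_matches(rdata, cert_der, spki_der):
    """Client-side check: does the presented certificate satisfy this record?
    The caller supplies the DER certificate and its extracted SubjectPublicKeyInfo."""
    usage, selector, matching_type = struct.unpack("!BBB", rdata[:3])
    candidate = cert_der if selector == SELECTOR_CERT else spki_der
    # constant-time compare; differing lengths simply compare unequal
    return hmac.compare_digest(rdata[3:], association_data(candidate, matching_type))


if __name__ == "__main__":
    # Constructed stand-ins for real DER. For a real certificate use, e.g.:
    #   openssl x509 -in cert.pem -outform DER -out cert.der
    #   openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER -out spki.der
    cert, spki = b"constructed-certificate-der", b"constructed-spki-der"
    print(tlsa_presentation("_443._tcp.www.example.com.", 1, SELECTOR_SPKI, MATCH_SHA256, spki))
```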