Re: [dane] Anyone interested in writing a DANE tutorial?

Paul Wouters <paul@cypherpunks.ca> Wed, 26 September 2012 22:15 UTC

Date: Wed, 26 Sep 2012 18:15:10 -0400
From: Paul Wouters <paul@cypherpunks.ca>
To: Dan York <dan-ietf@danyork.org>
In-Reply-To: <699F0F4D-3E06-44F5-88A4-40C1FC569E98@danyork.org>
Message-ID: <alpine.LFD.2.02.1209261809490.9988@bofh.nohats.ca>
References: <699F0F4D-3E06-44F5-88A4-40C1FC569E98@danyork.org>
Cc: IETF DANE WG list <dane@ietf.org>
Subject: Re: [dane] Anyone interested in writing a DANE tutorial?

On Wed, 26 Sep 2012, Dan York wrote:

> To this last point about getting more TLSA records published, would anyone be interested in writing a step-by-step tutorial for how
> to publish a TLSA record?  Or collaborating on writing one?

My slide deck from Linux Security Summit 2012 had that information.
I'll also be presenting about this at SecTor and ICANN.

> Even if someone could sketch out the basic outline of the commands one would use for the steps above, I'd be glad to write some
> text narrative explaining the commands.

yum | apt-get install hash-slinger (from http://people.redhat.com/pwouters/hash-slinger )

[paul@bofh]$ tlsa --create ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TLSA 3 0 1 54f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e

Or use -o generic, to get the record in generic format for those
nameservers or signers that do not yet support the TLSA RRtype:

[paul@bofh]$ tlsa --create -o generic ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TYPE52 \# 35 03000154f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e

Paul
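An added example (not hash-slinger's code and not part of the mail above) showing how the two record forms quoted in it relate: the TLSA RDATA is usage, selector, matching type, then the association data, and the RFC 3597 generic form is simply that RDATA hex-dumped after its byte length. The function names and the constructed DER stand-in are assumptions; only selector 0 (full certificate) is handled.

```python
"""Build a TLSA record (RFC 6698) from a DER certificate in both the native
presentation format and the RFC 3597 generic (TYPE52) format.
record_from_digest() reproduces the two ietf.org lines quoted in the mail."""
import hashlib

TLSA_RRTYPE = 52  # IANA RR type code for TLSA, hence "TYPE52" in generic syntax


def tlsa_rdata(cert_der: bytes, usage: int, selector: int, mtype: int) -> bytes:
    """Return the TLSA RDATA: usage, selector, matching type, association data.
    Only selector 0 (full certificate) is supported; selector 1 would need the
    SubjectPublicKeyInfo pulled out of the DER, which this example does not parse."""
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is supported here")
    if mtype == 0:
        assoc = cert_der                           # exact match: whole DER blob
    elif mtype == 1:
        assoc = hashlib.sha256(cert_der).digest()  # SHA-256, as tlsa --create uses
    elif mtype == 2:
        assoc = hashlib.sha512(cert_der).digest()
    else:
        raise ValueError("unknown matching type %d" % mtype)
    return bytes([usage, selector, mtype]) + assoc


def record_from_rdata(owner: str, rdata: bytes, generic: bool = False) -> str:
    """Format RDATA as a zone-file line, like `tlsa --create [-o generic]`."""
    if generic:
        # RFC 3597 unknown-type syntax: TYPE<n> \# <rdata length> <rdata as hex>
        return f"{owner} IN TYPE{TLSA_RRTYPE} \\# {len(rdata)} {rdata.hex()}"
    usage, selector, mtype = rdata[:3]
    return f"{owner} IN TLSA {usage} {selector} {mtype} {rdata[3:].hex()}"


def tlsa_record(owner, cert_der, usage=3, selector=0, mtype=1, generic=False):
    """Full pipeline from DER certificate to zone-file line (assumed helper name)."""
    return record_from_rdata(owner, tlsa_rdata(cert_der, usage, selector, mtype), generic)


def record_from_digest(owner, digest_hex, usage=3, selector=0, mtype=1, generic=False):
    """Same, when the hash is already known (e.g. produced by another tool)."""
    rdata = bytes([usage, selector, mtype]) + bytes.fromhex(digest_hex)
    return record_from_rdata(owner, rdata, generic)


if __name__ == "__main__":
    digest = "54f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e"  # from the mail
    print(record_from_digest("_443._tcp.ietf.org.", digest))
    print(record_from_digest("_443._tcp.ietf.org.", digest, generic=True))
    fake_der = b"\x30\x82\x01\x00" + bytes(range(256))  # constructed stand-in, not a real cert
    print(tlsa_record("_443._tcp.example.com.", fake_der))
```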