Is it possible to create DANE TLSA records when the DNS server doesn't support it?

I'd like to set up DANE for the domain which handles my email. My domain is registered at OVH, and I'm using their anycast DNS servers. They do support DNSSEC, but not TLSA records.

Is there a fallback record type I can use (like using TXT when the server doesn't support SPF, etc.)?


I've been able to do it on OVH by generating a "generic" record (with TYPE52 instead of TLSA). This can easily be done using hash-slinger:

$ tlsa --usage 1 --selector 1 --mtype 1 --output generic --certificate /path/to/certificate.pem example.com
_443._tcp.example.com. IN TYPE52 \# 35 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef012345

Adding this record in the OVH manager works just fine.
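As an added example, not code from the answer above or from hash-slinger: the same TYPE52 record computed by hand in Python, so a generated record can be checked before it is pasted into a zone editor. It assumes the certificate is already DER-encoded (in the standard library, ssl.PEM_cert_to_DER_cert turns a PEM string into DER) and, for selector 1, walks the certificate's ASN.1 to find the SubjectPublicKeyInfo; the sample input is a constructed, certificate-shaped DER blob rather than a real certificate.

```python
import hashlib

def _der_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_der(cert_der):
    """Return the SubjectPublicKeyInfo TLV of an X.509 certificate (selector 1)."""
    _, pos, _ = _der_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, pos, _ = _der_tlv(cert_der, pos)     # TBSCertificate SEQUENCE
    tag, _, end = _der_tlv(cert_der, pos)
    if tag == 0xA0:                         # optional explicit [0] version
        pos = end
    for _ in range(5):                      # serial, signature, issuer, validity, subject
        _, _, pos = _der_tlv(cert_der, pos)
    _, _, end = _der_tlv(cert_der, pos)
    return cert_der[pos:end]

def tlsa_rdata(usage, selector, mtype, cert_der):
    """Wire-format TLSA RDATA: usage, selector, matching type, association data."""
    data = cert_der if selector == 0 else spki_from_der(cert_der)
    digest = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[mtype]
    return bytes([usage, selector, mtype]) + digest(data)

def generic_record(owner, usage, selector, mtype, cert_der):
    """RFC 3597 presentation form (TYPE52 \\# len hex) for zone editors without TLSA."""
    rdata = tlsa_rdata(usage, selector, mtype, cert_der)
    return f"{owner} IN TYPE52 \\# {len(rdata)} {rdata.hex()}"

def der_encode(tag, body):                  # tiny encoder for the sample (short lengths only)
    return bytes([tag, len(body)]) + body

# Constructed, certificate-shaped DER (not a real, signed certificate) so the
# walk above can be exercised offline. Hypothetical sample input.
RSA_OID, SHA256RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01", b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
SAMPLE_SPKI = der_encode(0x30, der_encode(0x30, der_encode(0x06, RSA_OID) + der_encode(0x05, b""))
                         + der_encode(0x03, b"\x00" + b"\x01" * 8))
SAMPLE_CERT = der_encode(0x30, der_encode(0x30,
    der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")        # version v3, serial
    + der_encode(0x30, der_encode(0x06, SHA256RSA_OID)) + der_encode(0x30, b"")     # signature, issuer
    + der_encode(0x30, der_encode(0x17, b"240101000000Z") + der_encode(0x17, b"250101000000Z"))
    + der_encode(0x30, b"") + SAMPLE_SPKI)                                          # subject, SPKI
    + der_encode(0x30, der_encode(0x06, SHA256RSA_OID)) + der_encode(0x03, b"\x00" * 5))

if __name__ == "__main__":
    print(generic_record("_443._tcp.example.com.", 1, 1, 1, SAMPLE_CERT))
```

The printed line has the same shape as the hash-slinger output above (35 bytes: three parameter octets plus a 32-byte SHA-256), so the two can be compared byte for byte before the record is added.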


No.

The use of TXT for this in the case of SPF was done to allow for broader implementation, but it is not a general scheme, and there are disadvantages to that approach which preclude its standardization (mostly increased application complexity but there are other reasons).

If you need support for unusual RRtypes (which at the moment TLSA is), the best thing to do is to host your own authoritative nameservers.