I'm happy to announce that LetsDNS release 1.2.0 is now available
and ready for public use. Version 1.2.0 introduces support for
more TSIG key algorithms for dynamic DNS updates.
Website: https://letsdns.org
GitHub : https://github.com/LetsDNS/letsdns
PyPI : https://pypi.org/project/letsdns/
LetsDNS is a utility to manage DANE TLSA records in DNS servers with
only a few lines of configuration. It supports multiple domains with
multiple TLS certificates each.
LetsDNS can be invoked manually, from cron jobs, or called in hook
functions of ACME clients like dehydrated or certbot. It currently
supports backends via the DNS Update Protocol (RFC 2136), the Hetzner
DNS API, and a generator for nsupdate scripts. Additionally, LetsDNS
is designed to be expanded using custom Python modules which are loaded
dynamically during runtime.
I'd appreciate you taking LetsDNS for a leisurely spin, and letting me
know of your experiences. GitHub discussions/issues are preferred, but
you can also send mail to "author at letsdns dot org".
Enjoy.
-Ralph
There are still ~250 MX hosts with DANE TLSA records that match the
retired X3 or X4 Let's Encrypt CAs. Perhaps also other retired CAs,
but these are the ones I'm tracking at:
https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Please take care to avoid DANE TLSA records with the below usage,
selector, matching type and associated data combinations:
TLSA records of retired CAs to avoid (CA, usage, selector, matching type, associated data):
X3 2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18
X4 2 1 1 B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E02CF362B
X3 2 0 1 731D3D9CFAA061487A1D71445A42F67DF0AFCA2A6C2D2F98FF7B3CE112B1F568
X3 2 0 1 25847D668EB4F04FDD40B12B6B0740C567DA7D024308EB6C2C96FE41D9DE218D
X4 2 0 1 5DE9152BED31FA0515DD1FC746133F1327562EF72A84CF2D2403E748A604D0D4
X4 2 0 1 A74B0C32B65B95FE2C4F8F098947A68B695033BED0B51DD8B984ECAE89571BB6
X3 2 1 2 774FAD8C9A6AFC2BDB44FABA8390D213AE592FB0D56C5DFAB152284E334D7CD6ABD05799236E7AA6266EDF81907C60404C57EE54C10A3A82FCC2A9146629B140
X4 2 1 2 A0F5D1333BC90BCEA0B0B5F401160B6E7F28A1256BC5B5D65F04B06B0BB0C96270AA81D8E2726394D385BF3E9EE46EB4AB7548C782D5688CC16D0CDFFEFB8594
X3 2 0 2 5EC5B0783C6E667E0965DF772943A06326768DE0F75DC0BD2FE378F02CCCA7D56C987656174CBE158CC29ECD763F8BDA3454332CC7D47FB934691409C5FB8686
X3 2 0 2 2E1E12DACB350E69317A7F37D769F46F16F437CF8D392319279C93515E5600BAED3D3ACD5DC83B673E8C60CF7FBA0DCE00A4D162A3B966A3EBF72487C376FCA0
X4 2 0 2 74DDAD9F8CDFA0FE6F6B70301B557A63A58B87FC2C17FAE0F65E47D141226C062A74FA14861DC47A720BD8699B99091A06BD695CDDE51222F837B9DECFC270C5
X4 2 0 2 964468A5C685F305AA5865C049D814770B844DF2CF7645F9A4AFAF42957E334BCF1F290BABAAFE020C4E9A68C5689D570E37F11114FFD676C95B17B3D768B932
The reason that there are pairs of "2 0 1" and "2 0 2" records is that
the X3 and X4 CAs were initially signed by DST and later by ISRG. All
certificates issued via "X3" have long expired, and all replacements are
using "R3" or "E1".
And of course if some other CA you've listed and haven't checked up on
since has since been retired, be sure to delist it as well.
DANE TLSA records are not "deploy and forget", they need to be actively
monitored. Both to make sure that at least one matches, and to not
forget to age out any that no longer match and might be stale.
Leaving monitoring to the DANE survey (https://stats.dnssec-tools.org)
is neither timely nor reliable (~24 hours notification delay, if the
domain is included in the survey and a responsive domain contact can be
found).
--
Viktor.
P.S.
While I have your attention, please also read:
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
and perhaps consider using "danebot":
https://github.com/tlsaware/danebot
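As an added example (not code from LetsDNS or danebot), the following Python script performs the monitoring check described above offline: it computes the TLSA associated data for a certificate chain using the selector and matching-type rules of RFC 6698, reports whether at least one record matches the chain, lists records that match nothing and should be aged out, and flags any record that appears among the SHA-256 rows of the retired X3/X4 table above. The certificate and SubjectPublicKeyInfo byte strings are constructed placeholders, not real DER; with real input you would pass the DER encodings obtained from your TLS library, and PKIX validation (usages 0 and 1, which RFC 7672 does not use for SMTP) is out of scope.

```python
"""Offline DANE TLSA record check: does at least one record match the
current chain, which records are stale, and which belong to the retired
Let's Encrypt X3/X4 CAs.  Added example for this thread, not LetsDNS or
danebot code.  DER byte strings below are constructed placeholders."""

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA, 3 = DANE-EE (0/1 are not used for SMTP, RFC 7672)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: str       # associated data as lowercase hex

    @classmethod
    def parse(cls, text: str) -> "TLSA":
        """Parse 'usage selector mtype hexdata' as printed in the table above."""
        usage, selector, mtype, data = text.split()
        return cls(int(usage), int(selector), int(mtype), data.lower())


# The SHA-256 ("2 x 1") rows of the retired-CA table, copied verbatim.
RETIRED_ROWS = """
X3 2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18
X4 2 1 1 B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E02CF362B
X3 2 0 1 731D3D9CFAA061487A1D71445A42F67DF0AFCA2A6C2D2F98FF7B3CE112B1F568
X3 2 0 1 25847D668EB4F04FDD40B12B6B0740C567DA7D024308EB6C2C96FE41D9DE218D
X4 2 0 1 5DE9152BED31FA0515DD1FC746133F1327562EF72A84CF2D2403E748A604D0D4
X4 2 0 1 A74B0C32B65B95FE2C4F8F098947A68B695033BED0B51DD8B984ECAE89571BB6
"""
RETIRED_X3_X4 = {}  # TLSA record -> CA name
for _line in RETIRED_ROWS.split("\n"):
    if _line.strip():
        _ca, _rest = _line.split(None, 1)
        RETIRED_X3_X4[TLSA.parse(_rest)] = _ca


def associated_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> str:
    """Associated data a TLSA record would carry for this certificate (RFC 6698 2.1)."""
    subject = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return subject.hex()
    if mtype == 1:
        return hashlib.sha256(subject).hexdigest()
    if mtype == 2:
        return hashlib.sha512(subject).hexdigest()
    raise ValueError(f"unknown matching type {mtype}")


def evaluate(records, chain):
    """chain: [(cert_der, spki_der), ...], leaf first, issuers after.
    Returns (matched, stale, retired).  Stale records match nothing in the
    chain and should be aged out; retired ones are in the X3/X4 table."""
    leaf, issuers = chain[0], chain[1:]
    matched, stale, retired = [], [], []
    for r in records:
        if r in RETIRED_X3_X4:
            retired.append(r)
        # DANE-EE compares against the leaf, DANE-TA against any issuer.
        candidates = {3: [leaf], 2: issuers}.get(r.usage, [])
        if any(associated_data(c, s, r.selector, r.mtype) == r.data for c, s in candidates):
            matched.append(r)
        else:
            stale.append(r)
    return matched, stale, retired


# Constructed stand-ins for DER bytes (not real certificates or keys).
LEAF = (b"constructed-leaf-cert-der", b"constructed-leaf-spki-der")
R3 = (b"constructed-R3-intermediate-der", b"constructed-R3-spki-der")
OLD_KEY_SPKI = b"constructed-previous-leaf-spki-der"

SAMPLE_RECORDS = [
    TLSA.parse("3 1 1 " + associated_data(*LEAF, 1, 1)),            # current key: matches
    TLSA.parse("2 0 1 " + associated_data(*R3, 0, 1)),              # current issuer: matches
    TLSA.parse("3 1 1 " + hashlib.sha256(OLD_KEY_SPKI).hexdigest()),  # rotated-away key: stale
    TLSA.parse("2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18"),  # retired X3
]


def run_sample():
    """Evaluate the constructed records against the constructed chain."""
    return evaluate(SAMPLE_RECORDS, [LEAF, R3])


if __name__ == "__main__":
    matched, stale, retired = run_sample()
    print("at least one record matches:", bool(matched))
    for r in stale:
        tag = f" (retired {RETIRED_X3_X4[r]})" if r in RETIRED_X3_X4 else ""
        print(f"stale: {r.usage} {r.selector} {r.mtype} {r.data[:16]}...{tag}")
```

Run as a cron job, the same logic lets you alert on two distinct conditions: no record matching the chain (an outage in the making) and records that match nothing any more (the "2 0 1"/"2 1 1" X3 rows being the textbook case).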
Dear DANE users,
Validating the SMTP DANE setup of, it results in success but the details
show two untrusted certificates:
mx2.molgen.mpg.de (141.14.17.10) [1]:
3, 1, 2 7aad43a0fdff3445[...]49cd4a23db83374c - certificate not
trusted: (27)
molgen.mpg.de (a1241.mx.srv.dfn.de, 194.95.232.62)
3, 0, 1 c613b846076b5503[...]539e7ac79a3f13e9 - certificate not
trusted: (27)
It'd be great if you could point me in the right direction for getting
more details on these issues.
Kind regards,
Paul
[1]: https://dane.sys4.de/smtp/mx2.molgen.mpg.de
[2]: https://dane.sys4.de/smtp/molgen.mpg.de