On 02/19/2017 07:20 PM, John Allen wrote:
> Any suggestions as to how to get the output into my DNS (Bind9) preferably without using nsupdate.
For what it's worth, my method to insert TLSA records into my zone files is to use some M4 macros.
The idea is to "fetch" the digests from the zone file when signing it, instead of "pushing" the digests to the zone file when renewing the certificates.
So, my zone file contains something like that:
---8<---
m4_dnl SPKI_DGST(cert): SHA-256 of the DER SubjectPublicKeyInfo (TLSA selector 1,
m4_dnl matching type 1). The zone-file presentation format requires the digest as
m4_dnl hex, not base64, so the bytes are hex-encoded with od/tr (POSIX tools).
m4_dnl Double quotes are used inside the macro body because a single quote would
m4_dnl end the m4 quoting early.
m4_define(SPKI_DGST, `m4_esyscmd(openssl x509 -in $1 -pubkey -noout | \
    openssl rsa -pubin -outform DER | \
    openssl dgst -sha256 -binary | \
    od -An -v -tx1 | tr -d " \n")')

_443._tcp.example.com.      IN TLSA 3 1 1 SPKI_DGST(/path/to/web/cert)
_25._tcp.mail.example.com.  IN TLSA 3 1 1 SPKI_DGST(/path/to/mail/cert)
--->8---
(Actually the macro definition is in a separate file which is included in the zone file. But you get the idea.)
The file is then processed by `m4 -P` and the resulting zone file is signed by dnssec-signzone.
(The manual for GNU M4 contains a warning that M4 can be "fairly addictive" and that its users tend to use it everywhere; I'm afraid that's true.)
Damien
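The "fetch at signing time" approach above only stays safe if the digest in the signed zone actually matches the key the server is currently presenting; a key rotated on the host but not yet reflected in a re-signed zone leaves DANE-EE (usage 3) clients rejecting the connection. The following script is an added example, not code from Damien's message or the thread. It builds the same "3 1 1" record from SubjectPublicKeyInfo bytes and then checks a zone fragment against the keys that are really deployed. The SPKI byte strings, owner names and zone lines are constructed for the example; in real use the SPKI DER would come from `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER`.

```python
import hashlib
import re

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo bytes.
# (Real values come from: openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER)
WEB_SPKI = b"constructed web key spki"
MAIL_SPKI = b"constructed mail key spki"
OLD_MAIL_SPKI = b"constructed mail key spki before rotation"


def spki_sha256_hex(spki_der: bytes) -> str:
    """TLSA selector 1 / matching type 1: SHA-256 over the DER SPKI.
    RFC 6698 presentation format wants the digest as hex, not base64."""
    return hashlib.sha256(spki_der).hexdigest()


def tlsa_record(owner: str, spki_der: bytes, usage: int = 3,
                selector: int = 1, mtype: int = 1) -> str:
    """Render one TLSA record in zone-file syntax (default: DANE-EE, SPKI, SHA-256)."""
    return f"{owner} IN TLSA {usage} {selector} {mtype} {spki_sha256_hex(spki_der)}"


# owner [TTL] [IN] TLSA usage selector mtype hexdata   (';' comments stripped first)
TLSA_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?TLSA\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f\s]+)$"
)


def parse_tlsa(zone_text: str) -> dict:
    """Collect TLSA RRs per owner as (usage, selector, mtype, lowercase hex)."""
    records = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = TLSA_RE.match(line)
        if not m:
            continue
        owner, usage, sel, mt, data = m.groups()
        digest = re.sub(r"\s+", "", data).lower()
        records.setdefault(owner, []).append((int(usage), int(sel), int(mt), digest))
    return records


def check_zone(zone_text: str, deployed: dict) -> list:
    """deployed: owner -> SPKI DER of the key the service currently serves.
    Returns (owner, problem) pairs for names a DANE-EE client would fail on."""
    records = parse_tlsa(zone_text)
    problems = []
    for owner, spki in deployed.items():
        want = spki_sha256_hex(spki)
        rrs = records.get(owner, [])
        if not rrs:
            problems.append((owner, "no TLSA record"))
        elif not any(rr == (3, 1, 1, want) for rr in rrs):
            problems.append((owner, "no 3 1 1 record matches the served key"))
    return problems


# Constructed zone fragment: the web record is current, the mail record still
# carries the digest of the key that was in use before the mail key was rotated.
SAMPLE_ZONE = "\n".join([
    "; constructed zone fragment",
    tlsa_record("_443._tcp.example.com.", WEB_SPKI),
    tlsa_record("_25._tcp.mail.example.com.", OLD_MAIL_SPKI),
])


def main():
    deployed = {
        "_443._tcp.example.com.": WEB_SPKI,
        "_25._tcp.mail.example.com.": MAIL_SPKI,
    }
    for owner, problem in check_zone(SAMPLE_ZONE, deployed):
        print(f"{owner}: {problem}; expected: {tlsa_record(owner, deployed[owner])}")


if __name__ == "__main__":
    main()
```

Running the check right before `dnssec-signzone` (or from cron against the served certificates) catches the window between a certificate/key renewal and the next re-signing, which is exactly where the m4 approach otherwise relies on remembering to re-sign. Publishing the new 3 1 1 record alongside the old one before switching keys, and removing the old one only after the TTL has expired, keeps `check_zone` green through a rollover.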