On Feb 19, 2017, at 2:02 PM, Damien Goutte-Gattat dgouttegattat@incenp.org wrote:
---8<---
m4_define(SPKI_DGST, `m4_esyscmd(openssl x509 -in $1 -pubkey -noout | \
    openssl rsa -pubin -outform DER | \
    openssl dgst -sha256 -binary | \
    openssl enc -base64)')

_443._tcp.example.com.      IN TLSA 3 1 1 SPKI_DGST(/path/to/web/cert)
_25._tcp.mail.example.com.  IN TLSA 3 1 1 SPKI_DGST(/path/to/mail/cert)
--->8---
Are you sure that base64 works in this context??? The presentation format for TLSA records is hex encoded. I use:
hexdump -ve '/1 "%02X"'
where you're using "openssl enc -base64"
(The manual for GNU M4 contains a warning that M4 can be "fairly addictive" and that its users tend to use it everywhere; I'm afraid that's true.)
Long ago I too was an m4 addict, but then I kicked the habit... :-)
That said, this implementation looks sensible.
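The hex-encoded form of the recipe above, as an added example that is not code from either message. It assumes openssl and POSIX od/tr on PATH; the function names tlsa_data and tlsa_rr and the hostnames are illustrative. Compared with the quoted macro it uses openssl pkey rather than openssl rsa (so EC keys work too), takes the selector and matching type as parameters (0 = full certificate DER, 1 = SubjectPublicKeyInfo; 1 = SHA-256, 2 = SHA-512), and refuses to emit a record when the certificate cannot be read, instead of quietly hashing an empty stream:

```shell
#!/bin/sh
# Added example: generate TLSA RRs with hex-encoded association data.
# Not the macro from the quoted mail; assumes openssl + POSIX od/tr.

# Raw DER of the whole certificate (TLSA selector 0).
full_cert_der() { openssl x509 -in "$1" -outform DER; }

# Raw DER of the SubjectPublicKeyInfo (TLSA selector 1). "pkey" handles
# RSA, EC and Ed25519 alike, where "rsa -pubin" only handles RSA.
spki_der() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER
}

# Lowercase hex of stdin, no separators (equivalent to hexdump -ve '/1 "%02x"').
hex() { od -An -v -tx1 | tr -d ' \n'; }

# tlsa_data CERT [SELECTOR] [MTYPE] -> prints the hex digest for the RR.
tlsa_data() {
    cert=$1; selector=${2:-1}; mtype=${3:-1}
    case $mtype in
        1) alg=sha256 ;;
        2) alg=sha512 ;;
        *) echo "unsupported matching type: $mtype" >&2; return 1 ;;
    esac
    case $selector in
        0) extract=full_cert_der ;;
        1) extract=spki_der ;;
        *) echo "unsupported selector: $selector" >&2; return 1 ;;
    esac
    # Write the DER to a temp file first so an extraction failure is seen.
    # Piping straight into dgst would hash zero bytes and still print a
    # well-formed (and useless) digest if CERT is missing or unreadable.
    tmp=$(mktemp) || return 1
    if ! "$extract" "$cert" > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "cannot extract selector $selector data from $cert" >&2
        return 1
    fi
    openssl dgst "-$alg" -binary < "$tmp" | hex
    rm -f "$tmp"
    echo
}

# tlsa_rr OWNER CERT [USAGE] [SELECTOR] [MTYPE] -> one zone-file line.
# Defaults give the DANE-EE SPKI SHA-256 form (3 1 1) used in the thread.
tlsa_rr() {
    owner=$1; cert=$2; usage=${3:-3}; selector=${4:-1}; mtype=${5:-1}
    data=$(tlsa_data "$cert" "$selector" "$mtype") || return 1
    printf '%s. IN TLSA %s %s %s %s\n' "${owner%.}" "$usage" "$selector" "$mtype" "$data"
}

# Usage: sh tlsa.sh _443._tcp.www.example.com /path/to/cert.pem [3 1 1]
if [ $# -ge 2 ]; then
    tlsa_rr "$@"
fi
```

A "3 1 1" record pins the key, not the certificate: renewing with the same key leaves the digest unchanged, while a "3 0 1" record (selector 0) must be republished at every renewal. The od output is lowercase where the hexdump format in the reply gives uppercase; zone-file parsers accept either. The temp-file check matters because SHA-256 of an empty input is e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, which looks like a valid record and would silently break DANE validation if a path in the macro call were wrong.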