DANE-TA TLSA records for LE and Buypass Go
Hi, dane-users
I'd like to share that a couple of months ago I set up tlsa.is to host always up-to-date TLSA records for Let's Encrypt and Buypass Go.
The records are generated automatically. At the time of writing they look as follows:
; Let's Encrypt (https://letsencrypt.org/certificates/)
_letsencrypt TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
_letsencrypt TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
_letsencrypt TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
_letsencrypt TLSA 2 1 1 b111dd8a1c2091a89bd4fd60c57f0716cce50feeff8137cdbee0326e02cf362b
_letsencrypt TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
_letsencrypt TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
*._letsencrypt CNAME _letsencrypt

; Buypass (https://www.buypass.com/security/buypass-root-certificates)
_buypass-go TLSA 2 1 1 42519999c31433a6bcf82c4bd9399301fa180a6f9f5c0a2e033cca602c46a2cb
*._buypass-go CNAME _buypass-go
Using the records is easy:
; Using CNAME for a single service
_25._tcp.mail IN CNAME _letsencrypt.tlsa.is.

; Using DNAME for all services
_tcp.mail6 IN DNAME _letsencrypt.tlsa.is.
More details -- and the code behind this for local deployments -- are all available at https://tlsa.is/.
I've set up automatic monitoring of the web pages where signing details are published and intend to keep this running, but any use is at your own risk.
Please let me know if you have discovered an error, if some TLSA records for the supported authorities should be added, deleted or updated.
Best,
Kirill
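An added worked example, not part of Kirill's post or of the tlsa.is code, showing what a "2 1 1" record actually commits to: selector 1 means the DER SubjectPublicKeyInfo of the CA certificate (not the whole certificate), matching type 1 means its SHA-256, so anyone can recompute the published digests from the CA certificates and check them before pointing a CNAME at a third-party zone. The script uses only the Python standard library; it walks the certificate DER just far enough to cut out the SPKI and also handles selector 0 and matching types 0 and 2, which goes beyond the 2 1 1 records on the page. The certificate it runs on is a hand-built, unsigned DER structure constructed inline for the test (the key bits and signature are dummy bytes), and all function names (`spki_from_certificate`, `tlsa_association_data`, `record_matches`, `build_sample_cert`) are mine, not from tlsa.is.

```python
"""Recompute DANE TLSA association data from an X.509 certificate (stdlib only).

TLSA rdata is "usage selector matching-type hex-data":
  selector 0 = full DER certificate, 1 = DER SubjectPublicKeyInfo
  matching type 0 = raw bytes, 1 = SHA-256, 2 = SHA-512
Usage (0-3) does not affect the data; DANE-TA(2) means "this CA must issue
the server cert", which is what the tlsa.is records express.
"""
import hashlib


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, start, end


def _elements(buf: bytes, start: int, end: int):
    """Yield (tag, element_start, element_end) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend = _read_tlv(buf, pos)
        yield tag, pos, vend               # element_start includes the tag/length header
        pos = vend


def spki_from_certificate(cert_der: bytes) -> bytes:
    """Return the complete DER SubjectPublicKeyInfo TLV from a DER X.509 certificate."""
    tag, start, _ = _read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs_start, tbs_end = _read_tlv(cert_der, start)   # tbsCertificate
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate missing")
    elems = list(_elements(cert_der, tbs_start, tbs_end))
    # tbsCertificate: [0] version (optional), serialNumber, signature, issuer,
    # validity, subject, subjectPublicKeyInfo, ...  -> SPKI is index 6 or 5.
    idx = 6 if elems[0][0] == 0xA0 else 5
    spki_tag, s, e = elems[idx]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert_der[s:e]


def tlsa_association_data(cert_der: bytes, selector: int, matching_type: int) -> str:
    """Hex association data for the given selector/matching type (RFC 6698 section 2.1)."""
    if selector == 0:
        data = cert_der
    elif selector == 1:
        data = spki_from_certificate(cert_der)
    else:
        raise ValueError("unsupported selector %r" % selector)
    if matching_type == 0:
        return data.hex()
    if matching_type == 1:
        return hashlib.sha256(data).hexdigest()
    if matching_type == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError("unsupported matching type %r" % matching_type)


def tlsa_211_digest(cert_der: bytes) -> str:
    """The value a 'TLSA 2 1 1' record for this CA certificate must carry."""
    return tlsa_association_data(cert_der, 1, 1)


def record_matches(rdata: str, cert_der: bytes) -> bool:
    """Check presentation-format rdata ('2 1 1 8d02...', hex may be split by spaces) against a cert."""
    fields = rdata.split()
    selector, matching_type = int(fields[1]), int(fields[2])
    published = "".join(fields[3:]).lower()
    return published == tlsa_association_data(cert_der, selector, matching_type).lower()


# --- constructed sample certificate (dummy key and signature, not a real CA) ---
def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n]) if n < 0x100 else bytes([tag, 0x82]) + n.to_bytes(2, "big")
    return hdr + payload


_RSA_ENC = bytes.fromhex("06092a864886f70d010101") + b"\x05\x00"      # rsaEncryption, NULL
_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00"   # sha256WithRSAEncryption
SAMPLE_SPKI = _der(0x30, _der(0x30, _RSA_ENC) + _der(0x03, b"\x00" + bytes(range(1, 33))))
_NAME = _der(0x30, _der(0x31, _der(0x30, bytes.fromhex("0603550403") + _der(0x0C, b"Example CA"))))


def build_sample_cert(with_version: bool = True) -> bytes:
    """Constructed, unsigned X.509 DER (v3 with the explicit version tag, or v1 without)."""
    version = _der(0xA0, _der(0x02, b"\x02")) if with_version else b""
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
    tbs = _der(0x30, version + _der(0x02, b"\x01\x23") + _der(0x30, _SHA256_RSA)
               + _NAME + validity + _NAME + SAMPLE_SPKI)
    return _der(0x30, tbs + _der(0x30, _SHA256_RSA) + _der(0x03, b"\x00" + bytes(64)))


SAMPLE_CERT = build_sample_cert()

if __name__ == "__main__":
    print("_example TLSA 2 1 1 " + tlsa_211_digest(SAMPLE_CERT))
```

To check a real CA certificate instead of the constructed one, read its DER (`openssl x509 -in ca.pem -outform DER`) and pass the bytes to `tlsa_211_digest`; the result should equal `openssl x509 -in ca.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`. Two things the match alone does not tell you: with usage 2 the TLS server has to send the matched CA certificate in its chain (for a Let's Encrypt intermediate that means serving the full chain, not only the leaf), and a validating client only honours the TLSA RRset if both your CNAME/DNAME and the target RRset in tlsa.is are DNSSEC-signed.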