buffrr / letsdane

🔒 Let's DANE is an experimental way to enable the use of DANE/TLSA in browsers and other apps using a lightweight proxy.
Apache License 2.0

README suggestion #16

Closed raforg closed 3 years ago

raforg commented 3 years ago

Hi, this isn't an issue, just a suggestion for your README. And a shameless plug.

I expect most website admins wouldn't know how to implement DANE for their websites. It's usually only of interest to mail admins. And the learning curve is a big thing. And the payoff (for website admins) is tiny, so there's not a lot of incentive.

I've just published https://github.com/raforg/danectl which makes it super easy to use certbot to create a current + next pair of certificates, configure and generate all the TLSA 3 1 1 records you need (mail/web/whatever) for you to publish to the DNS, check that they are published, and perform rollovers.

It makes implementing DANE so easy that it might be enough to convince website admins to give it a go. Especially if they're already using certbot.

Of course, DNSSEC has to come first, but apparently 20% of new .com domains have DNSSEC, and with bind-9.16+ (like on the new stable debian-11), it has finally become incredibly easy to implement DNSSEC (only one extra line of config!).

But feel free to ignore this.
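Mechanically, a TLSA "3 1 1" record (DANE-EE usage, SubjectPublicKeyInfo selector, SHA-256 matching type) is a digest of the certificate's public key, not of the issuer chain, which is why a current + next pair of certificates maps to a pair of records that can both be published while a rollover is in flight. The Go program below is an added example, not code from danectl or letsdane: it derives the record from a certificate, renders the zone-file line to publish, parses RDATA back as a "has it been published?" check would read it from dig, and performs the client-side match against a rollover set. The certificates are throwaway self-signed ones minted inside the program and the name dane.example is invented; a real client must DNSSEC-validate the TLSA RRset before trusting it.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSARecord is one TLSA RR (RFC 6698). With "3 1 1" (DANE-EE, SPKI, SHA-256) the
// data is a digest of the certificate's SubjectPublicKeyInfo: the key is pinned, not the issuer.
type TLSARecord struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// TLSA311 derives the "3 1 1" record for cert.
func TLSA311(cert *x509.Certificate) TLSARecord {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return TLSARecord{Usage: 3, Selector: 1, MatchingType: 1, Data: sum[:]}
}

// Zone renders the zone-file line for owner (no trailing dot): "_443._tcp.dane.example. IN TLSA 3 1 1 <hex>".
func (r TLSARecord) Zone(owner string, port int, proto string) string {
	return fmt.Sprintf("_%d._%s.%s. IN TLSA %d %d %d %s", port, proto, owner,
		r.Usage, r.Selector, r.MatchingType, hex.EncodeToString(r.Data))
}

// ParseTLSA parses TLSA RDATA as printed by dig ("3 1 1 <hex>"), which is what a
// "has it been published yet?" check reads back from the DNS.
func ParseTLSA(rdata string) (TLSARecord, error) {
	var r TLSARecord
	var digest string
	if _, err := fmt.Sscanf(rdata, "%d %d %d %s", &r.Usage, &r.Selector, &r.MatchingType, &digest); err != nil {
		return r, fmt.Errorf("tlsa: bad rdata %q: %w", rdata, err)
	}
	data, err := hex.DecodeString(digest)
	if err != nil {
		return r, fmt.Errorf("tlsa: digest: %w", err)
	}
	if r.MatchingType == 1 && len(data) != sha256.Size {
		return r, fmt.Errorf("tlsa: SHA-256 digest is %d bytes, got %d", sha256.Size, len(data))
	}
	r.Data = data
	return r, nil
}

// Matches is the client-side check: does the presented certificate satisfy any published
// "3 1 1" record? The RRset must already be DNSSEC-validated; an unsigned answer proves nothing.
func Matches(published []TLSARecord, presented *x509.Certificate) bool {
	want := TLSA311(presented).Data
	for _, r := range published {
		if r.Usage == 3 && r.Selector == 1 && r.MatchingType == 1 && bytes.Equal(r.Data, want) {
			return true
		}
	}
	return false
}

// selfSigned mints a throwaway ECDSA certificate standing in for a certbot-issued one (constructed test data).
func selfSigned(name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	current, err1 := selfSigned("dane.example")
	next, err2 := selfSigned("dane.example")
	if err1 != nil || err2 != nil {
		panic("certificate generation failed")
	}
	// Rollover: publish both keys before the server switches to "next", so a client still
	// holding the old RRset in cache (up to its TTL) accepts whichever certificate is served.
	published := []TLSARecord{TLSA311(current), TLSA311(next)}
	for _, r := range published {
		fmt.Println(r.Zone("dane.example", 443, "tcp"))
	}
	fmt.Println("current accepted:", Matches(published, current), "next accepted:", Matches(published, next))
}
```

Because the digest covers only the SPKI, renewing a certificate with the same key (certbot's `--reuse-key`) leaves the record unchanged; a rollover is only needed when the key changes, and the old record can be retired once the old RRset has aged out of caches.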

buffrr commented 3 years ago

Love to see new DANE tools! Feel free to submit a PR to add a link to your tool, maybe in the DANE sites section that has FreeBSD and Tor, since it works with certbot only. I gave it a quick test and it does make it easier; I will try it on my websites at some point.

raforg commented 3 years ago

Thanks. I've submitted a PR. I've included Shumon Huque's website as well. It also has TLSA records, and contains lots of DANE tools.

raforg commented 3 years ago

Sorry about the copy-paste error in the link. There was a missing ".html". I've created a new pull request with the two sites moved into a new "DANE Tools" section.

buffrr commented 3 years ago

np, merged!