Practical TLSA

What's in This Post

I've heard of DANE[1] records but I've never bothered to add them to my own domains. That's because adding and maintaining those records is hard.

Recently I noticed Internet NL and their tests for determining whether your domain was hosted in a safe and modern way. They even have a Hall of Fame. I wanted to be amongst those sites that had passed all the hardening checks. Think of the glory, the adulation of my fellow nerds. Challenge accepted.

How hard could it be?

Hardening is Easy, Maintenance isn't.

It did take some effort to update all my hosts and applications to use the right configurations and to turn off insecure settings, but this was actually quite straightforward. The Internet NL site contains lots of useful information, and the test pages are easy enough to understand when they detect an issue with your site.

The last test was the presence of DANE records. Did I have TLSA records for my mail and web servers?


But wait, there are sites that will help you generate TLSA records[2]. So in went the contents of my certificate, out came the TLSA record. I added it to DNS, passed the test and everything is now fine.

No it isn't.

I use Let's Encrypt. Will I need to come back in 3 months or less to update my TLSA records? Yep! This is going to get really annoying.

Automating TLSA Generation

I'm not the first to tackle this problem and I'll include some of the sites I visited in my research at the end of this article. But most of the resources I found presumed a reasonably active participation on the part of the operator. I'm really lazy. Once I've automated this, that's it. I don't want to hear about TLSA ever again.

If you are the active operator type, I have a blog post that shows a quick way of generating TLSA records via Ansible.

Why is it so hard?

TLSA records and the certificates they represent have different timings. TLSA records are subject to DNS TTLs, as well as the often imprecise delay between changing a DNS record and that record actually being published by your DNS host.

Certificates have hard expiration dates, but are renewed well before those dates. Typically, once you renew your certificate you commence using the new certificate immediately.

The challenge with TLSA records is that you need to generate new ones whenever you have a new certificate, but unless you time DNS publishing and application restarts perfectly, there will be a period during which the two won't match. For some, that doesn't matter, but I wanted full coverage.

So the solution is to have both a TLSA record for your current certificate and a TLSA record for your certificate's issuer (Let's Encrypt). That means one TLSA record of the form 3xx and one of the form 2xx. Check out the numbers in TLSA DNS records and what they mean.
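To make the 3xx/2xx pairing concrete, here is an added example (my own code, not the author's Ansible role or any site's generator) that derives "3 1 1" and "2 1 1" records from DER certificates using only the Python standard library, and then checks a presented chain against a record set. The certificates are constructed inline and are structurally valid DER with meaningless keys; the host name `mail.example.com` and port 25 are placeholders. The closing check shows the point of the paragraph above: after the leaf certificate is renewed, the issuer-based record still matches even though the leaf-based one no longer does.

```python
"""Derive TLSA records from X.509 certificates and check them against a chain.

Standard library only: a tiny DER walker pulls the SubjectPublicKeyInfo
(selector 1) out of a certificate so "3 1 1" (usage 3, end-entity) and
"2 1 1" (usage 2, issuer) records can be generated and later verified.
"""
import base64
import hashlib
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour lines and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def der_to_pem(der_bytes: bytes) -> str:
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def der_tlv(buf: bytes, off: int):
    """Read one DER element at buf[off]: return (tag, content, end offset).
    Only definite lengths are handled, which is all X.509 DER uses."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the encoded SubjectPublicKeyInfo element (tag + length + value).
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert, _ = der_tlv(cert_der, 0)
    _, tbs, _ = der_tlv(cert, 0)
    tag, _, end = der_tlv(tbs, 0)
    off = end if tag == 0xA0 else 0        # skip the optional [0] EXPLICIT version
    for _ in range(5):                     # serial, sig alg, issuer, validity, subject
        _, _, off = der_tlv(tbs, off)
    _, _, end = der_tlv(tbs, off)
    return tbs[off:end]


def tlsa_data(cert_der: bytes, selector: int, mtype: int) -> str:
    """Association data (RFC 6698): selector 0 = full cert, 1 = SPKI;
    matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return data.hex()
    if mtype == 1:
        return sha256_hex(data)
    if mtype == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError(f"unsupported matching type {mtype}")


def tlsa_record(cert_der, usage, selector, mtype) -> str:
    return f"{usage} {selector} {mtype} {tlsa_data(cert_der, selector, mtype)}"


def tlsa_rr(host, port, proto, cert_der, usage, selector, mtype) -> str:
    """Full zone-file line, e.g. _25._tcp.mail.example.com. IN TLSA 3 1 1 <hash>"""
    return f"_{port}._{proto}.{host}. IN TLSA {tlsa_record(cert_der, usage, selector, mtype)}"


def chain_matches(records, chain) -> bool:
    """True if any record matches the presented chain (chain[0] is the leaf).
    Usage 3 is checked against the leaf only; usage 2 against the issuing certs."""
    for rec in records:
        usage, selector, mtype, data = rec.split()
        candidates = chain[:1] if int(usage) == 3 else chain[1:]
        if any(tlsa_data(c, int(selector), int(mtype)) == data.lower() for c in candidates):
            return True
    return False


# ---- constructed sample certificates (structurally valid DER, not real keys) ----

def der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder used only to build the sample certificates."""
    n = len(content)
    hdr = bytes([tag, n]) if n < 0x80 else (bytes([tag, 0x81, n]) if n < 0x100
                                             else bytes([tag, 0x82]) + n.to_bytes(2, "big"))
    return hdr + content


def fake_cert(pubkey: bytes):
    """Return (certificate DER, SPKI DER) using the given bytes as the 'public key'."""
    rsa_alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, b"sample"))))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + pubkey))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
              + name + validity + name + spki)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" + b"\xAA" * 32)), spki


LEAF_DER, LEAF_SPKI = fake_cert(b"\x01" * 64)        # current end-entity certificate
ISSUER_DER, ISSUER_SPKI = fake_cert(b"\x02" * 64)    # its issuer (the "2 1 1" anchor)


def example_records(host="mail.example.com", port=25):
    """The pair of records the text recommends: 3 1 1 for the leaf, 2 1 1 for the issuer."""
    return [tlsa_rr(host, port, "tcp", LEAF_DER, 3, 1, 1),
            tlsa_rr(host, port, "tcp", ISSUER_DER, 2, 1, 1)]


if __name__ == "__main__":
    for rr in example_records():
        print(rr)
```

For a real deployment, feed `pem_to_der(open("cert.pem").read())` and the issuer's PEM into `tlsa_rr`; the DER walker deliberately ignores extensions and signatures because the TLSA data depends only on the SPKI (selector 1) or the whole certificate (selector 0). Hashing the SPKI rather than the full certificate is what makes the "2 1 1" record survive the issuer reissuing its own certificate with the same key.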

I've left some references at the end of this post which discuss the timing issues in great detail[3].

Centralising Certificate Management

OK, so TLSA record management is a little complicated. What do we need?

  1. A way of automatically generating certificate challenges and fetching those certificates.
  2. A way of restarting services once those certificates have been updated.
  3. A way of updating TLSA records.

The basic design pattern most small organisations follow with Let's Encrypt or any ACME certificate is to have the account generation, challenge management and certificate storage all on an edge host. This approach is far better than no security, but for me it makes sense to centralise ACME certificate management. That linked article covers requirements 1 and 2 from above.

The Automation Part

To make TLSA management truly hands-off, I have an Ansible TLSA role which searches hosts for their active certificates and generates the required TLSA records for all the services that will use those certificates. Since this role generates both 2xx and 3xx TLSA records, my DNS update timing doesn't have to be perfectly matched to my certificate management tools.

If both certificates are renewed at the same time, or if I change certificate providers, I will need to get hands-on again. But that's unlikely for now.

TLSA Advice and Tools

During testing, I left my playbooks in a broken state, got distracted and failed to update my TLSA record. This is actually a good thing, since I got a very helpful automated message from Victor Dukhovni containing the links below. If you want detailed information on best practices for TLSA records, these are a great place to start: