TLSA

Question asked by Dan Mahoney on Jun 11, 2015
Latest reply on Aug 20, 2015 by Curtis Blackburn

Hey all,

Would it make sense to have the SSL checker start checking for DANE/TLSA DNS records? (RFC 6698/7218)

Basically, these let you put records in DNS that have the hash of your private key, which you can use instead of/in addition to the standard root certificates in-browser.

We publish these pretty heavily at the day job, and Postfix also checks them in recent versions. There are third-party plugins for some browsers as well, and it's on the roadmap for Mozilla, I believe.

Does anyone else use these?
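
An added example, not part of the original post or of any SSL checker's code: the data comparison a checker would perform for a TLSA record under RFC 6698, plus generation of the record to publish. The function names are hypothetical and the sample byte strings are constructed placeholders rather than real DER; certificate-usage semantics (chain position, PKIX validation) and DNSSEC validation are out of scope.

```python
import hashlib
import hmac

# TLSA parameter registries from RFC 6698, acronyms from RFC 7218.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING = {0: None, 1: hashlib.sha256, 2: hashlib.sha512}  # 0 = exact match

# Constructed placeholders, NOT real DER encodings.
SAMPLE_CERT_DER = b"constructed-certificate-der"
SAMPLE_SPKI_DER = b"constructed-subject-public-key-info-der"


def association_data(selector, mtype, cert_der, spki_der):
    """Select full cert or SPKI, then apply the matching type."""
    if selector not in SELECTORS or mtype not in MATCHING:
        raise ValueError("unsupported selector or matching type")
    selected = cert_der if selector == 0 else spki_der
    hasher = MATCHING[mtype]
    return selected if hasher is None else hasher(selected).digest()


def make_tlsa(usage, selector, mtype, cert_der, spki_der):
    """Build presentation-format RDATA to publish for a certificate."""
    if usage not in USAGES:
        raise ValueError("unsupported certificate usage")
    data = association_data(selector, mtype, cert_der, spki_der)
    return f"{usage} {selector} {mtype} {data.hex()}"


def parse_tlsa(rdata):
    """Parse 'usage selector mtype hex...' (hex may be split in chunks)."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("expected usage, selector, matching type, data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in USAGES:
        raise ValueError("unsupported certificate usage")
    return usage, selector, mtype, bytes.fromhex("".join(parts[3:]))


def tlsa_matches(rdata, cert_der, spki_der):
    """True if the presented certificate matches the record's data."""
    _usage, selector, mtype, expected = parse_tlsa(rdata)
    actual = association_data(selector, mtype, cert_der, spki_der)
    return hmac.compare_digest(actual, expected)
```
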
