Another vote for adding TLSA records. This is currently the only thing missing for me @Cloudflare. This and my registrar’s inability to add a DS for dnssec for one of my domains, but that is something you guys cannot help with
@jacco_vangent @Niklas @cscharff You can use a CNAME record to use any record type that Cloudflare doesn’t support. That’s because a CNAME will forward all record types, including A, AAAA, TLSA, MX, etc.
_443._tcp.example.com IN CNAME tlsa.example.net
For zone example.net (Let’s Encrypt TLSA in this example):
tlsa.example.net IN TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
Also, you can use “sub.example.com” instead of example.net with another DNS provider, but it is not recommended because Cloudflare doesn’t support DS records for NS, and DNSSEC will not work for sub.example.com.
For DNS service that supports TLSA, I recommend Google Cloud DNS since it’s very cheap.
Hey, that would be like taking one step forward and two back, native support is always preferred.
Yeah, that does not sound like a really great idea. First I would have to purchase another domain, just for the absence of one record type. And the added administration.
Lack of support for the TLSA RR type is very frustrating since there is no way to fix this beyond what @ze3kr suggests in his response above. This is doubly bad, since DANE is the only scalable way to increase security of SMTP traffic today, regardless of what the major browser vendors decide to do. And, since Cloudflare already has the best offering for cloud-based DNS, having to CNAME away from them to another vendor is nutty.
Could Cloudflare implement RFC3597 as a generic workaround for this? This would allow the use of future RR types without any additional work on Cloudflare’s part. Supporting RFC3597 would be a permanent fix for those of us who want to adopt and test the bleeding edge.
@cscharff, is there a way to increase the importance/likelihood of getting either solution implemented? Thanks!
that would be truly awesome.
DNSSEC protects against DNS spoofing. TLS certificates should protect against identity spoofing in TLS connections. In reality this is subverted by hacked CAs or CAs issuing TLS certificates wrongfully. CAA RRs do not solve that problem as CAs (or hacked CAs) can ignore them. If a CAA-authorized CA issues certificates wrongfully CAA-RRs don’t help either.
TLSA resource records publish a hash value of the currently used TLS certificate in a DNSSEC protected zone. That way a client can check if the certificate presented by a TLS server is valid.
To avoid bloating DNS zones I suggest using CNAMEs with SNI certificates, e.g.
_443._tcp.CommonName. 3600 IN TLSA 1 1 1 23ECDA1BAFF3350ADE5752800A79DAC0D91A121FCE40ED0D997B123D
_443._tcp.AlternateSubjectA. 3600 IN CNAME _443._tcp.CommonName.
_443._tcp.AlternateSubjectB. 3600 IN CNAME _443._tcp.CommonName.
_443._tcp.AlternateSubjectN. 3600 IN CNAME _443._tcp.CommonName.
I disagree with this issue being marked as solved!
Wasn’t me who marked it.
I checked the DNS records that can be created and they have just added the TLSA record.
Yup, I just tested it, it works fine.
Thank you @Cloudflare for implementing this feature along with other record types.
Great news! However, for resources going through the CDN, there should be a TLSA record generated automatically, as the certificate is not under my control.
I agree: since CF manages certificates they should also manage DANE/TLSA for said records.
Am I understanding this correctly:
If Cloudflare manages the SSL certificates (and if we want to keep it that way) it would be impractical or unwieldy to effectively implement DANE because we would have to update the TLSA record every time the SSL certificate changes?
YAY AUTO TLSA for Cloudflared traffic
Well, only if they change the KEY. If they make it so the key isn’t rotated THAT often, the TLSA isn’t too bad.
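Both TLSA layouts posted earlier in this thread (the `2 1 1` Let’s Encrypt record and the `1 1 1` CNAME layout) and the question just raised, how often the record has to change when Cloudflare renews the certificate, come down to what the certificate association data is computed from. The following Python is an added example, not code from this thread or from Cloudflare; it uses only the standard library and constructed toy certificates (the `example.com` name, key bytes and serial numbers are assumptions). It generates TLSA rdata for any selector/matching-type combination and checks a presented certificate against a published record, which also shows why selector 1 (SPKI) keeps the record valid across a renewal that reuses the key while selector 0 (full certificate) does not.

```python
"""DANE/TLSA record data: generate it from a certificate and verify a
presented certificate against it (RFC 6698 field meanings):
  usage    2 = DANE-TA (trust anchor), 3 = DANE-EE (end entity)
  selector 0 = full certificate, 1 = SubjectPublicKeyInfo (SPKI)
  matching 0 = raw data, 1 = SHA-256, 2 = SHA-512
Standard library only. The certificates are constructed toy DER structures
(no real signature), which is all the TLSA derivation needs."""
import hashlib


# ---- minimal DER helpers (assumption: definite-length encoding only) ----
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + der_len(len(payload)) + payload


def der_read(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate and return the encoded
    SubjectPublicKeyInfo, i.e. the bytes that selector 1 hashes."""
    _, cert, _ = der_read(cert_der, 0)        # Certificate SEQUENCE
    _, tbs, _ = der_read(cert, 0)             # tbsCertificate SEQUENCE
    pos = 0
    tag, _, nxt = der_read(tbs, pos)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                        # serial, sigAlg, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    start = pos
    tag, _, end = der_read(tbs, pos)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return tbs[start:end]


def tlsa_rdata(cert_der: bytes, usage: int, selector: int, matching: int) -> str:
    """Presentation-format RDATA, e.g. '3 1 1 <sha256 hex>'."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching == 0:
        assoc = data
    elif matching == 1:
        assoc = hashlib.sha256(data).digest()
    elif matching == 2:
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {matching} {assoc.hex()}"


def tlsa_matches(rdata: str, presented_cert_der: bytes) -> bool:
    """Client side: recompute the association data for the certificate the
    server presented and compare it with the published record."""
    usage, selector, matching, assoc = rdata.split()
    recomputed = tlsa_rdata(presented_cert_der, int(usage), int(selector), int(matching))
    return recomputed.split()[3].lower() == assoc.lower()


# ---- constructed sample certificates (toy X.509 shape, not signed) ----
def toy_certificate(serial: int, pubkey: bytes) -> bytes:
    rsa_oid = der(0x06, bytes.fromhex("2A864886F70D010101"))     # 1.2.840.113549.1.1.1
    alg = der(0x30, rsa_oid + der(0x05, b""))                   # AlgorithmIdentifier
    empty_name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00" + pubkey))          # BIT STRING, 0 unused bits
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                # version v3
                    + der(0x02, serial.to_bytes(2, "big"))
                    + alg + empty_name + validity + empty_name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))        # placeholder signature


KEY_A = bytes(range(1, 33))                        # constructed stand-in for a public key
CERT_ORIGINAL = toy_certificate(0x1001, KEY_A)
CERT_RENEWED = toy_certificate(0x1002, KEY_A)      # reissued, same key pair
CERT_NEW_KEY = toy_certificate(0x1003, bytes(32))  # reissued with a new key

if __name__ == "__main__":
    rec = tlsa_rdata(CERT_ORIGINAL, 3, 1, 1)
    print("_443._tcp.example.com. IN TLSA", rec)
    print("renewed cert, same key, matches:", tlsa_matches(rec, CERT_RENEWED))   # True
    print("renewed cert, new key, matches: ", tlsa_matches(rec, CERT_NEW_KEY))   # False
    print("selector 0 survives renewal:    ",
          tlsa_matches(tlsa_rdata(CERT_ORIGINAL, 3, 0, 1), CERT_RENEWED))      # False
```

For a real deployment you would feed `tlsa_rdata` the DER bytes of the certificate the server actually serves (or, for usage 2 as in the Let’s Encrypt record above, the DER of the issuing CA certificate, since DANE-TA matches against the trust anchor rather than the end-entity certificate). The renewal checks at the bottom are the practical point for a CDN-managed certificate: a `3 1 1` record only needs updating when the key pair changes, so how often the provider rotates keys, not how often it reissues certificates, decides how painful TLSA maintenance is.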
The DNSSEC KSK-rollover worked like a charm!
I vote for automatic TLSA-RR creation for Cloudflare certificates, too!
Totally, any service that does auto-certs should do this. PKIX-EE entries would obviously be awesome.
Any new information out there about TLSA/DANE?
Already having fully implemented DNSSEC with CloudFlare (TLD, registrar, domain).
I have tried to add the TLSA record to my existing domain, but when checking from different tools, it’s not even recognized as added, or I am doing something wrong.
I have used the generator and tutorial here:
Moreover, tested with: