5

I'd like to set up DANE for the domain which handles my email. My domain is registered at OVH, and I'm using their anycast DNS servers. They do support DNSSEC, but not TLSA records.

Is there a fallback record type I can use? (like I can use TXT if the server doesn't support SPF etc)

GDR
  • 329
  • 4
  • 14
  • It's not the DNS server which does not support DANE/TLSA (all of them do, at worst as unknown data types), it is the Web interface of the DNS hoster, I presume? – bortzmeyer Jun 19 '14 at 14:13
  • No, not really, they even allow editing raw zone files but adding TLSA records results in a bind error displayed in the web interface. – GDR Aug 12 '14 at 10:37
  • I recall there being some way, come to think of it, to add RRs by RRtype number but I don't recall how, or if it will work in this case. – Falcon Momot Aug 22 '14 at 18:51

2 Answers

6

I've been able to do it on OVH by generating a "generic" record (with TYPE52 instead of TLSA). This can easily be done using hash-slinger:

$ tlsa --usage 1 --selector 1 --mtype 1 --output generic --certificate /path/to/certificate.pem example.com
_443._tcp.example.com. IN TYPE52 \# 35 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef012345

Adding this record in the OVH manager works just fine.

Schnouki
  • 176
  • 1
  • 4
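The generic TYPE52 line above is just the TLSA RDATA from RFC 6698 (one byte each of usage, selector and matching type, then the certificate association data) written in the RFC 3597 "\# <length> <hex>" presentation. The following Python is an added example, not Schnouki's code nor part of hash-slinger: it builds that RDATA from DER bytes, renders the generic line, parses one back, and checks that a published record still matches the certificate it is meant to pin (a useful check after a certificate renewal). The DER byte strings are constructed stand-ins; for a real certificate you would feed it the DER of the certificate (selector 0) or of its SubjectPublicKeyInfo (selector 1, e.g. from `openssl x509 -in cert.pem -pubkey -noout`).

```python
import hashlib
import re

# TLSA RDATA on the wire (RFC 6698, section 2.1):
#   1 byte usage, 1 byte selector, 1 byte matching type,
#   then the certificate association data (full DER or a digest).
TLSA_RRTYPE = 52

# Constructed stand-ins for DER bytes (assumption: not a real certificate).
# A real deployment reads the certificate or its SubjectPublicKeyInfo from the PEM.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_SPKI_DER = b"\x30\x59\x30\x13\x06\x07\x2a\x86\x48\xce\x3d\x02\x01" + bytes(range(70))


def tlsa_rdata(usage, selector, mtype, cert_der, spki_der):
    """Return TLSA wire-format RDATA for the given parameters."""
    for name, value in (("usage", usage), ("selector", selector), ("mtype", mtype)):
        if not 0 <= value <= 255:
            raise ValueError(f"{name} must fit in one byte")
    if selector not in (0, 1):
        raise ValueError("selector must be 0 (full certificate) or 1 (SubjectPublicKeyInfo)")
    data = spki_der if selector == 1 else cert_der
    if mtype == 0:          # exact match: publish the DER itself
        assoc = data
    elif mtype == 1:        # SHA-256 digest (what "--mtype 1" in the answer selects)
        assoc = hashlib.sha256(data).digest()
    elif mtype == 2:        # SHA-512 digest
        assoc = hashlib.sha512(data).digest()
    else:
        raise ValueError("matching type must be 0, 1 or 2")
    return bytes((usage, selector, mtype)) + assoc


def generic_record(owner, rdata, rrtype=TLSA_RRTYPE):
    """Render RDATA as an RFC 3597 generic record: OWNER IN TYPEnn \\# LENGTH HEX."""
    return f"{owner} IN TYPE{rrtype} \\# {len(rdata)} {rdata.hex()}"


_GENERIC_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?TYPE(?P<rrtype>\d+)\s+\\#\s+"
    r"(?P<rdlength>\d+)\s*(?P<hex>[0-9a-fA-F\s]*)$"
)


def parse_generic_tlsa(line):
    """Parse a generic TYPE52 line back into TLSA fields, verifying the length prefix."""
    m = _GENERIC_RE.match(line.strip())
    if not m:
        raise ValueError("not an RFC 3597 generic record")
    if int(m["rrtype"]) != TLSA_RRTYPE:
        raise ValueError(f"expected TYPE{TLSA_RRTYPE}, got TYPE{m['rrtype']}")
    rdata = bytes.fromhex("".join(m["hex"].split()))
    if len(rdata) != int(m["rdlength"]):
        raise ValueError(f"RDLENGTH {m['rdlength']} does not match {len(rdata)} data bytes")
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA needs at least the three header bytes")
    return {
        "owner": m["owner"],
        "usage": rdata[0],
        "selector": rdata[1],
        "mtype": rdata[2],
        "assoc": rdata[3:],
    }


def record_matches(line, cert_der, spki_der):
    """True if a published generic record matches the certificate it should pin."""
    fields = parse_generic_tlsa(line)
    expected = tlsa_rdata(fields["usage"], fields["selector"], fields["mtype"], cert_der, spki_der)
    return expected[3:] == fields["assoc"]


if __name__ == "__main__":
    rdata = tlsa_rdata(1, 1, 1, SAMPLE_CERT_DER, SAMPLE_SPKI_DER)
    line = generic_record("_443._tcp.example.com.", rdata)
    print(line)
    print(parse_generic_tlsa(line))
    print("record matches certificate:", record_matches(line, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
```

With usage 1, selector 1 and matching type 1 the RDATA is always 3 + 32 = 35 bytes, which is why the answer's line carries `\# 35`; a SHA-512 record would be `\# 67`, and a matching type 0 record is as long as the DER plus three. The length check in `parse_generic_tlsa` is the same one a zone parser applies, so a record that fails it here would be rejected by the name server too.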
3

No.

The use of TXT for this in the case of SPF was done to allow for broader implementation, but it is not a general scheme, and there are disadvantages to that approach which preclude its standardization (mostly increased application complexity but there are other reasons).

If you need support for unusual RRtypes (which at the moment TLSA is), the best thing to do is to host your own authoritative nameservers.

Falcon Momot
  • 25,244
  • 15
  • 63
  • 92