GNU social JP
Conversation

Notices

  1. Evan Prodromou (evan@cosocial.ca)'s status on Sunday, 26-Jan-2025 02:16:22 JST

    Why isn't the SSL cert for a server a special kind of DNS record?

    In conversation about 4 months ago from cosocial.ca permalink
    • :debian: 𝚜𝚎𝚕𝚎𝚊 :opensuse: (selea@social.linux.pizza)'s status on Sunday, 26-Jan-2025 02:17:38 JST

      @evan

      Rather, why is TLSA records adapted?

      In conversation about 4 months ago permalink
    • Evan Prodromou (evan@cosocial.ca)'s status on Sunday, 26-Jan-2025 02:35:39 JST
      in reply to
      • :debian: 𝚜𝚎𝚕𝚎𝚊 :opensuse:

      @selea I don't understand this sentence.

      In conversation about 4 months ago permalink
    • Evan Prodromou (evan@cosocial.ca)'s status on Sunday, 26-Jan-2025 02:38:10 JST
      in reply to
      • Steve Dinn 🇨🇦
      • Let's Encrypt

      @steve @letsencrypt

      https://letsencrypt.org/docs/challenge-types/#dns-01-challenge

      In conversation about 4 months ago permalink

      Attachments

      1. Challenge Types
        When you get a certificate from Let’s Encrypt, our servers validate that you control the domain names in that certificate using “challenges,” as defined by the ACME standard. Most of the time, this validation is handled automatically by your ACME client, but if you need to make some more complex configuration decisions, it’s useful to know more about them. If you’re unsure, go with your client’s defaults or with HTTP-01.
    • Steve Dinn 🇨🇦 (steve@social.dinn.ca)'s status on Sunday, 26-Jan-2025 02:38:11 JST
      in reply to
      • Let's Encrypt

      @evan It would make it a pain in the ass to have it automatically renew when it was nearing its expiration. Wait, not everyone uses @letsencrypt ???

      In conversation about 4 months ago permalink
    • Evan Prodromou (evan@cosocial.ca)'s status on Sunday, 26-Jan-2025 02:38:37 JST
      in reply to
      • Erwan 🚄

      @R1Rail That's interesting! I will see if I can give it a try.

      In conversation about 4 months ago permalink
    • Erwan 🚄 (r1rail@pouet.chapril.org)'s status on Sunday, 26-Jan-2025 02:38:39 JST

      @evan You can achieve this with the TLSA RR (and then you must use DNSSEC to guarantee - up to a certain kind of certainty - that the genuine DNS answer is returned)

      In conversation about 4 months ago permalink
    • :debian: 𝚜𝚎𝚕𝚎𝚊 :opensuse: (selea@social.linux.pizza)'s status on Sunday, 26-Jan-2025 03:30:18 JST

      @evan

      TLSA (DANE) - RFC 6698.

      Storing TLS-cert in DNS is a bad idea and kinda defeats the purpose.
      However, the idea with TLSA-record is that owners of the domain can verify the "visitor" that the certificate is valid - DNSSEC required of course.

      Postfix already has support for it called DANE, and if I remember correctly - about 0.3% of SMTP-servers online actually implemented it (2019 data)

      In conversation about 4 months ago permalink
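
A TLSA record (RFC 6698), as discussed in the posts above, publishes data that a client compares against the certificate the server presents, and it is only trusted when the DNS answer was DNSSEC-validated. The following is an added example, not code from any poster in this thread, that builds and checks such records for the DANE-EE usage (3) only. The byte strings are constructed stand-ins for DER data, and `dnssec_validated` is an assumed input supplied by a validating resolver.

```python
import hashlib
import hmac

# RFC 6698 matching types: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
MATCHERS = {
    0: lambda d: d,
    1: lambda d: hashlib.sha256(d).digest(),
    2: lambda d: hashlib.sha512(d).digest(),
}

def parse_tlsa(rdata):
    """Parse TLSA RDATA in presentation form: 'usage selector mtype hexdata'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA RDATA needs usage, selector, matching type, data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    # Only usage 3 (DANE-EE) is handled; usages 0-2 need chain building or PKIX checks.
    if usage != 3 or selector not in (0, 1) or mtype not in MATCHERS:
        raise ValueError("unsupported TLSA parameters: " + rdata)
    # Zone files may split the hex data across whitespace; rejoin it.
    return usage, selector, mtype, bytes.fromhex("".join(parts[3:]))

def make_tlsa(selector, mtype, cert_der, spki_der):
    """Build the DANE-EE RDATA a domain owner would publish for this certificate."""
    selected = cert_der if selector == 0 else spki_der  # 0 = full cert, 1 = SPKI
    return f"3 {selector} {mtype} {MATCHERS[mtype](selected).hex()}"

def tlsa_matches(rdata, cert_der, spki_der):
    """Check one TLSA record against the certificate the server presented."""
    _usage, selector, mtype, expected = parse_tlsa(rdata)
    selected = cert_der if selector == 0 else spki_der
    return hmac.compare_digest(MATCHERS[mtype](selected), expected)

def verify(rrset, cert_der, spki_der, dnssec_validated):
    """Accept the certificate if any record in a validated RRset matches."""
    if not dnssec_validated:
        return False  # unsigned TLSA data proves nothing about the server
    for rdata in rrset:
        try:
            if tlsa_matches(rdata, cert_der, spki_der):
                return True
        except ValueError:
            continue  # skip records this checker cannot interpret
    return False

if __name__ == "__main__":
    # Constructed stand-ins for DER bytes; a real client takes them from the TLS handshake.
    cert, spki = b"constructed certificate DER", b"constructed SPKI DER"
    record = make_tlsa(1, 1, cert, spki)
    print(record, verify([record], cert, spki, dnssec_validated=True))
```

Publishing two records in the RRset, one for the current key and one for the next, lets a certificate be replaced without a window in which validation fails.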

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.