@buffrr
buffrr / x509-dane.md
Last active Aug 4, 2021
Generate an x509 certificate and a TLSA record with openssl

Creating a self-signed certificate for example.com (if you already have a certificate you can skip this step):

openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
  -keyout cert.key -out cert.crt -extensions ext  -config \
  <(echo "[req]"; 
    echo distinguished_name=req; 
    echo "[ext]";
    echo "keyUsage=critical,digitalSignature,keyEncipherment";
@buffrr
buffrr / hsd-blacklies.md
Last active Mar 18, 2021
Experimental HSD root server + external dnssec resolver

This is a proof of concept branch for fixing NSEC proofs in HSD.

Here are some example configurations for running a standalone HSD root server with an external DNSSEC recursive resolver! You can let BIND or an external Unbound resolver do most of the work of resolving and validating DNSSEC. HSD will only be responsible for serving the root zone.

Install hsd using the blacklies branch:

git clone https://github.com/buffrr/hsd
cd hsd && git checkout blacklies
View keybase.md

Keybase proof

I hereby claim:

  • I am buffrr on github.
  • I am buffrr (https://keybase.io/buffrr) on keybase.
  • I have a public key ASD5-DnOfECmyq8VITgfgYxbQNcsqqUG9mgrJCEdkx0YSwo

To claim this, I am signing this object: