Skip to content

Instantly share code, notes, and snippets.

buffrr /
Last active Aug 4, 2021
Generate an x509 certificate and a TLSA record with openssl

Creating a self-signed certificate for (if you already have a certificate you can skip this step):

openssl req -x509 -newkey rsa:4096 -sha256 -days 365 -nodes \
  -keyout cert.key -out cert.crt -extensions ext  -config \
  <(echo "[req]"; 
    echo distinguished_name=req; 
    echo "[ext]";
    echo "keyUsage=critical,digitalSignature,keyEncipherment";
buffrr /
Last active Mar 18, 2021
Experimental HSD root server + external dnssec resolver

This is a proof of concept branch for fixing NSEC proofs in HSD.

Here is some example configurations for running a standalone HSD root server with an external dnssec recursive resolver! You can let bind or external unbound resolver do most of the work for resolving and validating dnssec. HSD will only be responsible for serving the root zone.

Install hsd using the blacklies branch:

git clone
cd hsd && git checkout blacklies

Keybase proof

I hereby claim:

  • I am buffrr on github.
  • I am buffrr ( on keybase.
  • I have a public key ASD5-DnOfECmyq8VITgfgYxbQNcsqqUG9mgrJCEdkx0YSwo

To claim this, I am signing this object: