Adding TLSA records can look "costly" because of the complexity involved, but the financial cost is usually negligible. The real expense is the time and care needed to manage them correctly: every certificate or key rollover has to be reflected in the TLSA record before the new certificate goes live, otherwise DANE-aware clients will refuse the connection.
Before adding TLSA records, DNSSEC must be enabled and working for the domain. A TLSA record can only be trusted when it is validated through DNSSEC; DANE-aware clients (for example mail servers doing DANE for SMTP) ignore TLSA records that are not DNSSEC-signed.
First you may want to find out what you are dealing with: is it named (BIND) or pdns (PowerDNS)? To locate named inside your Linux installation, for example, you can use the whereis command or command -v in your terminal to confirm where the named binary is installed. whereis searches the predefined binary, source and man directories for the program, while command -v prints the full path of the executable that would be run. For example:
whereis named
command -v named
Using a terminal, find your zone files.
In a standard Linux installation of BIND, the DNS zone files are typically located in the /var/named directory. The zone file for a domain like "example.com" might, for example, be stored in a file named master-example.com or example.com.db within this directory; the exact file name is whatever the zone statement in named.conf points at.
1. If the zone lives in a zone file (BIND, or PowerDNS with the bind backend), open the zone file you are interested in by hand, for example in nano, and add the TLSA record there (then bump the serial and reload/re-sign the zone):
cd /var/named
ls
nano example.com.db
2. If PowerDNS keeps the zone in a database backend, you can use the pdnsutil command instead (the record name is relative to the zone; "somehash" stands for the hex SHA-256 of the certificate). Usage 3 / selector 0 / matching type 1 pins the full certificate; the more common choice is "3 1 1", which pins the public key (SPKI) and therefore survives certificate renewals that keep the same key:
pdnsutil add-record example.com _25._tcp TLSA 3600 "3 0 1 somehash"
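The hash in the record above is not something you type by hand; it is computed from the server certificate. The following is an added example, not code from the original post or from PowerDNS/BIND. It uses only the Python standard library: a minimal DER walker pulls the SubjectPublicKeyInfo out of an X.509 certificate so it can build both "3 1 1" (DANE-EE, SPKI, SHA-256) and "3 0 1" (DANE-EE, full certificate, SHA-256) records, and prints the zone-file line and the matching pdnsutil command. The host name mail.example.com and the certificate bytes are constructed here for illustration (the sample certificate is structurally valid DER with a dummy key and signature; it will not verify anywhere).

```python
"""DANE TLSA helper: build TLSA rdata from a DER certificate (stdlib only).

Added example, not from the original post. Names and certificate bytes
are constructed for illustration.
"""
import hashlib


# --- tiny DER helpers (the encoder is only used to build the sample cert) ---

def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Wrap content in a DER TLV with the given tag byte."""
    return bytes([tag]) + der_len(len(content)) + content


def der_seq(*items):
    return der(0x30, b"".join(items))


def read_tlv(buf, pos):
    """Parse one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def seq_children(tlv):
    """Split a SEQUENCE TLV into its (tag, raw child TLV) elements."""
    tag, value, _ = read_tlv(tlv, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE, got tag 0x%02x" % tag)
    out, pos = [], 0
    while pos < len(value):
        start = pos
        ctag, _, pos = read_tlv(value, pos)
        out.append((ctag, value[start:pos]))
    return out


def extract_spki(cert_der):
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tbs = seq_children(cert_der)[0][1]
    fields = seq_children(tbs)
    idx = 6 if fields[0][0] == 0xA0 else 5   # skip the explicit [0] version if present
    tag, spki = fields[idx]
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not at the expected position")
    return spki


# --- TLSA rdata per RFC 6698: usage, selector, matching type, data ---

_DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}


def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """Return the TLSA rdata string "usage selector mtype hex-data"."""
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("invalid TLSA parameters")
    data = cert_der if selector == 0 else extract_spki(cert_der)   # 0 = full cert, 1 = SPKI
    assoc = data.hex() if mtype == 0 else _DIGESTS[mtype](data).hexdigest()
    return "%d %d %d %s" % (usage, selector, mtype, assoc)


def tlsa_zone_line(owner, cert_der, ttl=3600, **kw):
    """Zone-file line for a BIND-style zone file (owner must be the MX host)."""
    return "%s %d IN TLSA %s" % (owner, ttl, tlsa_rdata(cert_der, **kw))


def pdnsutil_command(zone, name, cert_der, ttl=3600, **kw):
    """pdnsutil add-record invocation; name is relative to the zone."""
    return 'pdnsutil add-record %s %s TLSA %d "%s"' % (zone, name, ttl, tlsa_rdata(cert_der, **kw))


def build_sample_cert(with_version=True):
    """Constructed stand-in certificate: valid DER layout, dummy RSA key, zero signature."""
    sha256_rsa = der_seq(der(0x06, bytes.fromhex("2A864886F70D01010B")), der(0x05, b""))
    rsa_enc = der_seq(der(0x06, bytes.fromhex("2A864886F70D010101")), der(0x05, b""))
    pubkey = der_seq(der(0x02, b"\x00" + b"\xC3" * 32), der(0x02, b"\x01\x00\x01"))
    spki = der_seq(rsa_enc, der(0x03, b"\x00" + pubkey))            # BIT STRING, 0 unused bits
    cn = der_seq(der(0x31, der_seq(der(0x06, bytes.fromhex("550403")), der(0x0C, b"mail.example.com"))))
    validity = der_seq(der(0x17, b"240101000000Z"), der(0x17, b"250101000000Z"))
    fields = [der(0x02, b"\x01"), sha256_rsa, cn, validity, cn, spki]
    if with_version:
        fields.insert(0, der(0xA0, der(0x02, b"\x02")))              # [0] EXPLICIT version v3
    return der_seq(der_seq(*fields), sha256_rsa, der(0x03, b"\x00" + b"\x00" * 32))


if __name__ == "__main__":
    cert = build_sample_cert()
    print(tlsa_zone_line("_25._tcp.mail.example.com.", cert))              # 3 1 1 (SPKI)
    print(tlsa_zone_line("_25._tcp.mail.example.com.", cert, selector=0))  # 3 0 1 (full cert)
    print(pdnsutil_command("example.com", "_25._tcp.mail", cert))
```

On a real server, feed the function the DER of the live certificate (openssl x509 -in cert.pem -outform DER) and the "3 1 1" digest will match the usual openssl pipeline "openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256". Two things to check after publishing: the owner name must be _25._tcp. followed by the MX host name (the name the sending MTA connects to), not just the mail domain, and a query such as "dig +dnssec TLSA _25._tcp.mail.example.com" from a validating resolver must come back with the ad flag set; on a PowerDNS database backend, also run "pdnsutil rectify-zone example.com" after adding records unless the zone is auto-rectified, or the NSEC/NSEC3 chain will be out of date.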
You are most welcome to check out our forum's score at Huque to see how this should be set up correctly.
We use danpol.co.uk as our email provider, with TLSA enabled.
One thing to remember when choosing between pdns and named:
PowerDNS stores its DNSSEC keys in the database backend and signs answers on the fly, so every node of a database-backed cluster serves signed data without any extra key distribution. BIND also supports DNSSEC (inline signing / dnssec-policy), but the keys and the signing live on the primary and the secondaries receive the already-signed zone by zone transfer, so key management in a clustered setup stays with the primary.