{"id":13337973,"url":"https://github.com/nerdlem/tlsa","last_synced_at":"2026-02-21T15:22:56.874Z","repository":{"id":57552905,"uuid":"101535305","full_name":"nerdlem/tlsa","owner":"nerdlem","description":"Libraries and utilities to work with TLSA DNS RRs","archived":false,"fork":false,"pushed_at":"2020-06-30T19:13:08.000Z","size":27,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-11T08:37:41.876Z","etag":null,"topics":["certificate-pinning","certificates","dnssec","ssl","tls","tlsa","x509"],"latest_commit_sha":null,"homepage":"https://lem.click","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nerdlem.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-08-27T06:54:54.000Z","updated_at":"2020-06-30T19:13:10.000Z","dependencies_parsed_at":"2022-09-26T18:50:55.102Z","dependency_job_id":null,"html_url":"https://github.com/nerdlem/tlsa","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/nerdlem/tlsa","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nerdlem%2Ftlsa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nerdlem%2Ftlsa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nerdlem%2Ftlsa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nerdlem%2Ftlsa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nerdlem","download_url":"https://codeload.github.com/nerdlem/tlsa/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nerdlem%2Ftlsa/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29684420,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-21T14:31:22.911Z","status":"ssl_error","status_checked_at":"2026-02-21T14:31:22.570Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate-pinning","certificates","dnssec","ssl","tls","tlsa","x509"],"created_at":"2024-07-29T19:15:16.613Z","updated_at":"2026-02-21T15:22:56.859Z","avatar_url":"https://github.com/nerdlem.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![GoDoc](https://godoc.org/github.com/nerdlem/tlsa?status.svg)](https://godoc.org/github.com/nerdlem/tlsa)\n[![Go Report Card](https://goreportcard.com/badge/github.com/nerdlem/tlsa)](https://goreportcard.com/report/github.com/nerdlem/tlsa)\n[![Build Status](https://travis-ci.org/nerdlem/tlsa.svg?branch=master)](https://travis-ci.org/nerdlem/tlsa)\n\n# tlsa\n\nLibraries and utilities to work with TLSA DNS RRs\n\nThis is a Go package that abstracts a few useful methods to manage DNS TLSA record sets via TSIG-authenticated Dynamic Updates.\n\n```go\nimport \"github.com/nerdlem/tlsa\"\n   ⋮\n// Read a set of TSIG keys (file with well-formed KEY DNS records)\nm, err := tlsa.ReadTSIG(tsigKeyFile)\nif err != nil {\n\tpanic(fmt.Sprintf(\"Error processing TSIG key file: %s\", err))\n}\n   ⋮\n// Calculate the TLSA certificate signatures for a set of existing certificates\n// or public key files\npinCerts := []string{\"cert1.pem\", \"cert2.pem\", \"pubkey1.pem\"}\ncrtSigns, err := tlsa.CertificateSignatures(pinCerts)\nif err != nil {\n\tpanic(err)\n}\n   ⋮\n// DNS names whose TLSA records will be managed\npinNames := []string{\"domain1.example.com\", \"domain2.example.com\"}\n   ⋮\n// Delete all TLSA records associated with names in the pinNames slice\ntlsa.DeleteRRs(pinNames, m)\n   ⋮\n// Use a set of TSIG records m to pin certificates with signatures in crtSigns\n// on all domains in pinNames\ntlsa.AddRR(pinNames, m, crtSigns)\n   ⋮\n```\n\n# Installation\n\nTo get the package and install the accompanying programs, simply follow these steps.\n\n```\ngo get github.com/nerdlem/tlsa\ngo install github.com/nerdlem/tlsa/tlsafromcert\n```\n\n# Using tlsafromcert to manage TLSA records\n\nIn order for `tlsafromcert` to work, you'll need your DNS zone to be configured to allow dynamic updates with `TSIG` authentication. On BIND you can add these commands to your zone definition:\n\n```bind\n   ⋮\n// This is the TSIG key. This can also be found in a separate file. See dnssec-keygen(1) for\n// information on generating this key file.\nkey \"lemdotclick-ddns-update\" {\n  algorithm HMAC-SHA512;\n  secret \"secret-key-in-Base-64==\";\n};\n   ⋮\n// The actual declaration of your zone file. The important bits are that this is a master zone\n// and the update-policy allows for dynamic updates.\nzone \"lem.click\" {\n  type master;\n  file \"path-to-your-zone-file\";\n  update-policy { grant lemdotclick-ddns-update zonesub ANY; };\n   ⋮\n};\n```\n\n`dnssec-keygen` also produces a key file. As in the case of the example above, the file would be `Klemdotclick-ddns-update.+165+\u003cnnnn\u003e.key` and it should contain a single `KEY` record. You'll need this file to complete `TSIG` authentication.\n\n## Invoking tlsafromcert\n\n`tlsafromcert` needs access to your X.509 certificates or public keys, and the `TSIG` key file to authenticate the request. You'll also need to know the IP address where your authoritative name server is listening and, of course, the DNS names of the services you intend to protect with `TLSA`.\n\nTo obtain the server certificate you can use a command such as this:\n\n```\nopenssl s_client -showcerts -servername lem.click -connect lem.click:443 \u003c/dev/null 2\u003e/dev/null \\\n    | openssl x509 -outform pem \u003e lem-click.pem\n```\n\nAlternatively, you can capture the public key as follows:\n\n```\nopenssl s_client -showcerts -servername lem.click -connect lem.click:443 \u003c/dev/null 2\u003e/dev/null \\\n    | openssl x509 -pubkey -noout -outform pem \u003e lem-click-key.pem\n```\n\nYou can of course simply copy the right file from your server, although pulling the certificate from the actual web server or other service can be extremely helpful. You can easily check which DNS names are protected by this certificate as follows:\n\n```\nopenssl x509 -in lem-click.pem -noout -text | grep DNS:\n                DNS:blog.lem.click, DNS:lem.click\n```\n\nThe following shows an example of `tlsafromcert` adding all the `TLSA` records for some names protected by the certificate:\n\n```\n$ tlsafromcert -ns ns1.lem.click:53 -names blog.lem.click,lem.click -pin-certs lem-click.pem -tsig-file my-tsig.key\n$ dig +short tlsa lem.click @ns1.libertad.link\n3 1 2 08AB3⋯C296C0D\n```\n\nIn this case, a single certificate file was provided via the `-pin-certs` command line flag. Multiple certificates can be provided by separating the file names with a comma, in which case multiple `TLSA` records would have been added to the DNS zone.\n\n## Clear all TLSA records\n\nThe `--clear-all` command line option instructs `tlsafromcert` to remove all `TLSA` records associated with a domain name. By skipping the `-pin-certs` option, no `TLSA` records are added, as in the following example:\n\n```\n$ tlsafromcert -ns ns1.lem.click:53 -names blog.lem.click,lem.click -tsig-file my-tsig.key -clear-all\n$ dig +short tlsa lem.click @ns1.libertad.link\n$\n```\n\n# References\n\n* TLSA Records [RFC-6698](https://tools.ietf.org/html/rfc6698)\n* Dynamic Updates [RFC-2136](https://tools.ietf.org/html/rfc2136)\n* TSIG Authentication [RFC-2845](https://www.ietf.org/rfc/rfc2845)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnerdlem%2Ftlsa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnerdlem%2Ftlsa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnerdlem%2Ftlsa/lists"}