Question
How to create TLSA DNS record in Plesk and adjust DANE?
Answer
- Create example.com domain in Plesk.
- Issue a Let's Encrypt certificate for this domain.
- Log into the server via SSH.
- Install hash-slinger package with the command:
# yum install hash-slinger
- Find name of the certificate file for example.com domain using a command below:
# plesk db "select cert_file from certificates where name like '%example.com%'"
+-----------+
| cert_file |
+-----------+
| scfygh0Pw |
+-----------+ - Switch to the /usr/local/psa/var/certificates/ directory:
# cd /usr/local/psa/var/certificates/
- Using the name of the certificate file from the step №5 and the next command, generate TLSA record for mail.example.com on port 25:
# tlsa --create --selector 1 -p25 --certificate scfygh0Pw mail.example.com
The output was the following:
_25._tcp.mail.example.com. IN TLSA 3 1 1 f8bda51d176a1d315eeec8a53c52febedf43319bf7c7ebbccafa9e14d9616541
- Go to Plesk > Domains > example.com > Hosting & DNS > DNS.
- Press the Add Record and using the values from the step №7, created a TLSA record for mail.example.com:
- After install Plesk DNSSEC extension by pressing Get It Free button in Plesk > Extensions > Extensions Catalog > Categories > DNS.
- Enable DNSSEC for example.com domain by pressing the Sign the DNS Zone button in Domains > example.com > Hosting & DNS > DNSSEC.
Note: Algorithm was chosen as RSASHA256
To verify the results, open https://www.mailhardener.com/tools/dane-validator, specified mail.example.com an press the Inspect button
As the result it shows the configured TLSA DNS record and reported that DANE is properly configured for mail.example.com: