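#!/bin/sh
# Publish DANE TLSA "3 1 1" records for the mail host in Route53.
#
# Intended to run in a pod that has the cert-manager-issued TLS secret
# mounted at /tls and AWS credentials allowed to change records in the
# hosted zone. The {{ ... }} expressions are Helm template syntax and are
# substituted at chart render time, before this script executes.
#
# Exit status: 0 on success; 1 when the certificate is missing, when the
# hostname or fingerprint fails validation, or when an external command
# fails (set -e). Errors are written to stderr, progress to stdout.
set -eu

ZONE_ID="{{ required "dnssec provider config.hostedZoneId is required" $cfg.hostedZoneId }}"
HOSTNAME="{{ .Values.hostname }}"
CERT_FILE="/tls/tls.crt"

# Print an error to stderr and stop; keeps diagnostics out of stdout.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# A trailing dot in the configured hostname would otherwise produce
# "_25._tcp.example.com.." below, because the record names append their
# own root dot.
HOSTNAME="${HOSTNAME%.}"

# The hostname is interpolated into DNS owner names and into a JSON
# document, so restrict it to DNS label characters before using it.
if ! printf '%s\n' "$HOSTNAME" \
  | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'; then
  die "hostname '${HOSTNAME}' is not a valid DNS name"
fi

echo "=== DANE TLSA Record Setup for ${HOSTNAME} ==="

# ---------------------------------------------------------------
# Step 1: Verify TLS certificate is available
# ---------------------------------------------------------------
if [ ! -f "$CERT_FILE" ]; then
  die "TLS certificate not found at ${CERT_FILE}; cert-manager may not have issued a certificate yet."
fi
echo "Found TLS certificate at ${CERT_FILE}"

# ---------------------------------------------------------------
# Step 2: Compute SPKI SHA-256 fingerprint (DANE-EE 3 1 1)
# ---------------------------------------------------------------
# Extract the Subject Public Key Info, convert to DER, and hash with SHA-256.
# This produces the TLSA "3 1 1" record value:
#   Usage=3 (DANE-EE), Selector=1 (SPKI), Matching-Type=1 (SHA-256)
#
# NOTE: a 3 1 1 record pins the public key, not the certificate. If
# cert-manager rotates the private key on renewal, the published record
# no longer matches the served certificate until this script runs again;
# schedule it alongside renewals (or keep the key stable) to avoid
# DANE-validating senders rejecting mail in the meantime.
#
# POSIX sh has no pipefail, so a failure in an early pipeline stage is
# only visible as an empty or malformed result; both are checked below.
FINGERPRINT=$(openssl x509 -in "$CERT_FILE" -pubkey -noout \
  | openssl pkey -pubin -outform DER \
  | openssl dgst -sha256 -hex \
  | awk '{print $NF}')

if [ -z "$FINGERPRINT" ]; then
  die "Failed to compute SPKI fingerprint from ${CERT_FILE}"
fi
# SHA-256 is exactly 64 hex digits; anything else means the pipeline
# produced garbage, and the value must not be interpolated into JSON.
if ! printf '%s\n' "$FINGERPRINT" | grep -Eq '^[0-9a-fA-F]{64}$'; then
  die "SPKI fingerprint '${FINGERPRINT}' is not a 64-digit hex SHA-256 value"
fi
echo "SPKI SHA-256 fingerprint: ${FINGERPRINT}"

# ---------------------------------------------------------------
# Step 3: UPSERT TLSA records for SMTP (25) and SMTPS (465)
# ---------------------------------------------------------------
# TLSA record format in DNS: "3 1 1 <hex fingerprint>"
TLSA_DATA="3 1 1 ${FINGERPRINT}"

# Use an unpredictable temp file rather than a fixed /tmp path, and
# remove it on every exit path.
CHANGE_FILE=$(mktemp) || die "could not create temporary change-batch file"
trap 'rm -f -- "$CHANGE_FILE"' EXIT

cat > "$CHANGE_FILE" << CHANGESET
{
  "Changes": [
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "_25._tcp.${HOSTNAME}.",
        "Type": "TLSA",
        "TTL": 3600,
        "ResourceRecords": [{"Value": "${TLSA_DATA}"}]
      }
    },
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "_465._tcp.${HOSTNAME}.",
        "Type": "TLSA",
        "TTL": 3600,
        "ResourceRecords": [{"Value": "${TLSA_DATA}"}]
      }
    }
  ]
}
CHANGESET

echo "Submitting TLSA record changes to Route53..."
# A successful call means Route53 accepted the change batch; propagation
# to all authoritative servers may still be pending when this returns.
aws route53 change-resource-record-sets \
  --hosted-zone-id "${ZONE_ID}" \
  --change-batch "file://${CHANGE_FILE}"

echo "DANE TLSA records created/updated successfully."
echo "  _25._tcp.${HOSTNAME}.  TLSA  ${TLSA_DATA}"
echo "  _465._tcp.${HOSTNAME}. TLSA  ${TLSA_DATA}"
echo "=== DANE setup complete ==="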