
Feature Request: Create and update TLSA Entries

Open gdnmhr opened this issue 5 months ago • 1 comment

This has already been discussed in this issue: https://github.com/caddyserver/caddy/issues/5892#issuecomment-1854172687 and the related pull request: https://github.com/caddyserver/caddy/pull/6025#pullrequestreview-1807861718. However, both of those have been closed and there seems to be no current issue to track this request.

In order to support DANE, a TLSA record is needed, which has to be updated every time the certificate changes (https://datatracker.ietf.org/doc/html/rfc6698). One way to avoid this is to disable the rotation of the private key, which is not an ideal solution. Another option is to only use DANE-TA, which also is not ideal.

Ideally, Caddy would use the existing DNS integrations to automatically create and rotate the TLSA entries whenever a new certificate is obtained. The deployment of the new certificate should be delayed until the new record has propagated.

gdnmhr avatar Jul 19 '25 10:07 gdnmhr
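To make the trade-off in the request concrete, here is an added example (written for this page, not code from Caddy or from the issue author) that computes the two DANE-EE TLSA records for a leaf certificate, `3 0 1` (SHA-256 of the whole certificate) and `3 1 1` (SHA-256 of the SubjectPublicKeyInfo), and shows what happens to each on renewal with the same key versus renewal with a rotated key. It also includes the deployment gate the issue asks for: a certificate is only considered deployable once a record matching it is in the published set. The host name `example.com`, the self-signed certificates and the `published` slice are all constructed for the demonstration; a real implementation would obtain that set by querying DNS (with DNSSEC validation) rather than from an in-memory slice, and would write the record through the DNS provider API before installing the certificate.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds one record's RDATA fields as defined in RFC 6698 section 2.1.
type TLSA struct {
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// Presentation renders the record in zone-file form; the owner name
// (for example "_443._tcp.example.com.") is supplied by the caller.
func (t TLSA) Presentation(owner string) string {
	return fmt.Sprintf("%s IN TLSA %d %d %d %s",
		owner, t.Usage, t.Selector, t.MatchingType, hex.EncodeToString(t.Data))
}

// Records returns the DANE-EE records for a leaf certificate:
// full = 3 0 1 (whole certificate), spki = 3 1 1 (public key only).
func Records(leaf *x509.Certificate) (full, spki TLSA) {
	certHash := sha256.Sum256(leaf.Raw)
	spkiHash := sha256.Sum256(leaf.RawSubjectPublicKeyInfo)
	return TLSA{3, 0, 1, certHash[:]}, TLSA{3, 1, 1, spkiHash[:]}
}

// Matches reports whether leaf satisfies r. Only usage 3 with SHA-256
// matching is handled here; DANE-TA (usage 2) would need chain walking.
func Matches(leaf *x509.Certificate, r TLSA) bool {
	if r.Usage != 3 || r.MatchingType != 1 {
		return false
	}
	var sum [32]byte
	switch r.Selector {
	case 0:
		sum = sha256.Sum256(leaf.Raw)
	case 1:
		sum = sha256.Sum256(leaf.RawSubjectPublicKeyInfo)
	default:
		return false
	}
	return bytes.Equal(sum[:], r.Data)
}

// ReadyToDeploy is the gate from the issue: install the new certificate
// only once at least one published TLSA record already matches it.
func ReadyToDeploy(leaf *x509.Certificate, published []TLSA) bool {
	for _, r := range published {
		if Matches(leaf, r) {
			return true
		}
	}
	return false
}

// selfSigned issues a constructed self-signed certificate for host with key.
func selfSigned(key *ecdsa.PrivateKey, host string, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// RotationReport summarises how each record type behaves across renewals.
type RotationReport struct {
	SameKeySPKIStable  bool // renew with the same key: 3 1 1 is unchanged
	SameKeyFullChanged bool // renew with the same key: 3 0 1 changes
	NewKeySPKIChanged  bool // rotate the key: 3 1 1 changes too
	OldRecordGatesNew  bool // old 3 1 1 alone blocks the new-key certificate
}

// RotationEffects runs the three-certificate scenario and reports the outcome.
func RotationEffects() (RotationReport, error) {
	const host = "example.com" // constructed host name
	keyA, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return RotationReport{}, err
	}
	keyB, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return RotationReport{}, err
	}
	c1, err := selfSigned(keyA, host, 1) // initial certificate
	if err != nil {
		return RotationReport{}, err
	}
	c2, err := selfSigned(keyA, host, 2) // renewal, key not rotated
	if err != nil {
		return RotationReport{}, err
	}
	c3, err := selfSigned(keyB, host, 3) // renewal, key rotated
	if err != nil {
		return RotationReport{}, err
	}
	f1, s1 := Records(c1)
	f2, s2 := Records(c2)
	_, s3 := Records(c3)
	return RotationReport{
		SameKeySPKIStable:  bytes.Equal(s1.Data, s2.Data),
		SameKeyFullChanged: !bytes.Equal(f1.Data, f2.Data),
		NewKeySPKIChanged:  !bytes.Equal(s1.Data, s3.Data),
		OldRecordGatesNew:  !ReadyToDeploy(c3, []TLSA{s1}) && ReadyToDeploy(c3, []TLSA{s1, s3}),
	}, nil
}

func main() {
	r, err := RotationEffects()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The report shows why the issue calls disabling key rotation a workaround rather than a fix: a `3 1 1` record survives renewal only as long as the key does, so the moment Caddy rotates the key the record must be republished, and the new certificate must not be served until the updated record is what resolvers actually return. Publishing both the old and the new `3 1 1` record during the overlap is what lets `ReadyToDeploy` pass for the new certificate without breaking clients that still see the old one.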

Hi! I wanted to share that I’ve implemented a custom Caddy HTTP handler module that logs TLSA DNS records derived from client certificates. While it doesn’t yet automate DNS TLSA record creation or rotation, it could be a useful building block or reference for further work in this area.

I agree that seamless TLSA record management tied to certificate lifecycle would be ideal, possibly integrated with Caddy’s DNS provider APIs to update TLSA records automatically before certificate deployment.

If you’re interested, I can share the code or collaborate on evolving this functionality further.

maheshbhatiya73 avatar Jul 20 '25 17:07 maheshbhatiya73