Hash-slinger is a package of tools created by Paul Wouters of Red Hat that makes it easy to create the DNS records the DANE protocol uses to bind your SSL/TLS certificates to your domain under DNSSEC.
The package is available for Linux at:
One of the tools provided in the package is a command “tlsa” that generates TLSA records (outlined in RFC 6698). Paul Wouters showed how easy it is:
$ tlsa --create ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TLSA 3 0 1 54f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e
You can now copy that record to your DNS zone file and be in the business of publishing a TLSA record.
If your nameserver or DNSSEC-signing software does not yet support the TLSA RRtype defined in RFC 6698, you can create a “generic” record type:
$ tlsa --create -o generic ietf.org
No certificate specified on the commandline, attempting to retrieve it from the server ietf.org.
Attempting to get certificate from 64.170.98.30
Got a certificate with Subject: /O=*.ietf.org/OU=Domain Control Validated/CN=*.ietf.org
_443._tcp.ietf.org. IN TYPE52 \# 35 03000154f3fd877632a41c65b0ff4e50e254dd7d1873486231dc6cd5e9c1c1963d1e4e
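To show what the two outputs above actually contain, here is an added Python example (not part of hash-slinger or this article) that builds a "3 0 1" TLSA record from DER certificate bytes, emits the same data in the RFC 3597 generic TYPE52 form, and parses the generic form back while checking its declared length. The certificate bytes and host name are constructed placeholders; only selector 0 (hash of the full certificate) is implemented, since selector 1 would need ASN.1 parsing of the SubjectPublicKeyInfo.

```python
import hashlib

# TLSA RRtype number assigned by IANA (RFC 6698), used in the generic form.
TLSA_RRTYPE = 52

# Matching types from RFC 6698: 1 = SHA-256, 2 = SHA-512 (0 = exact match, not used here).
MATCHING = {1: hashlib.sha256, 2: hashlib.sha512}

# Constructed placeholder standing in for a real DER-encoded certificate; any
# bytes work for selector 0 because the digest covers the whole blob.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"\x00" * 262


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 0, mtype: int = 1) -> tuple:
    """Return (usage, selector, matching type, hex digest) for a TLSA record."""
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is supported here")
    if mtype not in MATCHING:
        raise ValueError("unsupported matching type")
    return usage, selector, mtype, MATCHING[mtype](cert_der).hexdigest()


def tlsa_record(host: str, cert_der: bytes, port: int = 443, proto: str = "tcp", **kw) -> str:
    """Native presentation format: _443._tcp.host. IN TLSA 3 0 1 <hex>"""
    u, s, m, h = tlsa_rdata(cert_der, **kw)
    return f"_{port}._{proto}.{host}. IN TLSA {u} {s} {m} {h}"


def tlsa_generic(host: str, cert_der: bytes, port: int = 443, proto: str = "tcp", **kw) -> str:
    """RFC 3597 unknown-type form: TYPE52 \\# <rdata length> <hex of wire rdata>.
    The wire rdata is the three one-byte fields followed by the raw digest,
    which is why the hex above starts with 030001 and the length is 35."""
    u, s, m, h = tlsa_rdata(cert_der, **kw)
    wire = bytes([u, s, m]) + bytes.fromhex(h)
    return f"_{port}._{proto}.{host}. IN TYPE{TLSA_RRTYPE} \\# {len(wire)} {wire.hex()}"


def parse_generic(rr: str) -> tuple:
    """Parse the generic form back into (usage, selector, mtype, hex digest),
    rejecting records whose declared length disagrees with the data."""
    owner, rrclass, rtype, marker, length, hexdata = rr.split()
    if rrclass != "IN" or rtype != f"TYPE{TLSA_RRTYPE}" or marker != "\\#":
        raise ValueError("not a generic TLSA record")
    wire = bytes.fromhex(hexdata)
    if len(wire) != int(length) or len(wire) < 4:
        raise ValueError("declared rdata length does not match data")
    return wire[0], wire[1], wire[2], wire[3:].hex()


if __name__ == "__main__":
    print(tlsa_record("example.com", SAMPLE_CERT_DER))
    print(tlsa_generic("example.com", SAMPLE_CERT_DER))
```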
The “tlsa” command also has other options for generating other types of TLSA records.