From 415f95b7921ced371b3592f582dbb9be883d5444 Mon Sep 17 00:00:00 2001
From: PortableTech <doug@onewebplace.com>
Date: Sun, 12 Jul 2015 11:12:34 -0400
Subject: [PATCH] Add TLSA record for HTTPS connections.

While not widely supported, there are some browser addons that can
validate DNSSEC and TLSA for additional out-of-band verification of
certificates when browsing the web.  Costs nothing to implement and
might improve security in some situations.
---
 management/dns_update.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/management/dns_update.py b/management/dns_update.py
index 120c77ee..e15cabc8 100755
--- a/management/dns_update.py
+++ b/management/dns_update.py
@@ -170,6 +170,9 @@ def build_zone(domain, all_domains, additional_records, www_redirect_domains, en
 		# Add a DANE TLSA record for SMTP.
 		records.append(("_25._tcp", "TLSA", build_tlsa_record(env), "Recommended when DNSSEC is enabled. Advertises to mail servers connecting to the box that mandatory encryption should be used."))
 
+		# Add a DANE TLSA record for HTTPS, which some browser extensions might make use of.
+		records.append(("_443._tcp", "TLSA", build_tlsa_record(env), "Optional. When DNSSEC is enabled, provides out-of-band HTTPS certificate validation for a few web clients that support it."))
+
 		# Add a SSHFP records to help SSH key validation. One per available SSH key on this system.
 		for value in build_sshfp_records():
 			records.append((None, "SSHFP", value, "Optional. Provides an out-of-band method for verifying an SSH key before connecting. Use 'VerifyHostKeyDNS yes' (or 'VerifyHostKeyDNS ask') when connecting with ssh."))