Quick reminder for myself on how to generate / update TLSA records.

~/local/src/swede/swede/swede create --output rfc --usage 1 -s 0 -m 1 www.kumari.net
No certificate specified on the commandline, attempting to retrieve it from the server www.kumari.net.
Attempting to get certificate from 198.186.192.250
M2Crypto does not support SNI: services using virtual-hosting will show the wrong certificate!
Got a certificate with Subject: /serialNumber=l/YjABq5T5eemHk7J4kqJviHIR11OOkx/OU=GT03082892/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.kumari.net
_443._tcp.www.kumari.net. IN TLSA 1 0 1 8d930a464843e08660e3fd1ddce8ed4269cc0cd9cd53a8a306bce8abcf47aef5

For the IETF one (usage 0, tied to a CA certificate):

~/local/src/swede/swede/swede create --output rfc --usage 0 -s 0 -m 1 -c ~/tmp/certs/starfield.crt www.ietf.org
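Added here as a worked illustration (not part of the original note and not swede's code): a small Python script that builds the same kind of record by hand, hashing either the whole DER certificate (selector 0) or only its SubjectPublicKeyInfo (selector 1) with SHA-256 (matching type 1) or SHA-512 (matching type 2), and that checks a certificate against an already published record, which is what you want when confirming a cert rollover did not silently break the DNS side. The hostname www.example.net and the toy certificate are constructed stand-ins.

```python
import hashlib
import hmac

def der_tlv(buf):
    """Return (tag, value, remaining bytes) for the first DER element in buf."""
    tag, length, pos = buf[0], buf[1], 2
    if length & 0x80:                        # long form: low bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return tag, buf[pos:pos + length], buf[pos + length:]

def der_wrap(tag, content):
    """Encode content under tag with a short-form DER length (only used for the toy input)."""
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content

def subject_public_key_info(cert_der):
    """Walk Certificate -> tbsCertificate and return the subjectPublicKeyInfo TLV."""
    _, cert, _ = der_tlv(cert_der)           # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert)                # tbsCertificate ::= SEQUENCE
    tag, _, rest = der_tlv(tbs)              # optional [0] EXPLICIT version
    rest = rest if tag == 0xA0 else tbs
    for _ in range(5):                       # serialNumber, signature, issuer, validity, subject
        _, _, rest = der_tlv(rest)
    _, _, tail = der_tlv(rest)
    return rest[:len(rest) - len(tail)]      # keep tag and length: the hash covers the whole TLV

def association_data(cert_der, selector, mtype):
    """Certificate association data for a selector (0 cert, 1 SPKI) and matching type."""
    data = cert_der if selector == 0 else subject_public_key_info(cert_der)
    if mtype == 0:                           # 0 = exact match, 1 = SHA-256, 2 = SHA-512
        return data.hex()
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).hexdigest()

def tlsa_record(host, port, cert_der, usage, selector, mtype, proto="tcp"):
    """Render a TLSA RR in zone-file form, like swede's --output rfc."""
    return (f"_{port}._{proto}.{host}. IN TLSA {usage} {selector} {mtype} "
            f"{association_data(cert_der, selector, mtype)}")

def cert_matches_record(cert_der, record):
    """Check a (live) certificate against a published record, e.g. when monitoring a rollover."""
    _, _, _, _, selector, mtype, data = record.split()
    expect = association_data(cert_der, int(selector), int(mtype))
    return hmac.compare_digest(expect, data.lower())

def toy_certificate(spki_content):
    """Constructed stand-in with the tbsCertificate field layout; not a real X.509 certificate."""
    tbs = der_wrap(0xA0, der_wrap(0x02, b"\x02")) + der_wrap(0x02, b"\x01")
    tbs += der_wrap(0x30, b"") * 4 + der_wrap(0x30, spki_content)
    return der_wrap(0x30, der_wrap(0x30, tbs) + der_wrap(0x30, b"") + der_wrap(0x03, b"\x00"))
```

For a real certificate pass the DER bytes (a PEM .crt converts with openssl x509 -outform DER) to tlsa_record; hashing the SPKI (selector 1) keeps the record valid across a reissue that reuses the same key, whereas selector 0 has to be updated on every new certificate.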