Hi,
I see most GNOME services have DNSSEC enabled and use Let’s Encrypt. Could you publish some TLSA DNS records?
For example, here's a good TLSA record that will match your *.gnome.org main wildcard certificate, and it will continue to match without modification as long as you keep using the same public key pair when you renew your certificate:
_443._tcp.gnome.org. IN TLSA 3 1 1 4895c16a566b68e706fbae4a853c2f3dfd74ac6d6d9c1430c3dee021f162b7b2
This was generated on a Debian machine with the command "tlsa -c gnome.org --usage 3 --selector 1 --mtype 1". Here --usage 3 means that we're storing data on your actual certificate and that users don't have to trust Let's Encrypt as long as your TLSA record is published, --selector 1 means we're matching just the public key and not your actual certificate (so the DNS record can remain valid when you get a new cert with the same key pair), and --mtype 1 means that we're storing a SHA-256 hash instead of the whole public key.
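The following is an added illustration of what the selector and matching-type fields in the post do; it is not code from the poster, from the tlsa tool, or from GNOME. It builds a constructed toy certificate (correct RFC 5280 field order, dummy names, dates and signature, and a made-up 32-byte key), walks the DER to the SubjectPublicKeyInfo, and produces the "usage selector mtype hash" RDATA of RFC 6698. Running it shows the point made above: a "3 1 1" record keeps matching a renewed certificate that reuses the key pair, while a "3 0 1" record (whole certificate hashed) stops matching as soon as the serial number changes. The host name example.org is a placeholder, not the real record for gnome.org.

```python
import hashlib


def der(tag, body):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def der_tlv(data, pos=0):
    """Decode the TLV at pos; return (tag, value bytes, offset after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_elements(body):
    """Split a constructed DER value into its encoded child elements."""
    out, pos = [], 0
    while pos < len(body):
        _, _, end = der_tlv(body, pos)
        out.append(body[pos:end])
        pos = end
    return out


# AlgorithmIdentifier for Ed25519 (OID 1.3.101.112); only used to shape the toy cert.
ED25519_ALG = der(0x30, der(0x06, bytes.fromhex("2b6570")))


def make_toy_cert(pubkey32, serial):
    """Constructed certificate: real field order, dummy issuer/validity/subject/signature."""
    spki = der(0x30, ED25519_ALG + der(0x03, b"\x00" + pubkey32))
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),  # [0] version v3
        der(0x02, bytes([serial])),     # serialNumber (keep < 128 for DER)
        ED25519_ALG,                    # signature algorithm
        der(0x30, b""),                 # issuer (empty, toy)
        der(0x30, b""),                 # validity (empty, toy)
        der(0x30, b""),                 # subject (empty, toy)
        spki,                           # subjectPublicKeyInfo
    ]))
    return der(0x30, tbs + ED25519_ALG + der(0x03, b"\x00" + b"\x00" * 64))


def spki_from_cert(cert_der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo (RFC 5280 order)."""
    _, cert_body, _ = der_tlv(cert_der)
    _, tbs_body, _ = der_tlv(der_elements(cert_body)[0])
    fields = der_elements(tbs_body)
    if fields[0][0] == 0xA0:  # the explicit [0] version field is optional
        fields = fields[1:]
    return fields[5]          # serial, sigAlg, issuer, validity, subject, SPKI


def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """RFC 6698 RDATA: selector 0 = full cert, 1 = SPKI; mtype 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 0:
        assoc = data.hex()
    elif mtype == 1:
        assoc = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        assoc = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {mtype} {assoc}"


def tlsa_matches(rdata, cert_der):
    """Would the published record still validate this certificate?"""
    usage, selector, mtype, assoc = rdata.split()
    expected = tlsa_rdata(cert_der, int(usage), int(selector), int(mtype))
    return expected.split()[3].lower() == assoc.lower()


def tlsa_owner(host, port=443, proto="tcp"):
    """Owner name for the TLSA record, e.g. _443._tcp.example.org."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


if __name__ == "__main__":
    key = bytes(range(32))                          # constructed stand-in for a public key
    original = make_toy_cert(key, serial=1)
    renewed = make_toy_cert(key, serial=2)          # renewal that reuses the key pair
    rekeyed = make_toy_cert(bytes(range(32, 64)), serial=3)
    rec_311 = tlsa_rdata(original, 3, 1, 1)
    rec_301 = tlsa_rdata(original, 3, 0, 1)
    print(f"{tlsa_owner('example.org')} IN TLSA {rec_311}")
    for name, cert in [("renewed", renewed), ("rekeyed", rekeyed)]:
        print(f"{name}: 3 1 1 matches={tlsa_matches(rec_311, cert)}, "
              f"3 0 1 matches={tlsa_matches(rec_301, cert)}")
```

For a real certificate the same SPKI hash can be obtained with OpenSSL rather than the toy parser above: openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256. Whichever way the record is produced, the operational caveat is the one the post already makes: a usage-3, selector-1 record only stays valid if renewals keep the same key pair, so a renewal that rotates the key must be paired with a DNS update (ideally publishing the new record before the new certificate goes live).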