Quick reminder for myself on how to generate / update TLSA records.

~/local/src/swede/swede/swede create --output rfc --usage 1 -s 0 -m 1 www.kumari.net
No certificate specified on the commandline, attempting to retrieve it from the server www.kumari.net.
Attempting to get certificate from
M2Crypto does not support SNI: services using virtual-hosting will show the wrong certificate!
Got a certificate with Subject: /serialNumber=l/YjABq5T5eemHk7J4kqJviHIR11OOkx/OU=GT03082892/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.kumari.net
_443._tcp.www.kumari.net. IN TLSA 1 0 1 8d930a464843e08660e3fd1ddce8ed4269cc0cd9cd53a8a306bce8abcf47aef5


For the IETF one (tied to a CA)

~/local/src/swede/swede/swede create --output rfc --usage 0 -s 0 -m 1 -c ~/tmp/certs/starfield.crt www.ietf.org