diff --git a/README.md b/README.md index 9d59147..2e89c3f 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ Miscellaneous scripts for different purposes. Mostly unrelated to each other. | Category | Script & Language | Purpose & Usage | |:---|:---|:---| | Automation | [`find-inactive-ssh-sessions.sh`](bin/find-inactive-ssh-sessions.sh)
Shell (bash) | Find inactive (idle) SSH sessions or kill (`-k`) them.
`find-inactive-ssh-sessions.sh [-k] [-i seconds] [-s]`
Could be used as a [workaround](https://serverfault.com/a/1162840/274176) for OpenSSH < 9.2 that did not have the [sshd_config(5)](https://man.openbsd.org/sshd_config) keywords `ChannelTimeout` & `UnusedConnectionTimeout`.| +| DNS
DANE | [`letsencrypt-tlsa.sh`](bin/letsencrypt-tlsa.sh)
Shell (bash) | Create TLSA records from the current & backup Let's Encrypt Intermediate CAs. | | Email | [`mail-prepender.sh`](bin/mail-prepender.sh)
Shell (bash) | Prepends (to stdin/stdout) email header strings given in as flags `i`, `I`, `a`, or `A`; after possible mbox `From` & `Return-Path` header lines. Intended as a limited `formail` replacement that ignores the nyanses of the flags and simply prepends the valid (RFC 5322, 2.2) non-empty headers keeping the other headers as is. Flags `x` & `X` are implemented. Any other flags are ignored. | | Git | [`git-find-commits-by-file-hash.sh`](bin/git-find-commits-by-file-hash.sh)
Shell (bash) | Search Git repository history for commits with SHA-256 checksum of a file. Answers the question "Has this version of this file ever been committed as the file on this path of this Git repository?" and shows a summary (`git show --stat`) of the matching commit(s). The `path` should be relative to the repository root.
`git-find-commits-by-file-hash.sh sha256sum path`| | Infosec | [`netcat-proxy.sh`](bin/netcat-proxy.sh)
Shell (sh) | Creates a simple persistent TCP proxy with netcat & named pipes.
`netcat-proxy.sh listenport targethost targetport` | diff --git a/bin/letsencrypt-tlsa.sh b/bin/letsencrypt-tlsa.sh new file mode 100755 index 0000000..eb79cf5 --- /dev/null +++ b/bin/letsencrypt-tlsa.sh @@ -0,0 +1,63 @@ +#!/bin/bash +# ------------------------------------------------------------------------------ +# Create TLSA records from the current & backup Let's Encrypt Intermediate CAs +# +# Author : Esa Jokinen (oh2fih) +# Home : https://github.com/oh2fih/Misc-Scripts +# ------------------------------------------------------------------------------ + +SOURCE="/certificates/" +BASE_URL="https://letsencrypt.org" + +# Check for requirements. Print all unmet requirements at once. + +required_command() { + if ! command -v "$1" &> /dev/null; then + if [ -z ${2+x} ]; then + echo -e "\033[0;31mThis script requires ${1}!\033[0m" >&2 + else + echo -e "\033[0;31mThis script requires ${1} ${2}!\033[0m" >&2 + fi + ((UNMET=UNMET+1)) + fi +} + +UNMET=0 + +required_command "openssl" "for creating TLSA records" +required_command "curl" "for fetching data" +required_command "grep" +required_command "sed" +required_command "awk" + +if [ "$UNMET" -gt 0 ]; then + exit 1 +fi + +# Get URLs for the Subordinate (Intermediate) CAs, including backups + +INTERMEDIATE_PATHS=$( + curl --silent "${BASE_URL}${SOURCE}" \ + | sed '/subordinate-intermediate-cas/d' \ + | sed '/.summary.Retired..summary./q' \ + | grep -oE "/certs/[0-9]+/[0-9a-zA-Z]+(-cross)?.pem" + ) + +if [ "$INTERMEDIATE_PATHS" = "" ]; then + echo "Failed to fetch certificate list from ${BASE_URL}${SOURCE}" >&2 + exit 1 +fi + +# Create TLSA records + +while IFS= read -r path ; do + echo "[${BASE_URL}${path}]" >&2 + PEM=$(curl --silent "${BASE_URL}${path}") + if [[ "$PEM" =~ ^[-]+BEGIN[[:space:]]CERTIFICATE[-]+ ]]; then + echo "$PEM" \ + | openssl x509 -outform DER \ + | openssl dgst -sha256 -hex \ + | awk '{print "le-ca TLSA 2 1 1", $NF}' + fi + +done <<< "$INTERMEDIATE_PATHS"
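Review bot: the new README row for `letsencrypt-tlsa.sh` is the only row in the table without a usage synopsis; every other entry ends its "Purpose & Usage" cell with an invocation line, so add one (the script takes no arguments, e.g. `letsencrypt-tlsa.sh`) and mention that the emitted records use the placeholder owner name `le-ca`, which the user must replace with the real DANE owner name (such as `_25._tcp.mail.example.com.`) before publishing.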
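Review bot: the record generation in the `while` loop hashes the whole DER certificate but labels the output `TLSA 2 1 1`; selector 1 means the SubjectPublicKeyInfo, so the digest as computed only matches selector 0, and a validator using these records against the real intermediate will fail. Either emit `TLSA 2 0 1` for the current pipeline, or hash the SPKI to match the advertised selector, e.g.
`| openssl x509 -pubkey -noout \`
`| openssl pkey -pubin -outform DER \`
`| openssl dgst -sha256 -hex \`
With the SPKI hash, a cross-signed variant (`*-cross.pem`) yields the same digest as its non-cross counterpart because they share the key, so piping the final output through `sort -u` avoids duplicate records. Minor: the `.` before `pem` in the `grep -oE` pattern is unescaped.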