diff --git a/gestion/gen_confs/bind.py b/gestion/gen_confs/bind.py
index 79a42d0a..94cf5d7d 100755
--- a/gestion/gen_confs/bind.py
+++ b/gestion/gen_confs/bind.py
@@ -62,14 +62,13 @@ class TLSA(ResourceRecord):
         compat: on génère un enregistement compris même par les serveurs dns n'implémentant pas TLSA
         """
         selector = 0
-        if cert is None and proto == 'tcp':
+        if cert is None and proto == 'tcp' and name[-1] == '.':
             try:
-                cert = ssl.get_server_certificate((name[:-1], port))
-                sys.stderr.write("Warning: it is not safe to retrive cert for %s through the network, consider using an other solution\n" % name[:-1])
+                cert = ssl.get_server_certificate((name[:-1], port), ca_certs='/etc/ssl/certs/ca-certificates.crt')
             except Exception as e:
                 raise ValueError("Unable de retrieve cert dynamically: %s" % e)
         elif cert is None:
-            raise ValueError("cert can only be retrive if proto is tcp")
+            raise ValueError("cert can only be retrive if proto is tcp and name fqdn")
         dercert = ssl.PEM_cert_to_DER_cert(cert)
         if not dercert:
             raise ValueError("Impossible de convertir le certificat au format DER %s %s %s\n%s" % (name, port, proto, cert))
@@ -446,6 +445,19 @@ class dns(gen_config) :
 
     }
 
+    EXTRAS = {
+        'crans.org' : [
+            TLSA('cas.crans.org.', 443, 'tcp', None, 3, 2),
+            TLSA('wiki.crans.org.', 443, 'tcp', None, 3, 2),
+            TLSA('perso.crans.org.', 443, 'tcp', None, 3, 2),
+            TLSA('intranet.crans.org.', 443, 'tcp', None, 3, 2),
+            TLSA('webmail.crans.org.', 443, 'tcp', None, 3, 2),
+            TLSA('horde.crans.org.', 443, 'tcp', None, 3, 2),
+            TLSA('roundcube.crans.org.', 443, 'tcp', None, 3, 2),
+            TLSA('sogo.crans.org.', 443, 'tcp', None, 3, 2),
+        ]
+    }
+
     hostname = short_name(gethostname())
     serial = int(time.time()) + 1000000000
     TTL = 3600
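Review bot: Passing `ca_certs` makes `ssl.get_server_certificate` verify the chain against the system bundle, but it does not check that the certificate was issued for `name[:-1]`, so a certificate from any trusted CA for any other host is accepted and ends up pinned in the TLSA record; on the interpreter versions I know the function never enables hostname checking, but confirm for the one in use. The fetch below verifies both chain and hostname with `ssl.create_default_context` (available from 2.7.9 / 3.4) and needs `socket` in scope. The warning removed on the same line was the only hint that the record is derived from a live TLS connection rather than from the deployed key, and that remains true, so keeping it as a log line is worth considering. Also `name[-1] == '.'` raises IndexError on an empty name where `name.endswith('.')` would fall through to the ValueError branch. The enclosing method starts and ends outside the hunk.
```python
        if cert is None and proto == 'tcp' and name.endswith('.'):
            try:
                # get_server_certificate(ca_certs=...) checks the chain only;
                # the default context also checks the hostname.
                ctx = ssl.create_default_context(cafile='/etc/ssl/certs/ca-certificates.crt')
                tls = ctx.wrap_socket(socket.create_connection((name[:-1], port)),
                                      server_hostname=name[:-1])
                try:
                    cert = ssl.DER_cert_to_PEM_cert(tls.getpeercert(True))
                finally:
                    tls.close()
            except Exception as e:
                raise ValueError("Unable de retrieve cert dynamically: %s" % e)
        # … unchanged: elif branch and DER conversion …
```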
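Review bot: The eight `TLSA(..., None, 3, 2)` calls in `EXTRAS` run when the `dns` class body is executed, that is at import of bind.py, so if the constructor code in the first hunk is `TLSA.__init__`, importing this module now opens eight outbound TLS connections and raises ValueError if any single host is unreachable, before any zone is generated. Building the list lazily (a method called from the loop in the last hunk) would confine the fetch to generation time and let one unreachable host fail only its own record. Since `cert` is `None` for every entry, each regeneration republishes whatever certificate the host presents at that moment, which deserves a comment next to the dict, e.g. `# certs are fetched live from each host when this class is evaluated; a cert rotation on any of them changes the zone`. The class body continues outside the hunk.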
@@ -464,7 +476,7 @@ class dns(gen_config) :
         self.anim.iter=len(zones.values())
         for zone in zones.values():
             zone.extend(self.MXs)
-            for rr_type in [self.SRVs, self.NATPRs, self.DSs]:
+            for rr_type in [self.SRVs, self.NATPRs, self.DSs, self.EXTRAS]:
                 if zone.zone_name in rr_type.keys():
                     zone.extend(rr_type[zone.zone_name])
             for m in machines:
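Review bot: `zone.zone_name in rr_type.keys()` on the line after the change builds the key list for every zone/record-type pair on Python 2, where `if zone.zone_name in rr_type:` is the direct membership test; with `self.EXTRAS` now in the list this runs four times per zone. The enclosing method starts and ends outside the hunk.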