Open gthess opened 3 years ago
Thanks. For the record: this relates to the mail conversation 'Multiple DANE-EE records lead to "DANE validity failed"' (last mail 28-1-2021).
Question: would it also be possible to use the `openssl s_client` DANE options (i.e. `-dane_tlsa_domain domain` or `-dane_tlsa_rrdata rrdata`) for the "DANE validity" test?
Maybe, but we still depend on openssl to connect I suppose, so a different dependency. Not sure if openssl can just verify the records without any connection; we can look into it.
openssl can.
```
$ host -t TLSA _443._tcp.internet.nl
_443._tcp.internet.nl is an alias for 3.1.1.proloprod._dane.internet.nl.
3.1.1.proloprod._dane.internet.nl has TLSA record 3 1 1 EC508CAF55D1C762C972451746AF1D6C511F60E13CB1FB7A70685BCA 724E11E8
```

```
$ openssl s_client -starttls smtp -connect internet.nl:443 -dane_tlsa_domain "internet.nl" -dane_tlsa_rrdata "3 1 1 a254c1e9945af14159a815a2e74ac48eb04620d4287512950fc2bf71d7101d1e"
CONNECTED(00000003)
```
We may be able to borrow from https://github.com/pieterlexis/swede
`ldns-dane` does not support STARTTLS. Now we call it via Python as a subprocess and we provide the certificates through standard input. This leaves `ldns-dane` to query the local resolver (which needs to be configured for DNSSEC) to get the TLSA records.

Check if Python's `tempfile` module (especially `tempfile.NamedTemporaryFile`) can be used to have temp files into which we dump the TLSA records and use them as input to `ldns-dane`'s `-t` option. The `-d` option should also be used, as we rely on the previous check about the DNSSEC status of the records.

This would help make the results more consistent in case two different lookups end up at different nameservers, providing a different view of the DNS tree.
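An added example (not code from the internet.nl project or from ldns) of the approach proposed in this issue: parse the TLSA rdata obtained by the earlier DNS check, write it in zone-file presentation format to a `tempfile.NamedTemporaryFile`, and hand that file to `ldns-dane` with `-t` (read records from file) and `-d` (assume DNSSEC validity), feeding the certificate on stdin. The `ldns-dane verify <name> <port>` invocation and the meaning of `-t`/`-d` are as I recall them from the ldns-dane manual; that `-t` accepts presentation-format lines and that a PEM chain on stdin is used instead of a connection are assumptions taken from this issue, not verified against the tool. The sample record is the one quoted from `host` above.

```python
import os
import subprocess
import tempfile
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# RFC 6698 registry values and the hex length each matching type implies
# (0 = full data, no fixed length; 1 = SHA-256; 2 = SHA-512).
_USAGES, _SELECTORS, _MATCHING_TYPES = range(0, 4), range(0, 2), range(0, 3)
_HEX_LEN = {1: 64, 2: 128}


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    cert_assoc_data: str  # lowercase hex, whitespace removed

    @classmethod
    def from_rdata(cls, rdata: str) -> "TLSARecord":
        """Parse TLSA rdata as a resolver prints it, e.g. '3 1 1 EC50 ...'.

        RFC 6698 allows whitespace inside the hex string (host(1) breaks it
        up, as in the output quoted in this issue), so it is stripped here.
        """
        parts = rdata.split(None, 3)
        if len(parts) != 4:
            raise ValueError(f"malformed TLSA rdata: {rdata!r}")
        usage, selector, mtype = (int(p) for p in parts[:3])
        if usage not in _USAGES or selector not in _SELECTORS or mtype not in _MATCHING_TYPES:
            raise ValueError(f"unregistered TLSA parameter in {rdata!r}")
        hexdata = "".join(parts[3].split()).lower()
        if len(hexdata) % 2 or any(c not in "0123456789abcdef" for c in hexdata):
            raise ValueError(f"certificate association data is not hex: {rdata!r}")
        expected = _HEX_LEN.get(mtype)
        if expected is not None and len(hexdata) != expected:
            raise ValueError(f"matching type {mtype} needs {expected} hex chars, got {len(hexdata)}")
        return cls(usage, selector, mtype, hexdata)

    def presentation(self, owner: str) -> str:
        """Zone-file line for this record (assumed to be what ldns-dane -t reads)."""
        return f"{owner} IN TLSA {self.usage} {self.selector} {self.matching_type} {self.cert_assoc_data}"


def is_valid_rdata(rdata: str) -> bool:
    try:
        TLSARecord.from_rdata(rdata)
    except ValueError:
        return False
    return True


def tlsa_owner(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name of the TLSA RRset for host:port, e.g. _443._tcp.internet.nl."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def tlsa_file_contents(owner: str, records: Iterable[TLSARecord]) -> str:
    return "".join(r.presentation(owner) + "\n" for r in records)


def write_tlsa_file(owner: str, records: Iterable[TLSARecord]) -> str:
    """Write the records to a temp file and return its path.

    delete=False plus an explicit close: ldns-dane opens the file by name, so
    it must be complete and closed before the child starts. The caller removes
    it afterwards (see verify_with_records).
    """
    tmp = tempfile.NamedTemporaryFile("w", suffix=".tlsa", delete=False)
    with tmp:
        tmp.write(tlsa_file_contents(owner, records))
    return tmp.name


def ldns_dane_argv(host: str, port: int, tlsa_path: str) -> List[str]:
    """-d: treat the records as DNSSEC-valid (the earlier check decided that);
    -t: read the records from tlsa_path instead of querying DNS."""
    return ["ldns-dane", "-d", "-t", tlsa_path, "verify", host, str(port)]


def verify_with_records(host: str, port: int, records: Iterable[TLSARecord],
                        cert_pem: str) -> Tuple[bool, str]:
    """Run ldns-dane against records we looked up ourselves, with the server
    certificate chain on stdin as the issue describes. Needs the ldns-dane
    binary; not exercised offline."""
    path = write_tlsa_file(tlsa_owner(host, port), records)
    try:
        proc = subprocess.run(ldns_dane_argv(host, port, path), input=cert_pem,
                              capture_output=True, text=True, check=False)
    finally:
        os.unlink(path)
    return proc.returncode == 0, proc.stdout + proc.stderr


if __name__ == "__main__":
    # Constructed input: the record quoted from host(1) earlier in this issue.
    rec = TLSARecord.from_rdata(
        "3 1 1 EC508CAF55D1C762C972451746AF1D6C511F60E13CB1FB7A70685BCA 724E11E8")
    print(tlsa_file_contents(tlsa_owner("internet.nl", 443), [rec]), end="")
```

Keeping the records in a file that the Python side wrote, rather than letting `ldns-dane` resolve them again, is what pins both steps of the check to one view of the DNS tree; the `-d` flag is only safe because the DNSSEC status of those same records was established by the preceding check.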