Closed sei-vsarvepalli closed 1 year ago
Adding a new path does no harm.
Regarding the second topic: Displaying a mismatching hostname is probably a good idea (that could be an error), but it's optional for usage type DANE-EE that the hostname matches the certificate.
E.g. for mail servers the hostname doesn't necessarily match (although I personally prefer to have all valid MX hosts included and always specify MX explicitly).
Hello Paul,
Thanks for this code. Two questions/issues for which I am happy to do a PR and provide an updated version, if they seem suitable for the TLSA generator code.
It looks like the cauldron for tlsa does not include
/usr/share/dns/root.key
as one of the default locations for the root key. This seems to be the default with the ISC Bind install for many distros. https://github.com/letoams/hash-slinger/blob/98a6f48f8b3118c747c445f4b7b60f609f40f5bd/tlsa#L40
I am trying to use the tlsa code to automatically generate TLSA records for DNS. However it looks like the tlsa generator (--create) does not seem to have an option to verify the peer certificate before providing the TLSA records. The code right after https://github.com/letoams/hash-slinger/blob/98a6f48f8b3118c747c445f4b7b60f609f40f5bd/tlsa#L882
can basically have a
verifyCertNameWithHostName(cert=chain[0], hostname=str(args.host), with_msg=True)
to validate the hostname being used matches the Certificate CN or SubjectAltName: DNS.
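Added example (not hash-slinger's own code) of the check the issue asks for, combined with the usage-dependent policy from the reply: a hostname mismatch is an error for usages 0 to 2 but only a warning for DANE-EE (usage 3). The certificate's names (CN plus SAN DNS entries) are passed in as a list, so extracting them from the certificate is assumed to happen elsewhere; the byte strings are constructed stand-ins, not a real certificate.

```python
import hashlib

# RFC 7671: PKIX-TA(0), PKIX-EE(1) and DANE-TA(2) need a name match, DANE-EE(3) does not
NAME_CHECK_REQUIRED = {0: True, 1: True, 2: True, 3: False}

def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    wildcard only as the whole left-most label and never across a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def check_hostname(usage: int, hostname: str, cert_names: list) -> tuple:
    """Return (ok, message); ok is False only when this usage requires a match
    and none of the certificate's names (CN plus SAN DNS entries) match."""
    if any(name_matches(n, hostname) for n in cert_names):
        return True, "hostname %s matches the certificate" % hostname
    msg = "hostname %s does not match certificate names %s" % (hostname, cert_names)
    if NAME_CHECK_REQUIRED.get(usage, True):
        return False, "error: " + msg
    return True, "warning (DANE-EE): " + msg

def tlsa_rdata(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """TLSA RDATA: selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
    matching type 0 = raw data, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_der
    digests = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
               2: lambda d: hashlib.sha512(d).digest()}
    return "%d %d %d %s" % (usage, selector, mtype, digests[mtype](data).hex())

def build_record(usage, selector, mtype, hostname, cert_names, cert_der, spki_der,
                 port=25, proto="tcp"):
    """Verify the hostname first (as tlsa --create could), then emit the record."""
    ok, msg = check_hostname(usage, hostname, cert_names)
    if not ok:
        raise ValueError(msg)
    owner = "_%d._%s.%s." % (port, proto, hostname.rstrip("."))
    return "%s IN TLSA %s" % (owner, tlsa_rdata(usage, selector, mtype, cert_der, spki_der))

if __name__ == "__main__":
    # constructed stand-ins for DER-encoded certificate and SPKI bytes
    CERT_DER, SPKI_DER = b"constructed-cert-der", b"constructed-spki-der"
    # usage 3 with a non-matching MX name: record is emitted, mismatch is only a warning
    print(check_hostname(3, "mx1.example.com", ["mail.example.com"])[1])
    print(build_record(3, 1, 1, "mx1.example.com", ["mail.example.com"], CERT_DER, SPKI_DER))
```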