shuque / dane

Go library for DANE authentication
MIT License
21 stars 7 forks

What am I doing wrong? #1

Closed fiatjaf closed 2 years ago

fiatjaf commented 2 years ago

I'm trying to check if I can introduce the ability to make requests to DANE-powered addresses in an app I have (I'm not very familiar with DANE and I'm not sure this even makes sense, but I'm just playing with it), and then I'm trying to test this library as a drop-in replacement for my http.Transport TLS thing.

The problem is that the only two DANE domains I know, falci.me and www.huque.com, return Okdane == false and Okpkix == true.

This is the code I'm using:

package main

import (
    "context"
    "fmt"
    "log"
    "net"
    "net/http"
    "strconv"

    "github.com/shuque/dane"
)

func main() {
    t := &http.Transport{
        DialTLSContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
            // addr arrives as "host:port"; SplitHostPort also copes with bracketed IPv6.
            host, portStr, err := net.SplitHostPort(addr)
            if err != nil {
                return nil, err
            }
            port, err := strconv.Atoi(portStr)
            if err != nil {
                return nil, err
            }

            // Resolve, look up TLSA, connect and authenticate in one call.
            conn, s, err := dane.ConnectByNameAsync(host, port)
            if err != nil {
                return nil, err
            }

            // Which kind of authentication actually succeeded.
            log.Print(s.Okdane)
            log.Print(s.Okpkix)

            return conn, nil
        },
    }
    client := http.Client{Transport: t}

    resp, err := client.Get("https://www.huque.com")
    if err != nil {
        log.Fatal(err)
    }
    defer resp.Body.Close()
    fmt.Println(resp)
}

These two domains succeed on the DANE verification at https://www.huque.com/bin/danecheck.

shuque commented 2 years ago

Most likely the problem is that your system isn't using a DNS resolver that performs DNSSEC validation. The dane library currently requires the use of a DNSSEC validating resolver. So, you'll need to either make your system resolver do that, or configure the dane library to use another validating resolver (e.g. 8.8.8.8 or 1.1.1.1). The ConnectByNameAsync() function is a high level routine that uses system default parameters though and can't (currently) configure an alternate resolver. But you can use dane.NewResolver() to specify the use of another resolver for looking up the DANE TLSA records.
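A fail-closed variant of the DialTLSContext from the question above, added here as an example that is not code from the issue or from the dane library: it refuses the connection whenever Okdane is false instead of returning it after logging, so a PKIX-only result (the symptom reported when the resolver does not validate DNSSEC) cannot silently pass. Result, ConnectFunc and StrictDANEDialer are names assumed for this example; in the app the ConnectFunc would wrap dane.ConnectByNameAsync, run against a validating resolver as the reply above requires.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"strconv"
)

// Result mirrors the two status fields the issue reads from the value
// returned by dane.ConnectByNameAsync; the type name is hypothetical.
type Result struct {
	Okdane bool // certificate chain matched a TLSA record
	Okpkix bool // chain validated against the CA store only
}

// ConnectFunc abstracts the library call so the policy can run offline;
// in the app, wrap dane.ConnectByNameAsync(host, port) in one of these.
type ConnectFunc func(host string, port int) (net.Conn, Result, error)

// StrictDANEDialer returns a DialTLSContext for http.Transport that fails
// closed: the connection is handed over only when DANE authentication
// succeeded, instead of being returned whatever Okdane says.
func StrictDANEDialer(connect ConnectFunc) func(context.Context, string, string) (net.Conn, error) {
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		// SplitHostPort handles "[::1]:443"; strings.Split on ":" does not.
		host, portStr, err := net.SplitHostPort(addr)
		if err != nil {
			return nil, err
		}
		port, err := strconv.Atoi(portStr)
		if err != nil {
			return nil, fmt.Errorf("dane dialer: bad port %q: %w", portStr, err)
		}
		conn, res, err := connect(host, port)
		if err != nil {
			return nil, err
		}
		if !res.Okdane {
			// Never leak a usable conn that only passed PKIX; fail closed.
			conn.Close()
			return nil, fmt.Errorf("dane dialer: %s not authenticated by TLSA (Okpkix=%t)", addr, res.Okpkix)
		}
		return conn, nil
	}
}
```

Wire it in with &http.Transport{DialTLSContext: StrictDANEDialer(connect)}, where connect calls dane.ConnectByNameAsync and copies s.Okdane and s.Okpkix into a Result.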