On Sat, Nov 8, 2014 at 6:07 PM, Melinda Shore <[email protected]> wrote:
> On 11/8/14 6:59 PM, Stephane Bortzmeyer wrote:
> > I was not talking about DNSsec monitoring (I already use it, otherwise
> > I would never have deployed DNSsec in production for serious domains)
> > but about DANE monitoring: get the TLSA record, open a TLS connection,
> > get the certificate, check that it is consistent with what the TLSA
> > record announces.
>
> Shumon Huque wrote something using the getdns Python bindings that
> may be close to what you're asking about:
>
> https://github.com/getdnsapi/getdns-python-bindings/blob/master/examples/checkdanecert.py
>
> Melinda
>

There's a slightly newer version of that script in the develop branch:

https://github.com/getdnsapi/getdns-python-bindings/blob/develop/examples/checkdanecert.py

Note that this script currently only does usage type 3, and it works for services that do SSL first (rather than negotiate STARTTLS).

The Python M2Crypto SSL interface has some significant limitations. For example, it doesn't expose the function to set the TLS SNI extension, so on some multihomed servers, the server won't be able to figure out the correct certificate to present, leading to the script failing the check. If there is a better Python SSL module that folks would recommend, I'd be glad to hear that.

We have a more complete Python example that additionally does the PKIX-* mode checks (0 and 1), and we had slides on that example in our recent RIPE69 getdns tutorial (which we ran out of time to present during the session itself). I'll work on getting that example posted on the github site soon.

--Shumon.
_______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
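The comparison step of the DANE monitoring Stephane describes (TLSA record versus the certificate the server presents), for the usage 3 case that checkdanecert.py handles. This is an added illustration, not the getdns script or any code from the thread: it leaves the TLSA lookup and the TLS handshake out (those need the network) and covers only how the certificate association data is derived per RFC 6698 for each selector and matching type. The certificate it parses is a constructed toy DER structure, not a real certificate.

```python
import hashlib

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value_start, end_of_element)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                      # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, pos + hdr + length

def spki_from_cert(der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 field order)."""
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate SEQUENCE
    if der[pos] == 0xA0:                   # optional explicit [0] version
        pos = _tlv(der, pos)[2]
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        pos = _tlv(der, pos)[2]
    return der[pos:_tlv(der, pos)[2]]

def association_data(cert_der, selector, matching_type):
    """TLSA certificate association data: selector picks cert or SPKI, matching type hashes it."""
    selected = {0: cert_der, 1: spki_from_cert(cert_der)}[selector]
    return {0: selected,
            1: hashlib.sha256(selected).digest(),
            2: hashlib.sha512(selected).digest()}[matching_type]

def dane_ee_matches(tlsa, cert_der):
    """Usage 3 (DANE-EE): the presented end-entity certificate itself must match the record."""
    usage, selector, matching_type, data = tlsa   # record as (usage, selector, mtype, bytes)
    if usage != 3:
        raise ValueError("only usage 3 (DANE-EE) is handled here, like checkdanecert.py")
    return association_data(cert_der, selector, matching_type) == data

# --- constructed toy certificate (not a real one): minimal DER so the walker has fields to skip
def _der(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body  # short-form lengths suffice for this toy
_EC_ALG = _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))       # id-ecPublicKey
_SIG_ALG = _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))  # ecdsa-with-SHA256
TOY_SPKI = _der(0x30, _EC_ALG, _der(0x03, b"\x00\x04" + b"\x11" * 8))   # fake public key
TOY_CERT = _der(0x30, _der(0x30,
    _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),               # version v3, serial 1
    _SIG_ALG, _der(0x30),                                               # signature alg, empty issuer
    _der(0x30, _der(0x17, b"141108000000Z"), _der(0x17, b"151108000000Z")),  # validity
    _der(0x30), TOY_SPKI),                                              # empty subject, SPKI
    _SIG_ALG, _der(0x03, b"\x00\xde\xad"))                              # outer alg, fake signature
TLSA_3_1_1 = (3, 1, 1, hashlib.sha256(TOY_SPKI).digest())  # the "3 1 1" record a monitor would hold
```

In a monitor, `cert_der` would be the DER of the leaf certificate taken from the TLS connection and `tlsa` one of the records returned for the `_port._tcp.name` TLSA name; a mismatch on every record is the alert condition.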
