Re: [dane] Two additions to draft-york-dane-deployment-observations-00

Shumon Huque <> Mon, 10 November 2014 18:02 UTC


On Sat, Nov 8, 2014 at 6:07 PM, Melinda Shore <>

> On 11/8/14 6:59 PM, Stephane Bortzmeyer wrote:
> > I was not talking about DNSsec monitoring (I already use it, otherwise
> > I would never have deployed DNSsec in production for serious domains)
> > but about DANE monitoring: get the TLSA record, open a TLS connection,
> > get the certificate, check that it is consistent with what the TLSA
> > record announces.
> Shumon Huque wrote something using the getdns Python bindings that
> may be close to what you're asking about:
> Melinda
There's a slightly newer version of that script in the develop branch:

Note that this script currently only does usage type 3, and it works for
services that do SSL first (rather than negotiate STARTTLS). The Python
M2Crypto SSL interface has some significant limitations. For example, it
doesn't expose the function to set the TLS SNI extension, so on some
multihomed servers, the server won't be able to figure out the correct
certificate to present, leading to the script failing the check. If there is
a better Python SSL module that folks would recommend, I'd be glad to hear

We have a more complete Python example that additionally does the PKIX-*
mode checks (0 and 1), and we had slides on that example in our recent
RIPE69 getdns tutorial (which we ran out of time to present during the
session itself). I'll work on getting that example posted on the github
site soon.
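The usage-3 consistency step that Stephane describes (compare the certificate the server presents with what the TLSA record announces) as an added, self-contained example; this is not the getdns script from the post. It assumes the TLSA fields and the server's DER certificate have already been obtained (the DNS query and TLS handshake are out of scope), and it builds a constructed, unsigned certificate so it runs offline.

```python
import hashlib
def der(tag, content):
    """Encode one DER TLV (content up to 65535 bytes); used here to build the constructed certificate."""
    n = len(content)
    ln = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + ln + content

def der_children(data):
    """Split a run of DER TLVs (e.g. the content of a SEQUENCE) into (tag, content) pairs."""
    out, i = [], 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                                   # long-form length
            nbytes = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + nbytes], "big"), i + nbytes
        out.append((tag, data[i:i + ln]))
        i += ln
    return out

def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo: Certificate -> tbsCertificate -> 7th field (6th without [0] version), RFC 5280."""
    tbs_fields = der_children(der_children(der_children(cert_der)[0][1])[0][1])
    if tbs_fields[0][0] == 0xA0:                        # skip the optional EXPLICIT [0] version
        tbs_fields = tbs_fields[1:]
    tag, content = tbs_fields[5]
    if tag != 0x30: raise ValueError("SubjectPublicKeyInfo not found where expected")
    return der(0x30, content)

def tlsa_matches(usage, selector, mtype, assoc_hex, cert_der):
    """RFC 6698 matching for a DANE-EE (usage 3) TLSA record against the presented DER certificate.
    selector: 0 = full cert, 1 = SubjectPublicKeyInfo; mtype: 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    if usage != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is handled, like the script in the post")
    data = cert_der if selector == 0 else extract_spki(cert_der)
    hashers = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(), 2: lambda b: hashlib.sha512(b).digest()}
    return hashers[mtype](data) == bytes.fromhex(assoc_hex)

def constructed_cert(key_bits):
    """Structurally valid but unsigned, self-made Certificate DER for the offline demo (not a real cert)."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))   # sha256WithRSAEncryption
    spki = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b"")) + der(0x03, b"\x00" + key_bits))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + der(0x30, b"")
              + der(0x30, der(0x17, b"141110000000Z") * 2) + der(0x30, b"") + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))

def demo():
    """Build the data field of a '3 1 1' TLSA record for one cert; check it against that cert and another key."""
    good, other = constructed_cert(b"\x01" * 200), constructed_cert(b"\x02" * 200)
    rr_data = hashlib.sha256(extract_spki(good)).hexdigest()        # hex data of "IN TLSA 3 1 1 <hex>"
    return tlsa_matches(3, 1, 1, rr_data, good), tlsa_matches(3, 1, 1, rr_data, other)
```

`demo()` returns `(True, False)`: the record built from the first certificate's public key matches it and rejects the certificate carrying a different key.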