Re: [dane] Two additions to draft-york-dane-deployment-observations-00

Shumon Huque <shuque@gmail.com> Mon, 10 November 2014 18:02 UTC

In-Reply-To: <545EE86E.9050007@gmail.com>
References: <20141107232915.GA31913@laperouse.bortzmeyer.org> <6DB8CC95-E47A-4C0B-BC0B-7D9A4F8F65B5@edvina.net> <20141109035925.GA20946@laperouse.bortzmeyer.org> <545EE86E.9050007@gmail.com>
Date: Mon, 10 Nov 2014 08:02:38 -1000
Message-ID: <CAHPuVdUzMkCKL9hcXE7eQ2NXVAFO=SAHHsqgy7xXSotsd5bdCA@mail.gmail.com>
From: Shumon Huque <shuque@gmail.com>
To: Melinda Shore <melinda.shore@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/qyyZlROAvki1UAPvJT3SBR0tXlQ
Cc: dane@ietf.org
Subject: Re: [dane] Two additions to draft-york-dane-deployment-observations-00

On Sat, Nov 8, 2014 at 6:07 PM, Melinda Shore <melinda.shore@gmail.com>
wrote:

> On 11/8/14 6:59 PM, Stephane Bortzmeyer wrote:
> > I was not talking about DNSsec monitoring (I already use it, otherwise
> > I would never have deployed DNSsec in production for serious domains)
> > but about DANE monitoring: get the TLSA record, open a TLS connection,
> > get the certificate, check that it is consistent with what the TLSA
> > record announces.
>
> Shumon Huque wrote something using the getdns Python bindings that
> may be close to what you're asking about:
>
> https://github.com/getdnsapi/getdns-python-bindings/blob/master/examples/checkdanecert.py
>
> Melinda
>
>
There's a slightly newer version of that script in the develop branch:

https://github.com/getdnsapi/getdns-python-bindings/blob/develop/examples/checkdanecert.py

Note that this script currently only does usage type 3, and it works for
services that do SSL first (rather than negotiate STARTTLS). The Python
M2Crypto SSL interface has some significant limitations. For example, it
doesn't expose the function to set the TLS SNI extension, so on some
multihomed servers, the server won't be able to figure out the correct
certificate to present, leading to the script failing the check. If there is
a better Python SSL module that folks would recommend, I'd be glad to hear
that.

We have a more complete Python example that additionally does the PKIX-*
mode checks (0 and 1), and we had slides on that example in our recent
RIPE69 getdns tutorial (which we ran out of time to present during the
session itself). I'll work on getting that example posted on the github
site soon.

--Shumon.
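The monitoring check Stephane describes (get the TLSA record, connect, compare the presented certificate with what the record announces), written out as an added example. This is not the getdns checkdanecert.py script and not code from anyone in the thread; it uses only the Python standard library and implements the RFC 6698 selector / matching-type logic for all four usages, not just usage 3. The connect step sets SNI through ssl's server_hostname, so the M2Crypto limitation mentioned above does not apply. The certificate used below is a constructed, unsigned DER structure so the example runs offline; obtaining the TLSA RRset from a DNSSEC-validating resolver (getdns or otherwise) is assumed to happen elsewhere and is not shown.

```python
"""Check a presented TLS certificate against DANE TLSA records (RFC 6698 semantics).
Added example: not the getdns checkdanecert.py script and not code from the thread.
Standard library only; build_demo_cert() is a constructed, unsigned certificate so the
check runs offline. Looking up / DNSSEC-validating the TLSA RRset is not shown."""
import hashlib
import socket
import ssl
from typing import List, Optional, Tuple

# matching type -> function applied to the selected data (RFC 6698 section 2.1.3)
_MATCH = {0: lambda b: b,
          1: lambda b: hashlib.sha256(b).digest(),
          2: lambda b: hashlib.sha512(b).digest()}

def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV with short- or long-form length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the TLV at buf[pos]: (tag, payload, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(tlv: bytes) -> List[bytes]:
    """Split a constructed DER element into its child TLVs."""
    _, payload, _ = _read_tlv(tlv, 0)
    out, pos = [], 0
    while pos < len(payload):
        nxt = _read_tlv(payload, pos)[2]
        out.append(payload[pos:nxt])
        pos = nxt
    return out

def spki_from_cert(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo (TLSA selector 1) of an X.509 Certificate."""
    fields = der_children(der_children(cert_der)[0])   # tbsCertificate fields
    if fields[0][0] == 0xA0:          # explicit [0] version present: skip it
        fields = fields[1:]
    return fields[5]                  # serial, sigalg, issuer, validity, subject, SPKI

def _selected(cert_der: bytes, selector: int) -> Optional[bytes]:
    """Selector 0 = full certificate, 1 = SPKI; anything else is unusable."""
    if selector == 0:
        return cert_der
    return spki_from_cert(cert_der) if selector == 1 else None

def tlsa_matches(cert_der: bytes, selector: int, mtype: int, data: bytes) -> bool:
    """True if the record's association data matches this certificate."""
    selected = _selected(cert_der, selector)
    if selected is None or mtype not in _MATCH:
        return False                  # unknown selector/matching type: record unusable
    return _MATCH[mtype](selected) == data

def dane_check(chain: List[bytes], rrset: List[Tuple[int, int, int, bytes]]) -> Optional[Tuple[int, int, int]]:
    """chain[0] is the end-entity cert the server presented, then its CA certs.
    Usages 1/3 (PKIX-EE/DANE-EE) must match the EE cert; 0/2 (PKIX-TA/DANE-TA) must
    match a cert in the chain. Usages 0/1 also need normal PKIX validation by the
    caller. Returns (usage, selector, mtype) of the first matching record, or None."""
    for usage, selector, mtype, data in rrset:
        candidates = chain[:1] if usage in (1, 3) else chain if usage in (0, 2) else []
        if any(tlsa_matches(c, selector, mtype, data) for c in candidates):
            return (usage, selector, mtype)
    return None

def parse_tlsa(rdata: str) -> Tuple[int, int, int, bytes]:
    """Parse presentation form '3 1 1 <hex>' (the hex may be split by spaces)."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))

def tlsa_rdata_for_cert(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation-form RDATA an operator would publish for this certificate."""
    return f"{usage} {selector} {mtype} {_MATCH[mtype](_selected(cert_der, selector)).hex()}"

def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """TLS-first connection with SNI (server_hostname), returning the leaf cert as DER.
    PKIX checks are off because DANE-EE replaces them; for usages 0/1 use
    ssl.create_default_context() so the chain is validated as well."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def build_demo_cert() -> bytes:
    """Constructed, unsigned Certificate for offline testing; key and signature are dummies."""
    rsa_enc = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    rsa_key = der(0x30, der(0x02, b"\x00" + b"\xc3" * 32) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, rsa_enc + der(0x03, b"\x00" + rsa_key))
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, b"dane.example"))))
    validity = der(0x30, der(0x17, b"141110000000Z") + der(0x17, b"151110000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sha256_rsa
              + name + validity + name + spki)
    return der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" + bytes(8)))
```

Two caveats for real monitoring. getpeercert(binary_form=True) returns only the leaf, so the TA usages (0 and 2) need the full presented chain, which the stdlib only exposes from Python 3.13 (SSLSocket.get_unverified_chain()); with an older interpreter use a library that returns the chain. And for services that negotiate STARTTLS rather than doing TLS first, the protocol's own upgrade (for example smtplib's starttls()) has to happen before the certificate can be read, which is the same limitation the reply above notes for the getdns script.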