Re: [dane] Anyone interested in writing a DANE tutorial?

Dan York <dan-ietf@danyork.org> Fri, 28 September 2012 19:06 UTC

From: Dan York <dan-ietf@danyork.org>
In-Reply-To: <alpine.LFD.2.02.1209281348070.24512@bofh.nohats.ca>
Date: Fri, 28 Sep 2012 15:06:28 -0400
Message-Id: <9ED27365-3730-40FB-80F2-4EA579C2157A@danyork.org>
References: <699F0F4D-3E06-44F5-88A4-40C1FC569E98@danyork.org> <50636FA2.6050403@os3.nl> <D57DD9FF-536B-4808-9365-F30ABDF85D3D@danyork.org> <alpine.LFD.2.02.1209281348070.24512@bofh.nohats.ca>
To: Paul Wouters <paul@cypherpunks.ca>
Cc: dane WG list <dane@ietf.org>
Subject: Re: [dane] Anyone interested in writing a DANE tutorial?
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>

Paul

On Sep 28, 2012, at 1:55 PM, Paul Wouters wrote:

> [paul@bofh ~]$ python
> Python 2.7.3 (default, Jul 24 2012, 10:05:38) [GCC 4.7.0 20120507 (Red Hat 4.7.0-5)] on linux2
> Type "help", "copyright", "credits" or "license" for more information.
> >>> import dns.resolver
> >>> answers = dns.resolver.query('_443._tcp.www.torproject.org', 'TLSA')

Excellent!  Worked beautifully with:

   import dns.resolver

   # TLSA owner name is _<port>._<proto>.<host>: HTTPS on www.torproject.org
   answers = dns.resolver.query('_443._tcp.www.torproject.org', 'TLSA')
   for rdata in answers:
       # prints "usage selector matching-type cert-association-data" (hex)
       print(rdata)

I can see the TLSA record.

So now I have the record... assuming I used dnspython as part of a larger application I would now be able to compare the record to the TLS certificate I get from a website.  Any code in here to help with the comparison?  Or is that something I would need to do in my code?  (i.e. write a function to do a hash on the TLS certificate and compare that to the TLSA record)

> Hope this helps,

It does.

> Note that Pieter's TLSA patch in dnspython has been pushed into Fedora/RHEL a
> few days ago. It's available in updates-testing and should be available
> as a released update in a week or so.

Great!

Thanks,
Dan

-- 
Dan York  dyork@lodestar2.com
http://www.danyork.me/   skype:danyork
Phone: +1-802-735-1624
Twitter - http://twitter.com/danyork
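The comparison Dan asks about above (hashing the TLS certificate and checking it against the TLSA record), as an added example that is not part of this thread and not dnspython's own code: a Python 3 module that parses a TLSA record in the text form dnspython prints, derives the certificate association data for a DER certificate according to the record's selector (0 = full certificate, 1 = SubjectPublicKeyInfo) and matching type (0 = exact, 1 = SHA-256, 2 = SHA-512), compares it in constant time, and applies the usage field across a certificate chain. The minimal DER walker, the `make_sample_cert` builder and the sample certificates are constructed for this example only (they are unsigned and carry dummy keys); all function names are my own.

```python
import hashlib
import hmac
from collections import namedtuple

# usage, selector, matching type and certificate association data (RFC 6698, section 2.1)
TLSA = namedtuple("TLSA", "usage selector mtype data")


def parse_tlsa(text):
    """Parse the presentation form dnspython prints, e.g. '3 1 1 8e3b...'.
    The hex field may be split into space-separated chunks; all are joined."""
    fields = text.split()
    usage, selector, mtype = (int(f) for f in fields[:3])
    return TLSA(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))


def _der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    start = pos + hdr
    return tag, start, start + length


def der_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (selector 1)."""
    tag, pos, _ = _der_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _der_tlv(cert_der, pos)        # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    tag, _, end = _der_tlv(cert_der, pos)
    if tag == 0xA0:                               # optional [0] EXPLICIT version
        pos = end
    for _ in range(5):                            # serialNumber, signature, issuer, validity, subject
        _, _, pos = _der_tlv(cert_der, pos)
    tag, _, end = _der_tlv(cert_der, pos)         # subjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed subjectPublicKeyInfo")
    return cert_der[pos:end]


def association_data(cert_der, selector, mtype):
    """Compute what the TLSA association data must equal for this certificate."""
    if selector == 0:
        data = cert_der                           # full certificate
    elif selector == 1:
        data = der_spki(cert_der)                 # SubjectPublicKeyInfo only
    else:
        raise ValueError("unknown selector %d" % selector)
    if mtype == 0:
        return data                               # exact match
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type %d" % mtype)


def tlsa_matches(rec, cert_der):
    """True if one TLSA record's association data matches one certificate."""
    try:
        expected = association_data(cert_der, rec.selector, rec.mtype)
    except ValueError:
        return False                              # unusable record: never a match
    return hmac.compare_digest(expected, rec.data)


def chain_matches(records, chain_der):
    """Apply the usage field: 1 and 3 name the end-entity cert (chain[0]);
    0 and 2 name a CA above it. Usages 0 and 1 additionally require ordinary
    PKIX validation of the chain, which is NOT performed here."""
    for rec in records:
        candidates = chain_der[:1] if rec.usage in (1, 3) else chain_der[1:]
        if any(tlsa_matches(rec, c) for c in candidates):
            return True
    return False


# --- constructed sample data (not real certificates or keys) -------------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_sample_cert(serial, key_bytes):
    """Build a structurally valid but unsigned DER certificate with a dummy key."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + key_bytes))
    validity = _der(0x30, _der(0x17, b"120928000000Z") + _der(0x17, b"130928000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial]))
               + alg + _der(0x30, b"") + validity + _der(0x30, b"") + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9)), spki


SAMPLE_CERT, SAMPLE_SPKI = make_sample_cert(1, b"\x01" * 64)
```

To run this against live data, feed `rdata.to_text()` from the `dns.resolver.query(...)` loop above into `parse_tlsa`, and the server's leaf certificate from `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` into `tlsa_matches`. Two caveats decide whether this is a real DANE check rather than a hash comparison: the TLSA answer must arrive over a DNSSEC-validating path (the stub resolver used above does not validate, so a forged record would be accepted as readily as a genuine one), and usages 0 and 1 still require the chain to pass normal PKIX validation, which this module does not attempt.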