Return-Path: X-Original-To: dane@ietfa.amsl.com Delivered-To: dane@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD53621F860B for ; Fri, 28 Sep 2012 12:06:34 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.698 X-Spam-Level: X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_38=0.6, J_CHICKENPOX_57=0.6, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OVJpbgNWmBmc for ; Fri, 28 Sep 2012 12:06:33 -0700 (PDT) Received: from mail-qa0-f51.google.com (mail-qa0-f51.google.com [209.85.216.51]) by ietfa.amsl.com (Postfix) with ESMTP id 8C8E121F85DA for ; Fri, 28 Sep 2012 12:06:32 -0700 (PDT) Received: by qabj40 with SMTP id j40so141555qab.10 for ; Fri, 28 Sep 2012 12:06:32 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=dqIPHL763ITJ6tFC41XJCVLJyZVNMgMvkHfKaKYVXkU=; b=ADIdfi3mvV7JK6hGR1E6I5KpE4aRQHCx4HV5WdktT20hXN9yOolSHB3I563JgB/c1o MWb5GM9PTGH0TOjD/dAb+Q0y9HRLk1kqAvuHy5YA3DdP0L97V8vJUoHVoWqi/ihV+t9U +MPKPEXMrLW4WXt65UxKBj/eLkEamd1MGkTjXtLZ6Zkgm2fOCRBeblY0LzbKIcLn0Ohx dAqBYtgSPeoA6S5snbyYyyrqNECmYnR3Rz63i2THU7S6QEEO15CbuKbCGMYsNAeMmGfn RFZveu16iUK+ygHM/lqUyXI+4HRFM4jsEDvdlL8g5lTamq6KoT/pgfKJeGHIFGL+xoUw ll4Q== Received: by 10.229.135.18 with SMTP id l18mr5262105qct.19.1348859191804; Fri, 28 Sep 2012 12:06:31 -0700 (PDT) Received: from [172.20.12.152] (cpe-74-75-92-114.maine.res.rr.com. [74.75.92.114]) by mx.google.com with ESMTPS id d11sm13563371qaj.18.2012.09.28.12.06.30 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 28 Sep 2012 12:06:31 -0700 (PDT) Mime-Version: 1.0 (Apple Message framework v1257) Content-Type: multipart/alternative; boundary="Apple-Mail=_49A48A22-03FE-457B-BBAC-5323D983AA70" From: Dan York In-Reply-To: Date: Fri, 28 Sep 2012 15:06:28 -0400 Message-Id: <9ED27365-3730-40FB-80F2-4EA579C2157A@danyork.org> References: <699F0F4D-3E06-44F5-88A4-40C1FC569E98@danyork.org> <50636FA2.6050403@os3.nl> To: Paul Wouters X-Mailer: Apple Mail (2.1257) X-Gm-Message-State: ALoCoQkCILDMphEYUJ8b/x8yR91ZSip1WnUQZrGxjNVKU/FwmIq22xAmphEBQvMkkl9DDsQLqx9Y Cc: dane WG list Subject: Re: [dane] Anyone interested in writing a DANE tutorial? X-BeenThere: dane@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: DNS-based Authentication of Named Entities List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Sep 2012 19:06:39 -0000 --Apple-Mail=_49A48A22-03FE-457B-BBAC-5323D983AA70 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii Paul On Sep 28, 2012, at 1:55 PM, Paul Wouters wrote: > [paul@bofh ~]$ python > Python 2.7.3 (default, Jul 24 2012, 10:05:38) [GCC 4.7.0 20120507 (Red = Hat 4.7.0-5)] on linux2 > Type "help", "copyright", "credits" or "license" for more information. >>>> import dns.resolver >>>> answers =3D dns.resolver.query('_443.import dns.resolver', 'TLSA') Excellent! Worked beautifully with: import dns.resolver answers=3D dns.resolver.query('_443._tcp.www.torproject.org','TLSA') for rdata in answers: print rdata I can see the TLSA record.=20 So now I have the record... assuming I used dnspython as part of a = larger application I would now be able to compare the record to the TLS = certificate I get from a website. Any code in here to help with the = comparison? Or is that something I would need to do in my code? (i.e. = write a function to do a hash on the TLS certificate and compare that to = the TLSA record) > Hope this helps, It does. > Note that Pieter's TLSA patch in dnspython has been pushed into = Fedora/RHEL a > few days ago. It's available in updates-testing and should be = available > as a released update in a week or so. Great! Thanks, Dan --=20 Dan York dyork@lodestar2.com http://www.danyork.me/ skype:danyork Phone: +1-802-735-1624 Twitter - http://twitter.com/danyork --Apple-Mail=_49A48A22-03FE-457B-BBAC-5323D983AA70 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii
[paul@bofh ~]$ = python
Python 2.7.3 (default, Jul 24 2012, 10:05:38) [GCC 4.7.0 = 20120507 (Red Hat 4.7.0-5)] on linux2
Type "help", "copyright", = "credits" or "license" for more information.
import = dns.resolver
answers = =3D dns.resolver.query('_443.import dns.resolver', = 'TLSA')

=
Excellent!  Worked beautifully = with:

   import = dns.resolver
   answers=3D = dns.resolver.query('_443._tcp.www.torproject.org','TLSA')
 =  for rdata in answers:
       print = rdata

I can see the TLSA = record. 

So now I have the record... = assuming I used dnspython as part of a larger application I would now be = able to compare the record to the TLS certificate I get from a website. =  Any code in here to help with the comparison?  Or is that = something I would need to do in my code?  (i.e. write a function to = do a hash on the TLS certificate and compare that to the TLSA = record)

Hope this = helps,

It = does.

Note that Pieter's = TLSA patch in dnspython has been pushed into Fedora/RHEL a
few days = ago. It's available in updates-testing and should be available
as a = released update in a week or = so.

Great!

T= hanks,
Dan

-- 
Dan York  dyork@lodestar2.com
http://www.danyork.me/  &nb= sp;skype:danyork
Phone: = +1-802-735-1624
Twitter - http://twitter.com/danyork

= --Apple-Mail=_49A48A22-03FE-457B-BBAC-5323D983AA70--