This is a set of scripts written to conduct surveys of TLSA records in the DNS.
This code was initially written and developed by Liang Zhu of UCS/ISI and Duane Wessels of Verisign Labs.
Dependencies:
- Python
- sqlite3
- dnspython
Usage:
$ sh tlsa_survey.sh list-of-domains name-server
Where list-of-domains is a text file containing domains to be tested
for the presence of TLSA records and name-server is a resolver DNS server name or IP.
Operation:
For each input domain, the script issues queries for names most
likely to have associated TLSA records. These include:
# https
_443._tcp.$domain
_443._tcp.www.$domain
# smtp if $domain has MX record
_25._tcp.mxname($domain)
_587._tcp.mxname($domain)
_465._tcp.mxname($domain)
# smtp without MX record
_25._tcp.$domain
_587._tcp.$domain
_465._tcp.$domain
# jabber/xmpp if $domain has SRV record
srvname(_xmpp-client._tcp.$domain)
srvname(_xmpp-server._tcp.$domain)
# jabber/xmpp without SRV record
_5222._tcp.jabber.$domain
_5269._tcp.jabber.$domain
_5222._tcp.xmpp.$domain
_5269._tcp.xmpp.$domain
Results of the survey are placed into an sqlite3 database.
Validation:
This code validates if the TLSA record matches the certificate
received from server based on the cert usage, selector and
matching type in TLSA records. (Usage 0 is not verified since it
may constrain the PKIX validation to a specific CA)
This code does not validate the certificate through PKIX
certificate chains, for example,
* no attempt is made to verify the integrity of the certificate chain
* no checks on hostname in the certificate
* no checks are made against any public CA
* no checks on certificate expiration
References:
The tlsa-survey tool (aka PryDane) is described in "Measuring DANE
TLSA Deployment" by Liang Zhu, Duane Wessels, Allison Mankin, and
John Heidemann, presented at the TMA 2015 workshop in Barcelona
(http://tma-2015.cba.upc.edu/tma15-program)