A tool to create and verify TLSA (DANE) records
Latest commit c410f03 Mar 30, 2015 @pieterlexis Merge pull request #17 from oskar456/starttls
StartTLS support for imap, pop and smtp
contrib A patch for M2Crypto to support SNI. Dec 1, 2012
.gitignore Add a .gitignore file Jan 31, 2012
README Update README Nov 26, 2014
root.key Import from initial devel-repo Jan 24, 2012
swede Add StartTLS support for SMTP, IMAP and POP3 Mar 28, 2015


                         SWEDE - a tool to create and verify TLSA (DANE) records
Swede aims to provide a one-stop solution to create and test TLSA records.

Swede is created as a proof of concept tool (and should be treated as such).

swede is copyright Pieter Lexis <> and is licensed under the
terms of the GNU General Public Licence version 2 or higher.

- Python (>= 2.6)
- python-{unbound, argparse, ipaddr, m2crypto}

swede has been tested on Debian 6 (Squeeze) using the python-unbound package
from squeeze-backports.

- Creation of all 24 permutations of TLSA records
- Output in generic and RFC format
- Ability to load certificates from disk to create records from
- Verify TLSA records 'in the field' with the certificates offered by the TLS
  service running on the server
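
An added example (not swede's own code) showing where the 24 permutations come
from and what the two output formats look like. It assumes "generic" means the
RFC 3597 unknown-record syntax; the function names are hypothetical, and the
certificate and SubjectPublicKeyInfo DER bytes are constructed placeholders
passed in by the caller.

```python
import hashlib
from itertools import product

# RFC 6698 matching types: 0 = full data, 1 = SHA-256, 2 = SHA-512
HASHES = {1: hashlib.sha256, 2: hashlib.sha512}

def association_data(data, mtype):
    """Return the certificate association data for a matching type."""
    if mtype == 0:
        return data
    if mtype not in HASHES:
        raise ValueError("matching type must be 0, 1 or 2")
    return HASHES[mtype](data).digest()

def tlsa_record(host, port, proto, usage, selector, mtype, cert_der, spki_der,
                generic=False):
    """Format one record; selector 0 = full cert, 1 = SubjectPublicKeyInfo."""
    if usage not in range(4) or selector not in (0, 1):
        raise ValueError("usage must be 0-3 and selector 0 or 1")
    assoc = association_data(spki_der if selector else cert_der, mtype)
    owner = "_%d._%s.%s." % (port, proto, host.rstrip("."))
    if generic:
        # RFC 3597 syntax: TYPE52, RDATA length in bytes, then RDATA as hex
        rdata = bytes([usage, selector, mtype]) + assoc
        return "%s IN TYPE52 \\# %d %s" % (owner, len(rdata), rdata.hex())
    return "%s IN TLSA %d %d %d %s" % (owner, usage, selector, mtype,
                                       assoc.hex())

def all_permutations(host, port, proto, cert_der, spki_der, generic=False):
    """4 usages x 2 selectors x 3 matching types = 24 records."""
    return [tlsa_record(host, port, proto, u, s, m, cert_der, spki_der, generic)
            for u, s, m in product(range(4), (0, 1), range(3))]

if __name__ == "__main__":
    # Constructed placeholder bytes standing in for real DER encodings
    CERT = b"constructed-certificate-der"
    SPKI = b"constructed-spki-der"
    for line in all_permutations("www.example.com", 443, "tcp", CERT, SPKI):
        print(line)
```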

See EXAMPLES below and try the following:
swede --help
swede create --help
swede verify --help

                                                                        EXAMPLES
swede create --usage 1 --output rfc
swede --insecure create --usage 0

swede verify -p 1516
swede verify

- Create and verify should check the CN in the Subject of the certificate
- The verification for usage 2 is _VERY_ naive
- Creation tool that does an AXFR for a full zone, collects all hostnames, gets
  the certificates (or the CA certificate from the commandline) and creates all
  TLSA records.
- Test certificates (other than using the functions in M2Crypto) when no chain
  is presented during the TLS session
- Manpage

                                                                      KNOWN BUGS
- swede is mostly untested.
- Not everything that can raise an exception is in a try/except block
- No support for SRV record indirection (see Issue 28 of the DANE-WG)
- No support for TLS/SSL over UDP or SCTP
- No support for STARTTLS type protocols (only 'straight' SSL/TLS connections)
- Important certificate validation bugs are mentioned in the issue tracker: