This is a set of scripts written to conduct surveys of TLSA records in the DNS.
This code was initially written and developed by Liang Zhu of UCS/ISI and Duane Wessels of Verisign Labs.
- Python - sqlite3 - dnspython
$ sh tlsa_survey.sh list-of-domains name-server Where list-of-domains is a text file containing domains to be tested for the presence of TLSA records and name-server is a resolver DNS server name or IP.
For each input domain, the script issues queries for names most likely to have associated TLSA records. These include: # https _443._tcp.$domain _443._tcp.www.$domain # smtp if $domain has MX record _25._tcp.mxname($domain) _587._tcp.mxname($domain) _465._tcp.mxname($domain) # smtp without MX record _25._tcp.$domain _587._tcp.$domain _465._tcp.$domain # jabber/xmpp if $domain has SRV record srvname(_xmpp-client._tcp.$domain) srvname(_xmpp-server._tcp.$domain) # jabber/xmpp without SRV record _5222._tcp.jabber.$domain _5269._tcp.jabber.$domain _5222._tcp.xmpp.$domain _5269._tcp.xmpp.$domain Results of the survey are placed into an sqlite3 database.
This code validates if the TLSA record matches the certificate received from server based on the cert usage, selector and matching type in TLSA records. (Usage 0 is not verified since it may constrain the PKIX validation to a specific CA) This code does not validate the certificate through PKIX certificate chains, for example, * no attempt is made to verify the integrity of the certificate chain * no checks on hostname in the certificate * no checks are made against any public CA * no checks on certificate expiration
The tlsa-survey tool (aka PryDane) is described in "Measuring DANE TLSA Deployment" by Liang Zhu, Duane Wessels, Allison Mankin, and John Heidemann, presented at the TMA 2015 workshop in Barcelona (http://tma-2015.cba.upc.edu/tma15-program)