A Python script to conduct surveys of DNS TLSA records.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE
README.md
dnssec_tlsa_zone_num.py
get_serv_cert.sh
requirements.txt
tlsa_survey.py
tlsa_survey.sh

README.md

This is a set of scripts written to conduct surveys of TLSA records in the DNS.

This code was initially written and developed by Liang Zhu of UCS/ISI and Duane Wessels of Verisign Labs.

Dependencies:

- Python
- sqlite3
- dnspython

Usage:

$ sh tlsa_survey.sh list-of-domains name-server

Where list-of-domains is a text file containing domains to be tested
for the presence of TLSA records and name-server is a resolver DNS server name or IP.

Operation:

For each input domain, the script issues queries for names most
likely to have associated TLSA records.  These include:

# https
_443._tcp.$domain
_443._tcp.www.$domain

# smtp if $domain has MX record
_25._tcp.mxname($domain)
_587._tcp.mxname($domain)
_465._tcp.mxname($domain)

# smtp without MX record
_25._tcp.$domain
_587._tcp.$domain
_465._tcp.$domain

# jabber/xmpp if $domain has SRV record
srvname(_xmpp-client._tcp.$domain)
srvname(_xmpp-server._tcp.$domain)

# jabber/xmpp without SRV record
_5222._tcp.jabber.$domain
_5269._tcp.jabber.$domain
_5222._tcp.xmpp.$domain
_5269._tcp.xmpp.$domain

Results of the survey are placed into an sqlite3 database.

Validation:

This code validates if the TLSA record matches the certificate
received from server based on the cert usage, selector and
matching type in TLSA records. (Usage 0 is not verified since it
may constrain the PKIX validation to a specific CA)

This code does not validate the certificate through PKIX
certificate chains, for example,
* no attempt is made to verify the integrity of the certificate chain
* no checks on hostname in the certificate
* no checks are made against any public CA
* no checks on certificate expiration

References:

The tlsa-survey tool (aka PryDane) is described in "Measuring DANE
TLSA Deployment" by Liang Zhu, Duane Wessels, Allison Mankin, and
John Heidemann, presented at the TMA 2015 workshop in Barcelona
(http://tma-2015.cba.upc.edu/tma15-program)