dane_query_tlsa - Linux


Overview

dane_query_tlsa is a command-line tool that queries the Domain Name System (DNS) for Transport Layer Security Authentication (TLSA) records. TLSA records provide a way to verify the identity of a TLS server: the certificate presented by the server is compared against the certificate association data published in the TLSA record by the domain name owner.

Syntax

dane_query_tlsa [options] hostname [hostname2 ...]

Options/Flags

  • -4 or -6: Query for IPv4 or IPv6 records respectively (default: both)
  • -t servicename: Query for a specific TLSA service (default: tls)
  • -m mechanism: Query for a specific TLSA mechanism (default: all)
  • -s selector: Query for a specific TLSA selector (default: 0)
  • -v: Verbose output

Examples

Simple usage:

dane_query_tlsa google.com

Query for IPv6 records:

dane_query_tlsa -6 google.com

Query for a specific service and mechanism:

dane_query_tlsa -t mail -m sha256 google.com

Common Issues

  • No TLSA records found: The domain name may not have published TLSA records.
  • Multiple TLSA records found: The server may support multiple certificates.
  • Certificate does not match TLSA record: The server may be using a certificate that is not authorized by the TLSA record.

Integration

dane_query_tlsa can be used in scripts to automate TLS certificate verification. For example, the following script checks if a certificate is authorized by a TLSA record:

#!/bin/bash
# Usage: check_tlsa.sh hostname [cert.pem]
# Compares the SHA-256 fingerprint of a local certificate (full DER certificate,
# i.e. TLSA selector 0 / matching type 1) against the TLSA records for hostname.
set -euo pipefail

hostname=${1:?usage: $0 hostname [cert.pem]}
cert=${2:-cert.pem}

# Query for TLSA records
tlsa_records=$(dane_query_tlsa "$hostname")

# Extract the certificate association data from the records (assumed to be the
# second whitespace-separated field of each output line), normalised to
# lowercase hex without colon separators so it can be compared byte-for-byte
fingerprints=$(printf '%s\n' "$tlsa_records" | awk '{print $2}' | tr -d ':' | tr 'A-Z' 'a-z')

# SHA-256 fingerprint of the local certificate in the same normalised form
# (openssl defaults to SHA-1, which TLSA does not use)
certificate_fingerprint=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':' | tr 'A-Z' 'a-z')

# Check if the certificate is authorized by any of the TLSA records
# (exact whole-line match, not a substring or regex match)
if printf '%s\n' "$fingerprints" | grep -qxF "$certificate_fingerprint"; then
  echo "Certificate is authorized by a TLSA record"
else
  echo "Certificate is not authorized by a TLSA record"
  exit 1
fi
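The script above only handles one combination of selector and matching type. The following Python example, added here and not part of the original page or of the dane_query_tlsa tool, shows the general comparison that DANE defines in RFC 6698: the certificate association data is either the full DER certificate (selector 0) or its SubjectPublicKeyInfo (selector 1), taken raw (matching type 0) or hashed with SHA-256 (1) or SHA-512 (2), and then compared with the data field of the TLSA record. It uses only the standard library; the minimal DER encoder/decoder and the constructed, non-real certificate blob are assumptions made for the example, and the usage field is parsed but chain-building semantics for usage values 0 to 3 are not evaluated.

```python
"""Compute and compare DANE TLSA certificate association data (RFC 6698)."""
import hashlib


# --- minimal DER helpers (written for this example, not a general ASN.1 library) ---
def der_tlv(tag, body):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + n], start + n


def der_children(body):
    """Split a constructed value into its child TLVs (full TLV bytes kept)."""
    out, pos = [], 0
    while pos < len(body):
        _, _, nxt = der_read(body, pos)
        out.append(body[pos:nxt])
        pos = nxt
    return out


def extract_spki(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert_body, _ = der_read(cert_der)          # Certificate ::= SEQUENCE
    _, tbs_body, _ = der_read(der_children(cert_body)[0])  # TBSCertificate
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                      # optional version [0] EXPLICIT
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]


# --- TLSA logic ---
def tlsa_assoc_data(cert_der, selector, matching_type):
    """Certificate association data for the given selector / matching type."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown TLSA matching type %r" % matching_type)


def tlsa_record(cert_der, usage, selector, matching_type):
    """Render the presentation form 'usage selector mtype hex' for publishing."""
    return "%d %d %d %s" % (usage, selector, matching_type,
                            tlsa_assoc_data(cert_der, selector, matching_type).hex())


def parse_tlsa(presentation):
    """Parse 'usage selector mtype hex...' (hex may be split across words)."""
    usage, sel, mt, *hexparts = presentation.split()
    return int(usage), int(sel), int(mt), bytes.fromhex("".join(hexparts))


def cert_matches_tlsa(cert_der, presentation):
    """True if cert_der matches the record's association data (constant-time compare)."""
    _usage, sel, mt, assoc = parse_tlsa(presentation)
    import hmac
    return hmac.compare_digest(tlsa_assoc_data(cert_der, sel, mt), assoc)


def constructed_cert():
    """A minimal X.509-shaped DER blob, constructed for this example (not a real, signed certificate)."""
    ec_pubkey_oid = der_tlv(0x06, bytes.fromhex("2a8648ce3d0201"))        # 1.2.840.10045.2.1
    ecdsa_sha256_oid = der_tlv(0x06, bytes.fromhex("2a8648ce3d040302"))   # 1.2.840.10045.4.3.2
    spki = der_tlv(0x30, der_tlv(0x30, ec_pubkey_oid)
                   + der_tlv(0x03, b"\x00\x04" + b"\x11" * 64))           # dummy point
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02"))                    # version v3
                  + der_tlv(0x02, b"\x01")                                 # serialNumber
                  + der_tlv(0x30, ecdsa_sha256_oid)                        # signature
                  + der_tlv(0x30, b"")                                     # issuer (empty)
                  + der_tlv(0x30, der_tlv(0x17, b"240101000000Z")
                            + der_tlv(0x17, b"250101000000Z"))             # validity
                  + der_tlv(0x30, b"")                                     # subject (empty)
                  + spki)
    return der_tlv(0x30, tbs + der_tlv(0x30, ecdsa_sha256_oid) + der_tlv(0x03, b"\x00"))


if __name__ == "__main__":
    cert = constructed_cert()
    rec = tlsa_record(cert, 3, 1, 1)              # DANE-EE, SPKI, SHA-256
    print(rec, cert_matches_tlsa(cert, rec))
```

For a real deployment the DER bytes come from the certificate the server actually presents (for example `openssl x509 -outform DER`), and the record is the one returned by dane_query_tlsa; the selector and matching type in the record decide which of the six association-data forms has to be computed, which is why a single hard-coded fingerprint comparison is not enough.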

Related Commands

  • dig: A general purpose DNS query tool
  • openssl: A command-line tool for handling TLS certificates
  • tlsa: A command-line tool for managing TLSA records

Refer to your system’s documentation or specific package manager for detailed information regarding tool availability and installation, as these commands may have varying levels of support and availability across different platforms.