dane_query_to_raw_tlsa - Linux


Overview

dane_query_to_raw_tlsa extracts raw Transport Layer Security Association (TLSA) records from a Domain Name System (DNS) response; these are the records that DNS-based Authentication of Named Entities (DANE) uses to bind a certificate or public key to a service name. It is a tool for verifying the authenticity of certificates used in TLS connections.

Syntax

dane_query_to_raw_tlsa [-h] [-v] [-s] [-t] [-q] [-e] [-E] [-f FILE]
[-d DOMAIN] [-p PORT] [-n NAME] [-i IP] [-c CLASS] [-T TYPE] [-H]

Options/Flags

  • -h, --help: Show this help message and exit
  • -v, --verbose: Enable verbose output
  • -s, --show-queries: Print DNS queries and responses
  • -t, --truncate-dns: Truncate DNS responses to remove trailing data
  • -q, --quick-mode: Skip SOA and TXT record validation
  • -e, --exact-name: Perform strict name matching
  • -E, --exact-ip: Perform strict IP address matching
  • -f FILE, --output-file FILE: Save raw TLSA records to a file
  • -d DOMAIN, --domain DOMAIN: Query a specific domain, defaults to dns.example.com
  • -p PORT, --port PORT: Use a custom DNS port, defaults to 53
  • -n NAME, --name NAME: Query a specific name, defaults to _acme-tlsa
  • -i IP, --ip-address IP: Use a custom DNS server IP address
  • -c CLASS, --class CLASS: DNS record class, defaults to IN
  • -T TYPE, --type TYPE: DNS record type, defaults to TLSA
  • -H, --header: Include the DNS header in the output

Examples

Simple Query:

$ dane_query_to_raw_tlsa
Raw TLSA record:
tlsa.dns.example.com. 3600 IN TLSA 3 1 1 57CA7898629395F85AF14072E1570D4D9724205C957A4F85D736497021411EE2859140A153B05499B500215B891E0B89256A4420E6893F18A9A1C85F8C6167CA8

Save Output to File:

$ dane_query_to_raw_tlsa -f output.txt

Parse TLSA Record:

$ dane_query_to_raw_tlsa | openssl x509 -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            10:16:8:0:0:8:221:169:178:130:146:12:15:148:145:220:10
            8:79:158:106
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=US, ST=California, L=Mountain View, O=Google Inc, CN=Google Internet Authority
    Validity
        Not Before: Jan  1 00:00:00 2018 GMT
        Not After : Dec 31 23:59:59 2018 GMT
    Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=example.com
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
        RSA Public Key: (2048 bit)
            Modulus:
                00:c5:5d:99:3c:8a:7e:69:05:a3:5c:51:0b:f0:e3:
                2b:6d:ca:28:10:f8:73:b2:ca:9a:e6:85:76:9d:38:
                8c:d1:63:c7:39:02:a2:a6:4c:fa:fc:68:8d:89:2c:
                e9:d2:e3:6f:71:37:fb:73:b0:50:f8:4f:d0:34:9c:
                55:5a:53:6d:b9:fa:5c:29:dd:5a:1d:57:d1:8f:31:
                6e:23:37:1b:6b:49:a8:b2:3b:0f:56:6a:90:90:6e:
                e8:cc:76:74:f1:0f:27:b2:8b:4e:65:23:8e:fb:96:
                42:dc:5a:82:dd:c4:a5:de:96:1d:46:cb:e9:9b:6c:
                2f:3b:55:8f:a4:a3:3a:c4:47:79:5f:11:78:ac:20:
                18:0f:21:f2:6f:92:f2:ff:96:6b:66:1e:19:09:80:
                b0:71:37:59:02:34:5a:55:04:65:63:94:6e:3c:18:
                50:b5:39:87:cc:3c:5c:d4:4c:9d:29:f5:68:34:eb:
                31:3e:5f:95:ec:36:fa:49:18:43:1f:c4:39:36:fd:
                15:20:ef:45:13:36:55:b1:f3:91:d2:01:1f:2f:33:
                15:d2:63:4f:ae:9a:77:1f:77:09:65:0a:02:43:1f:
                d7:2d:e3:cb:e4:a9:4c:88:39:68:97:3f:21:de:91:
                d5:55:f0:ff:c6:1d:b5:84:c6:f6:5d:26:48:85:82:
                54:5c:fc:17:03:c9:47:df:1d:65:3b:d7:cb:cb:4f:
                4b
            Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
        09:a6:65:46:d0:10:8c:9f:56:43:4b:3f:9d:5c:64:80:00:c2:
        ee:e6:05:06:a4:ea:95:c2:a7:93:3e:41:a4:3f:d2:6d:0a:eb:
        8b:28:34:5a:73:43:09:23:35:1c:c3:d0:ce:09:7a:17:84:b9:
        37:0f:7b:d9:d6:5d:10:46:49:f9:51:82:9e:4d:02:64:8a:d0:
        8e:62:f6:06:1f:39:f1:c3:9a:fb:b3:c3:83:c2:61:54:77:e2:
        2b:89:17:b4:46
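The following is an added example, not part of this page and not code from the dane_query_to_raw_tlsa tool: a small Python parser for the TLSA presentation format that the Simple Query example prints, together with the checks a practitioner applies before trusting a record. RFC 6698 defines the four RDATA fields (certificate usage, selector, matching type, certificate association data); for a hashed matching type the data must be exactly one digest long, 32 bytes (64 hex characters) for SHA2-256 and 64 bytes (128 hex characters) for SHA2-512. The owner name, TTL and the certificate and SubjectPublicKeyInfo bytes below are constructed sample values, not real key material.

```python
import hashlib
from dataclasses import dataclass

# Field values defined by RFC 6698 for the TLSA RDATA.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING_TYPES = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
# Exact byte length the association data must have for hashed matching types.
DIGEST_LENGTHS = {1: 32, 2: 64}


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    assoc_data: bytes


def parse_tlsa_rdata(rdata: str) -> TLSARecord:
    """Parse the presentation form 'usage selector matching_type hexdata'.

    Rejects unknown field values, non-hex or odd-length data, and hashed
    records whose data is not exactly one digest long."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type and data")
    usage, selector, matching_type = (int(f) for f in fields[:3])
    if usage not in USAGES:
        raise ValueError(f"unknown certificate usage {usage}")
    if selector not in SELECTORS:
        raise ValueError(f"unknown selector {selector}")
    if matching_type not in MATCHING_TYPES:
        raise ValueError(f"unknown matching type {matching_type}")
    # Zone files may split the hex data across whitespace; rejoin it first.
    # bytes.fromhex() raises ValueError on non-hex characters or odd length.
    assoc_data = bytes.fromhex("".join(fields[3:]))
    expected = DIGEST_LENGTHS.get(matching_type)
    if expected is not None and len(assoc_data) != expected:
        raise ValueError(f"{MATCHING_TYPES[matching_type]} data must be "
                         f"{expected} bytes, got {len(assoc_data)}")
    return TLSARecord(usage, selector, matching_type, assoc_data)


def tlsa_rdata_is_valid(rdata: str) -> bool:
    """True if the rdata parses and satisfies the field and length rules."""
    try:
        parse_tlsa_rdata(rdata)
    except ValueError:
        return False
    return True


def parse_tlsa_rr(line: str) -> tuple[str, int, TLSARecord]:
    """Parse one zone-file style line: '<owner> <ttl> IN TLSA <rdata>'."""
    owner, ttl, rclass, rtype, rdata = line.split(None, 4)
    if rclass != "IN" or rtype != "TLSA":
        raise ValueError(f"not an IN TLSA record: {rclass} {rtype}")
    return owner, int(ttl), parse_tlsa_rdata(rdata)


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Apply the selector and matching type to the presented certificate.

    The certificate usage is not decided here; it governs how a match feeds
    into PKIX path validation (trust anchor vs end entity)."""
    selected = cert_der if record.selector == 0 else spki_der
    if record.matching_type == 0:
        return selected == record.assoc_data
    digest = hashlib.sha256 if record.matching_type == 1 else hashlib.sha512
    return digest(selected).digest() == record.assoc_data


# Constructed sample material: stand-ins for a DER certificate and its
# SubjectPublicKeyInfo, not real keys.
SAMPLE_CERT_DER = b"\x30\x82constructed-cert-der-stand-in"
SAMPLE_SPKI_DER = b"\x30\x82constructed-spki-der-stand-in"

# Constructed zone line: DANE-EE (3), SPKI (1), SHA2-256 (1), published for
# the sample SPKI above.
SAMPLE_RR = ("_443._tcp.mail.example.net. 3600 IN TLSA 3 1 1 "
             + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest())


def check_sample() -> bool:
    """Parse the constructed record and confirm it matches the sample SPKI."""
    owner, ttl, record = parse_tlsa_rr(SAMPLE_RR)
    return (owner.startswith("_443._tcp.") and ttl == 3600
            and tlsa_matches(record, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))


if __name__ == "__main__":
    owner, ttl, rec = parse_tlsa_rr(SAMPLE_RR)
    print(owner, ttl, USAGES[rec.usage], SELECTORS[rec.selector],
          MATCHING_TYPES[rec.matching_type], rec.assoc_data.hex())
    print("matches presented SPKI:", check_sample())
```

Run the record printed by the tool through tlsa_rdata_is_valid() before relying on it: a "3 1 1" record whose data is not 64 hex characters cannot be a SHA-256 digest and should be treated as a retrieval or transcription error rather than verified against. For a live check against a server, OpenSSL's s_client accepts a validated record directly through its -dane_tlsa_domain and -dane_tlsa_rrdata options.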