dane_query_to_raw_tlsa - Linux
Overview
dane_query_to_raw_tlsa extracts raw Transport Layer Security Association (TLSA) records from a Domain Name System (DNS) response using DNS-based Authentication of Named Entities (DANE). It is a tool for verifying the authenticity of certificates used in TLS connections.
Syntax
dane_query_to_raw_tlsa [-h] [-v] [-s] [-t] [-q] [-e] [-E] [-f FILE]
[-d DOMAIN] [-p PORT] [-n NAME] [-i IP] [-c CLASS] [-T TYPE] [-H]
Options/Flags
-h, --help
: Show this help message and exit
-v, --verbose
: Enable verbose output
-s, --show-queries
: Print DNS queries and responses
-t, --truncate-dns
: Truncate DNS responses to remove trailing data
-q, --quick-mode
: Skip SOA and TXT record validation
-e, --exact-name
: Perform strict name matching
-E, --exact-ip
: Perform strict IP address matching
-f FILE, --output-file FILE
: Save raw TLSA records to a file
-d DOMAIN, --domain DOMAIN
: Query a specific domain, defaults to dns.example.com
-p PORT, --port PORT
: Use a custom DNS port, defaults to 53
-n NAME, --name NAME
: Query a specific name, defaults to _acme-tlsa
-i IP, --ip-address IP
: Use a custom DNS server IP address
-c CLASS, --class CLASS
: DNS record class, defaults to IN
-T TYPE, --type TYPE
: DNS record type, defaults to TLSA
-H, --header
: Include the DNS header in the output
Examples
Simple Query:
$ dane_query_to_raw_tlsa
Raw TLSA record:
tlsa.dns.example.com. 3600 IN TLSA 3 1 1 57CA7898629395F85AF14072E1570D4D9724205C957A4F85D736497021411EE2859140A153B05499B500215B891E0B89256A4420E6893F18A9A1C85F8C6167CA8
Save Output to File:
$ dane_query_to_raw_tlsa -f output.txt
Parse TLSA Record:
$ dane_query_to_raw_tlsa | openssl x509 -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
10:16:8:0:0:8:221:169:178:130:146:12:15:148:145:220:10
8:79:158:106
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=California, L=Mountain View, O=Google Inc, CN=Google Internet Authority
Validity
Not Before: Jan 1 00:00:00 2018 GMT
Not After : Dec 31 23:59:59 2018 GMT
Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
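
The three numbers before the hex string in a TLSA record line, as printed under Simple Query, are the certificate usage, selector and matching type, and they decide what the hex data must contain. The following is an added example, not part of the tool or the original page: a Python parser for that line format which rejects association data that does not fit the matching type. The names `parse_tlsa` and `matches` and the sample bytes are constructed for illustration.

```python
import hashlib

# Field values from RFC 6698 section 2.1; short names from RFC 7218.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
# Matching type -> (name, required association-data length in bytes)
MATCHING = {0: ("Full", None), 1: ("SHA2-256", 32), 2: ("SHA2-512", 64)}


def parse_tlsa(line):
    """Parse 'owner TTL CLASS TLSA usage selector mtype hex' or raise ValueError."""
    parts = line.split()
    if len(parts) < 8 or parts[3].upper() != "TLSA":
        raise ValueError("not a TLSA record line")
    usage, selector, mtype = (int(p) for p in parts[4:7])
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING:
        raise ValueError("unassigned usage, selector or matching type")
    try:
        # Zone files may split the hex into several whitespace-separated chunks.
        data = bytes.fromhex("".join(parts[7:]))
    except ValueError:
        raise ValueError("association data is not whole hex bytes") from None
    name, want = MATCHING[mtype]
    if want is not None and len(data) != want:
        raise ValueError(f"{name} needs {want} bytes, record has {len(data)}")
    return {"owner": parts[0], "ttl": int(parts[1]), "usage": USAGES[usage],
            "selector": SELECTORS[selector], "matching": name, "data": data}


def matches(record, cert_der, spki_der):
    """True if the record's association data matches the DER bytes given."""
    selected = cert_der if record["selector"] == "Cert" else spki_der
    if record["matching"] == "SHA2-256":
        selected = hashlib.sha256(selected).digest()
    elif record["matching"] == "SHA2-512":
        selected = hashlib.sha512(selected).digest()
    return selected == record["data"]


# Constructed sample: placeholder bytes stand in for a DER-encoded SPKI.
SAMPLE_SPKI = b"constructed SubjectPublicKeyInfo bytes"
SAMPLE_LINE = ("tlsa.dns.example.com. 3600 IN TLSA 3 1 1 "
               + hashlib.sha256(SAMPLE_SPKI).hexdigest().upper())

if __name__ == "__main__":
    rec = parse_tlsa(SAMPLE_LINE)
    print(rec["usage"], rec["selector"], rec["matching"],
          matches(rec, b"", SAMPLE_SPKI))
```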