
About
Great Dane generates DANE-EE TLSA resource records to be published in DNSSEC-enabled DNS zones, from certificates directly downloaded via TLS services.
The software is multi-cert and multi-home capable, so it will not just download the first certificate supplied, but will actively download EC as well as RSA and DSA certificates from all IP addresses a hostname is associated with, extract the public keys and generate separate RRs for them.
It can work in bulk by scanning multiple hostnames and/or TCP ports at once. STARTTLS is available for any service supported by OpenSSL.
Examples
$ greatdane mail.example.org 25,110,143,465,587,993,995,4190
Generate DANE-EE RRs for the SMTP, POP3, IMAP, SMTPS, Submission, IMAPS, POP3S and Sieve services on host mail.example.org.
$ greatdane "example.org www.example.org example.com www.example.com" 443
Generate DANE-EE RRs for the HTTPS service on hosts example.org, www.example.org, example.com and www.example.com.
$ greatdane mx.example.net "25 2525" smtp
Generate DANE-EE RRs for the services on ports 25 and 2525 on host mx.example.net using STARTTLS mode smtp.
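The following is an added, stand-alone illustration of what the tool does with each downloaded certificate (it is not Great Dane's own code): it pulls the SubjectPublicKeyInfo out of a DER certificate, hashes it, and formats a DANE-EE TLSA RR (usage 3, selector 1, matching type 1 by default). Rather than connecting to a TLS service, it builds a minimal constructed DER certificate around a dummy RSA SubjectPublicKeyInfo so it runs offline; the DER helpers, the sample certificate and the records_for bulk helper are all assumptions made for this example. It also handles the v1 certificate layout, where the optional [0] version field is absent.

```python
import hashlib

# --- Minimal DER helpers (written for this example; no external library) ---

def der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    """Wrap body in a DER tag-length-value."""
    return bytes([tag]) + der_len(len(body)) + body

def parse_tlv(buf, pos=0):
    """Decode one TLV at buf[pos]; return (tag, value, position after the TLV)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split a constructed value into its raw child TLVs as (tag, raw_bytes)."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, nxt = parse_tlv(body, pos)
        out.append((tag, body[pos:nxt]))
        pos = nxt
    return out

# --- Sample certificate (constructed; dummy key and signature bits, not a real key) ---

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")    # 1.2.840.113549.1.1.1
SHA256_WITH_RSA_OID = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11

# SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING subjectPublicKey }
SAMPLE_SPKI = tlv(0x30,
    tlv(0x30, tlv(0x06, RSA_ENCRYPTION_OID) + tlv(0x05, b""))
    + tlv(0x03, b"\x00" + bytes(range(32))))                # dummy key bits

def build_sample_cert(with_version=True):
    """Build a minimal X.509-shaped DER certificate around SAMPLE_SPKI.
    with_version=False gives the v1 layout, where the [0] version field is absent."""
    version = tlv(0xA0, tlv(0x02, b"\x02"))                # [0] EXPLICIT INTEGER 2 (v3)
    serial = tlv(0x02, b"\x01")
    sig_alg = tlv(0x30, tlv(0x06, SHA256_WITH_RSA_OID) + tlv(0x05, b""))
    name = tlv(0x30, b"")                                   # empty Name is enough here
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    tbs = tlv(0x30, (version if with_version else b"") + serial + sig_alg
              + name + validity + name + SAMPLE_SPKI)
    signature = tlv(0x03, b"\x00" + b"\x00" * 16)           # dummy signature
    return tlv(0x30, tbs + sig_alg + signature)

# --- DANE-EE TLSA generation ---

def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo DER from a certificate (what selector 1 covers)."""
    tag, cert_body, _ = parse_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_body, _ = parse_tlv(cert_body)      # tbsCertificate is the first element
    fields = children(tbs_body)
    # tbsCertificate: [version] serial signature issuer validity subject subjectPublicKeyInfo ...
    idx = 6 if fields[0][0] == 0xA0 else 5     # version is OPTIONAL (absent in v1 certs)
    return fields[idx][1]

def assoc_data(data, mtype):
    """Certificate association data for matching type 0 (full), 1 (SHA-256), 2 (SHA-512)."""
    if mtype == 0:
        return data.hex()
    if mtype == 1:
        return hashlib.sha256(data).hexdigest()
    if mtype == 2:
        return hashlib.sha512(data).hexdigest()
    raise ValueError("unknown matching type")

def tlsa_record(host, port, cert_der, proto="tcp", usage=3, selector=1, mtype=1):
    """Format one TLSA RR. Defaults give DANE-EE (3), SPKI (1), SHA-256 (1)."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    owner = f"_{port}._{proto}.{host.lower().rstrip('.')}."
    return f"{owner} IN TLSA {usage} {selector} {mtype} {assoc_data(data, mtype)}"

def records_for(host, ports, certs):
    """Bulk mode: one RR per (port, certificate), like scanning several ports at once."""
    return [tlsa_record(host, p, c) for p in ports for c in certs]

if __name__ == "__main__":
    for rr in records_for("mail.example.org", [25, 465, 587], [build_sample_cert()]):
        print(rr)
```

Because selector 1 hashes only the SubjectPublicKeyInfo, a certificate renewal that keeps the same key pair leaves the published RR valid; a key rollover needs the new RR published (and the old one kept) before the new certificate goes live.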
Known issues
- Great Dane requires all hostnames to be lower case; the ${str,,} expansion still needs to be added.
- Currently only one connection per hostname is established, even if the hostname resolves to multiple IP addresses, which could theoretically host different certificates issued to different public keys. Resolved: supported since version 0.3. Of course, to scan both IPv4 and IPv6 services, Great Dane needs to be executed on a system with dual-stacked or fully address-family-mapped network/Internet access.
- Support for RSASSA-PSS and DSA certificates is currently untested due to a lack of access to services featuring such certificates. Do you operate a service using an RSASSA-PSS or DSA certificate? Please let me know.
- Does not work for TLSv1.3-only services. Resolved: supported since version 0.2.
Building the RPM
To build an RPM from the source tarball, use rpmbuild -tb from the rpm-build package:
$ rpmbuild -tb greatdane-<version>.tar.gz
License
Great Dane is free software under the terms of the MIT License.
Changes
Version 0.2.1 -> 0.3
- Now scanning all IP addresses (IPv4 and IPv6) associated with a hostname for certificates/public keys.
- Fixed typo and description.
Version 0.2 -> 0.2.1
- Optimized output.
- Added progress display.
- Fixed typos.
Version 0.1 -> 0.2
- Now works with services offering TLS v1.3 only.
- Added support for DSA certificates.
- Relicensed (MIT).
- Added RPM specfile allowing to build RPM directly from tarball.
- Added description.
- Fixed typos.