Great Dane – a multi-cert capable bulk downloading DANE-EE TLSA RR generator

Great Dane 0.2.1 at work.

About

Great Dane generates DANE-EE TLSA resource records, to be published in DNSSEC-signed DNS zones, from the certificates it downloads directly from the TLS services themselves.

The software is multi-cert and multi-home capable: rather than taking only the first certificate a server offers, it actively requests EC as well as RSA and DSA certificates from every IP address the hostname resolves to, extracts the public keys and generates a separate RR for each of them.

It works in bulk, scanning multiple hostnames and/or TCP ports in one run. STARTTLS is available for any protocol OpenSSL supports (the mode names are those of openssl s_client -starttls).
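The following POSIX shell script is an added example and not Great Dane's own code. It shows the record construction the tool automates: take the SubjectPublicKeyInfo out of a certificate, hash it, and print a usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256) record under _port._tcp.host. Those three parameters, the hypothetical function names, and the use of glibc's getent ahosts for address resolution are assumptions. fetch_leaf_cert and scan_host need network access and are not exercised by the offline demonstration, which instead builds a throwaway EC key with two self-signed certificates to show why hashing the key rather than the whole certificate is the robust choice. Unlike the tool, scan_host only negotiates the server's preferred certificate per address; it does not force EC, RSA and DSA separately.

```shell
#!/bin/sh
# Added example (not Great Dane's own code): derive DANE-EE TLSA records from
# certificates with plain openssl, the way the tool does. Usage 3 (DANE-EE),
# selector 1 (SubjectPublicKeyInfo) and matching type 1 (SHA-256) are assumed;
# a "3 0 1" record over the whole certificate is computed alongside for contrast.
set -eu

# Hex SHA-256 of the SubjectPublicKeyInfo of the PEM certificate read from stdin.
spki_sha256() {
  openssl x509 -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | sed 's/^.*= //'
}

# Hex SHA-256 of the complete DER certificate read from stdin (selector 0).
cert_sha256() {
  openssl x509 -outform DER | openssl dgst -sha256 | sed 's/^.*= //'
}

# tlsa_rr HOST PORT SELECTOR HEX  ->  "_PORT._tcp.host. IN TLSA 3 SELECTOR 1 HEX"
# The owner name is lower-cased here, which is the case the tool itself requires.
tlsa_rr() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  printf '_%s._tcp.%s. IN TLSA 3 %s 1 %s\n' "$2" "$host" "$3" "$4"
}

# Leaf certificate of a live service, optionally after STARTTLS (protocol names
# as accepted by openssl s_client -starttls). Needs network access; not run below.
fetch_leaf_cert() {  # fetch_leaf_cert HOST IP PORT [STARTTLS_PROTO]
  case $2 in *:*) target="[$2]:$3" ;; *) target="$2:$3" ;; esac
  if [ -n "${4:-}" ]; then
    openssl s_client -connect "$target" -servername "$1" -starttls "$4" </dev/null 2>/dev/null
  else
    openssl s_client -connect "$target" -servername "$1" </dev/null 2>/dev/null
  fi | openssl x509
}

# Multi-home scan: one record per distinct key over all A/AAAA addresses of HOST
# (getent ahosts is glibc-specific). Unlike the tool, this only negotiates the
# server's preferred certificate per address rather than forcing EC/RSA/DSA.
scan_host() {  # scan_host HOST PORT [STARTTLS_PROTO]
  getent ahosts "$1" | awk '{print $1}' | sort -u \
    | while read -r ip; do fetch_leaf_cert "$1" "$ip" "$2" "${3:-}" | spki_sha256; done \
    | sort -u | while read -r hex; do tlsa_rr "$1" "$2" 1 "$hex"; done
}

# --- offline demonstration with constructed key material (no network) ---
# One EC key and two self-signed certificates for it, standing in for a
# certificate renewal that keeps the key: the 3 1 1 records stay identical,
# the 3 0 1 records change.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
openssl ecparam -name prime256v1 -genkey -noout -out "$workdir/key.pem"
for n in 1 2; do
  openssl req -new -x509 -key "$workdir/key.pem" -subj "/CN=mail.example.org" \
    -days "$n" -out "$workdir/cert$n.pem" 2>/dev/null
  tlsa_rr mail.example.org 25 1 "$(spki_sha256 < "$workdir/cert$n.pem")"
  tlsa_rr mail.example.org 25 0 "$(cert_sha256 < "$workdir/cert$n.pem")"
done
```

The demonstration prints four records; the two 3 1 1 lines are identical while the two 3 0 1 lines differ, which is why a renewal that keeps the key needs no DNS change with SPKI-based records. The flip side is that a key rollover does change the 3 1 1 digest, so the new record must be published (and the old one kept until the TTL has expired) before the new key goes live.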

Examples

$ greatdane mail.example.org 25,110,143,465,587,993,995,4190

Generate DANE-EE RRs for the SMTP, POP3, IMAP, SMTPS, Submission, IMAPS, POP3S and Sieve services on host mail.example.org.

$ greatdane "example.org www.example.org example.com www.example.com" 443

Generate DANE-EE RRs for the HTTPS service on hosts example.org, www.example.org, example.com and www.example.com.

$ greatdane mx.example.net "25 2525" smtp

Generate DANE-EE RRs for the services on ports 25 and 2525 on host mx.example.net using STARTTLS mode smtp.

Known issues

  • Great Dane requires all hostnames to be given in lower case; the input still needs to be lower-cased internally (bash ${str,,}).
  • Only one connection per hostname was established, even where the hostname resolves to several IP addresses, which may serve different certificates with different public keys. Resolved: supported since version 0.3. Note that to scan both IPv4 and IPv6 services, Great Dane must run on a system with dual-stack (or fully address-family-mapped) network/Internet access.
  • Support for RSASSA-PSS and DSA certificates is currently untested due to a lack of access to services featuring such certificates. Do you operate a service using a RSASSA-PSS or DSA certificate? Please let me know.
  • Does not work for TLSv1.3-only services. Resolved: Supported since version 0.2.

Building the RPM

$ rpmbuild -tb greatdane-<version>.tar.gz

To build an RPM directly from the source tarball, run rpmbuild -tb (from the rpm-build package) against it.

License

Great Dane is free software under the terms of the MIT License.

Changes

Version 0.2.1 -> 0.3

  • Now scanning all IP addresses (IPv4 and IPv6) associated with a hostname for certificates/public keys.
  • Fixed a typo and the description.

Version 0.2 -> 0.2.1

  • Optimized output.
  • Added progress display.
  • Fixed typos.

Version 0.1 -> 0.2

  • Now works with services offering TLS v1.3 only.
  • Added support for DSA certificates.
  • Relicensed (MIT).
  • Added an RPM spec file so that an RPM can be built directly from the tarball.
  • Added description.
  • Fixed typos.

Downloads

Current release

Older releases