Published: Jun 30, 2020 License: GPL-2.0 Imports: 7 Imported by: 0

README


tlsa

Libraries and utilities to work with TLSA DNS RRs

This is a Go package that abstracts a few useful methods to manage DNS TLSA record sets via TSIG-authenticated Dynamic Updates (RFC 2136 updates signed with TSIG, RFC 8945).

import (
	"fmt"

	"github.com/nerdlem/tlsa"
)
   ⋮
// Read a set of TSIG keys (file with well-formed KEY DNS records)
m, err := tlsa.ReadTSIG(tsigKeyFile)
if err != nil {
	panic(fmt.Sprintf("Error processing TSIG key file: %s", err))
}
   ⋮
// Calculate the TLSA certificate signatures (association data) once for a set of
// existing certificate or public key files
pinCerts := []string{"cert1.pem", "cert2.pem", "pubkey1.pem"}
crtSigns, err := tlsa.CertificateSignatures(pinCerts)
if err != nil {
	panic(err)
}
   ⋮
// Names whose TLSA records are to be managed
pinNames := []string{"domain1.example.com", "domain2.example.com"}
   ⋮
// Delete all TLSA records associated with names in the pinNames slice
tlsa.DeleteRRs(pinNames, m)
   ⋮
// Use the TSIG keys in m to pin the certificates whose signatures are in crtSigns
// on all names in pinNames
tlsa.AddRR(pinNames, m, crtSigns)
   ⋮

Installation

To get the package and install the accompanying program, follow these steps:

go get github.com/nerdlem/tlsa
go install github.com/nerdlem/tlsa/tlsafromcert

With module-aware Go (1.16 or later) the second command takes a version suffix: go install github.com/nerdlem/tlsa/tlsafromcert@latest.

Using tlsafromcert to manage TLSA records

For tlsafromcert to work, your DNS zone must accept dynamic updates authenticated with TSIG. On BIND, add a key statement and an update-policy to your configuration:

   ⋮
// This is the TSIG key. It can also live in a separate file pulled in with include. See dnssec-keygen(1)
// for information on generating the key file.
key "lemdotclick-ddns-update" {
  algorithm HMAC-SHA512;
  secret "secret-key-in-Base-64==";
};
   ⋮
// The actual declaration of your zone. The important bits are that this is a master (primary) zone
// and that update-policy lets the key perform dynamic updates.
zone "lem.click" {
  type master;
  file "path-to-your-zone-file";
  update-policy { grant lemdotclick-ddns-update zonesub ANY; };
   ⋮
};

dnssec-keygen also produces a key file. For the example above it would be named Klemdotclick-ddns-update.+165+<nnnn>.key (165 is the dnssec-keygen algorithm number for HMAC-SHA512) and it should contain a single KEY record. tlsafromcert reads this file (the -tsig-file option) to authenticate its updates. Note that recent BIND releases removed HMAC key generation from dnssec-keygen in favour of tsig-keygen, which prints a key {} statement rather than a KEY record file; on such systems the KEY record has to be written in that file format yourself.
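A least-privilege variant of that update-policy, added here by the editor and not taken from the project's README: tlsafromcert only ever adds and deletes TLSA records, so the key can be limited to that type, and a leaked key then cannot rewrite A, MX or NS records in the zone.

```conf
zone "lem.click" {
  type master;
  file "path-to-your-zone-file";
  // Same key as above, but it may only change TLSA records at names under the apex.
  update-policy { grant lemdotclick-ddns-update zonesub TLSA; };
};
```

After changing the policy, run an update with the key and confirm that an A record update is refused (REFUSED) while a TLSA update still succeeds.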

Invoking tlsafromcert

tlsafromcert needs the X.509 certificates or public keys to pin, the TSIG key file to authenticate the request, the address and port of the authoritative name server that accepts the updates, and of course the DNS names of the services you intend to protect with TLSA.

To obtain the server certificate you can use a command such as this:

openssl s_client -showcerts -servername lem.click -connect lem.click:443 </dev/null 2>/dev/null \
    | openssl x509 -outform pem > lem-click.pem

Alternatively, you can capture the public key as follows:

openssl s_client -showcerts -servername lem.click -connect lem.click:443 </dev/null 2>/dev/null \
    | openssl x509 -pubkey -noout -outform pem > lem-click-key.pem

You can of course simply copy the right file from your server, but pulling the certificate from the live web server or other service confirms that what you pin is what is actually being served (openssl x509 keeps only the first certificate in the s_client output, i.e. the leaf). You can check which DNS names are protected by this certificate as follows:

openssl x509 -in lem-click.pem -noout -text | grep DNS:
                DNS:blog.lem.click, DNS:lem.click

The following shows tlsafromcert adding TLSA records for two names protected by the certificate, and dig confirming the result:

$ tlsafromcert -ns ns1.lem.click:53 -names blog.lem.click,lem.click -pin-certs lem-click.pem -tsig-file my-tsig.key
$ dig +short tlsa lem.click @ns1.libertad.link
3 1 2 08AB3⋯C296C0D

In this case a single certificate file was given via the -pin-certs command line flag. Several files can be given separated by commas; one TLSA record per certificate (or public key) is then added to each name. Two things to check before relying on the records: the names are published exactly as given, whereas a DANE client for a TLS service looks the record up under the port and protocol prefix of RFC 6698 section 3 (for HTTPS on lem.click that is _443._tcp.lem.click), so pass the prefixed name when the record is meant for such clients; and DANE clients only use TLSA records that are DNSSEC-validated (RFC 6698 section 4.1), so the zone must be signed and stay signed after each dynamic update.

Clear all TLSA records

The -clear-all command line option instructs tlsafromcert to remove all TLSA records at each of the given names. When -pin-certs is omitted no TLSA records are added, so the names end up with none, as in the following example:

$ tlsafromcert -ns ns1.lem.click:53 -names blog.lem.click,lem.click -tsig-file my-tsig.key -clear-all
$ dig +short tlsa lem.click @ns1.libertad.link
$

Documentation

Overview

Package tlsa provides a set of higher level functions to assist with managing TLSA records.

Index

Constants

This section is empty.

Variables

var MatchingType = uint(3)

MatchingType contains the TLSA Matching Type parameter, to be set before records are computed and added. RFC 6698 defines 0 (exact match), 1 (SHA-256) and 2 (SHA-512); the default of 3 is outside that range, so set it explicitly. This value is of type uint.

var NameServer = "127.0.0.1:53"

NameServer is the global name server (host:port) to which the updates are sent.

var Selector = uint(2)

Selector contains the TLSA Selector parameter, to be set before records are computed and added. RFC 6698 defines 0 (full certificate) and 1 (SubjectPublicKeyInfo); the default of 2 is outside that range, so set it explicitly. This value is of type uint.

var TSIGFUDGE = uint16(300)

TSIGFUDGE contains the TSIG fudge interval: the number of seconds a signature's time stamp may differ from the server's clock before the server rejects it.

var UDPBUFSIZE = uint16(4096)

UDPBUFSIZE contains the UDP payload size advertised with EDNS(0). Defaults to 4096.

var Usage = uint(1)

Usage contains the TLSA Certificate Usage parameter, to be set before records are computed and added. RFC 6698 defines 0 (PKIX-TA), 1 (PKIX-EE), 2 (DANE-TA) and 3 (DANE-EE); the tlsafromcert example above publishes usage 3. This value is of type uint.

Functions

func AddRR

func AddRR(pinNames []string, keys []dns.KEY, crtSigns []string)

AddRR composes a DNS Dynamic Update that adds one or more TLSA RRs. The process is additive, so records can be appended to an existing RRset; that is what a certificate rollover needs: publish the record for the new certificate alongside the old one, switch certificates once the old record's TTL has expired, then drop the old record (RFC 7671 section 8). The update request is signed and sent via the TsigAndSend() helper.

func CertificateSignatures

func CertificateSignatures(certFiles []string) ([]string, error)

CertificateSignatures precalculates, for each pinned certificate or public key file, the TLSA association data (called a signature throughout this package: the certificate or its SubjectPublicKeyInfo, hashed as Selector and MatchingType dictate). Computing them once means the files need not be re-read for every name, as the underlying functions in the dns library would require.

func DeleteRRs

func DeleteRRs(pinNames []string, keys []dns.KEY)

DeleteRRs composes a DNS Dynamic Update that deletes all TLSA RRs at each of the given names, which can be used to wipe the TLSA RRsets clean. Uses the TsigAndSend() helper to send the update to the global name server for processing.

func GetCertificate

func GetCertificate(certificateFile string) (*x509.Certificate, error)

GetCertificate reads a PEM encoded certificate file or public key.

When fed a PEM encoded certificate, the x509.Certificate object is returned. If fed a public key in PEM format, a pseudo x509.Certificate is returned, with only the public key field populated. This is enough to calculate the TLSA signature.

An error is returned when the file cannot be read, or when it contains neither a certificate nor a public key.
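Added example (editor's code, not part of the tlsa package): the computation behind the README's "3 1 2 <hex>" record and the GetCertificate and CertificateSignatures descriptions above, done with the Go standard library only. LoadCertOrKey, TLSAData, MatchesTLSA and SelfSignedPEM are names chosen here, not package API, and the certificate is generated in-process as constructed input rather than read from lem-click.pem. MatchesTLSA is the check to run after publishing: feed it the record dig returns and the certificate the live server presents (the openssl s_client output in the README) and confirm they agree before relying on DANE.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
)

// LoadCertOrKey does what the page describes for GetCertificate: a CERTIFICATE block gives the
// parsed certificate, a PUBLIC KEY block a certificate value with only PublicKey populated.
func LoadCertOrKey(pemData []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemData)
	if block != nil && block.Type == "CERTIFICATE" {
		return x509.ParseCertificate(block.Bytes)
	}
	if block != nil && block.Type == "PUBLIC KEY" {
		pub, err := x509.ParsePKIXPublicKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		return &x509.Certificate{PublicKey: pub}, nil
	}
	return nil, fmt.Errorf("expected a PEM CERTIFICATE or PUBLIC KEY block")
}

// TLSAData computes the certificate association data of RFC 6698 section 2.1: selector 0 covers the
// DER certificate, 1 its SubjectPublicKeyInfo; matching type 0 is the raw data, 1 SHA-256, 2 SHA-512.
func TLSAData(cert *x509.Certificate, selector, mtype uint8) ([]byte, error) {
	if selector > 1 || mtype > 2 {
		return nil, fmt.Errorf("selector %d / matching type %d not defined by RFC 6698", selector, mtype)
	}
	subject := cert.Raw
	if selector == 1 {
		spki, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
		if err != nil {
			return nil, err
		}
		subject = spki
	} else if len(subject) == 0 { // a bare public key (GetCertificate's pseudo certificate) has no DER
		return nil, fmt.Errorf("selector 0 needs the full certificate, not just its public key")
	}
	switch mtype {
	case 1:
		sum := sha256.Sum256(subject)
		return sum[:], nil
	case 2:
		sum := sha512.Sum512(subject)
		return sum[:], nil
	}
	return subject, nil
}

// MatchesTLSA parses a record as `dig +short tlsa` prints it ("3 1 2 <hex>") and reports whether the
// certificate's association data equals the published one. The usage field (3 = DANE-EE) only
// governs chain validation, so it is parsed but not needed for the comparison.
func MatchesTLSA(record string, cert *x509.Certificate) (bool, error) {
	var usage, selector, mtype uint8
	var hexData string
	if _, err := fmt.Sscanf(record, "%d %d %d %s", &usage, &selector, &mtype, &hexData); err != nil {
		return false, fmt.Errorf("want 'usage selector mtype hexdata', got %q: %v", record, err)
	}
	got, err := TLSAData(cert, selector, mtype)
	if err != nil {
		return false, err
	}
	return strings.EqualFold(hex.EncodeToString(got), hexData), nil
}

// SelfSignedPEM builds a throwaway certificate (constructed input, not a lem.click certificate) and
// returns it as certificate PEM and public-key PEM, the two file kinds the openssl commands produce.
func SelfSignedPEM() (certPEM, keyPEM []byte, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"lem.click", "blog.lem.click"}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, nil, err
	}
	spki, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: spki}), nil
}

func main() {
	certPEM, keyPEM, err := SelfSignedPEM()
	if err != nil {
		panic(err)
	}
	cert, _ := LoadCertOrKey(certPEM)
	key, _ := LoadCertOrKey(keyPEM)
	data, _ := TLSAData(cert, 1, 2) // what a "3 1 2" record carries: SHA-512 of the SPKI
	ok, _ := MatchesTLSA("3 1 2 "+hex.EncodeToString(data), key)
	fmt.Println("record from the certificate matches the bare public key:",
		ok)
}
```

Selector 1 is what makes a bare public key usable as input, and it is also what keeps the record valid across a certificate renewal that reuses the key pair; selector 0 ties the record to one exact certificate and must be republished at every renewal.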

func GetDomainNamesFromCertFile

func GetDomainNamesFromCertFile(certificateFile string) ([]string, error)

GetDomainNamesFromCertFile returns the list of domain names in the certificate's Subject CN and Subject Alternative Name extension.

func GetZone

func GetZone(name string, ns string) (string, error)

GetZone finds the zone apex under which the name to be updated lives. A SOA DNS query is sent to the global name server, which is expected to be the (possibly hidden) master managing this zone's data.

func ReadTSIG

func ReadTSIG(fileName string) ([]dns.KEY, error)

ReadTSIG reads and parses a BIND-formatted key file (KEY records) for use with TSIG.

func TsigAndSend

func TsigAndSend(m *dns.Msg, keys []dns.KEY) error

TsigAndSend signs a composed DNS message (dns.Msg) with the TSIG keys and sends it to the global name server configured via NameServer.
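Added example (editor's code, not the package's implementation, which uses the github.com/miekg/dns library): what AddRR, DeleteRRs and TsigAndSend put on the wire, built by hand from the standard library so it runs offline. BuildUpdate, SignTSIG and the helper names are chosen here; the key name, secret and association data are constructed inputs, and the zone apex is passed in rather than discovered the way GetZone does. The result is a complete RFC 2136 UPDATE signed per RFC 8945 that could be sent to the name server as-is; verifying the TSIG on the server's response, which a real client must also do, is not shown.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha512"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"strings"
)

const (
	typeSOA, typeTLSA, typeTSIG = 6, 52, 250
	classIN, classANY           = 1, 255
	opcodeUpdate                = 5
	hmacSHA512                  = "hmac-sha512." // matches "algorithm HMAC-SHA512" in the key statement
)

// packName writes a name in uncompressed, lower-cased wire form (RFC 1035 section 3.1), which is
// also the canonical form the TSIG MAC covers (RFC 8945 section 4.3.3).
func packName(name string) []byte {
	var b []byte
	for _, label := range strings.Split(strings.TrimSuffix(strings.ToLower(name), "."), ".") {
		if label != "" {
			b = append(b, byte(len(label)))
			b = append(b, label...)
		}
	}
	return append(b, 0)
}

func be16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }
func be32(b []byte, v uint32) []byte { return be16(be16(b, uint16(v>>16)), uint16(v)) }

// rr appends one resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA.
func rr(b []byte, name string, rtype, class uint16, ttl uint32, rdata []byte) []byte {
	b = be16(be16(append(b, packName(name)...), rtype), class)
	b = be16(be32(b, ttl), uint16(len(rdata)))
	return append(b, rdata...)
}

// BuildUpdate composes what DeleteRRs followed by AddRR put on the wire (RFC 2136): zone section with
// the apex SOA, no prerequisites, and per name a "delete RRset" record (CLASS ANY, TTL 0, empty RDATA,
// section 2.5.2) followed by one TLSA record per association. ADCOUNT stays 0 until SignTSIG runs.
func BuildUpdate(id uint16, zone string, names []string, ttl uint32, rdatas [][]byte) []byte {
	b := be16(be16(nil, id), opcodeUpdate<<11) // ID; QR=0, OPCODE=5, no flags
	b = be16(be16(b, 1), 0)                    // ZOCOUNT=1, PRCOUNT=0
	b = be16(be16(b, uint16(len(names)*(1+len(rdatas)))), 0) // UPCOUNT, ADCOUNT
	b = be16(be16(append(b, packName(zone)...), typeSOA), classIN)
	for _, n := range names {
		b = rr(b, n, typeTLSA, classANY, 0, nil)
		for _, rd := range rdatas {
			b = rr(b, n, typeTLSA, classIN, ttl, rd)
		}
	}
	return b
}

// SignTSIG appends a TSIG RR (RFC 8945 section 4.2) to an unsigned request. The MAC is HMAC-SHA512 over
// the message as it stands (ADCOUNT not yet counting the TSIG) plus the TSIG variables: key name,
// CLASS ANY, TTL 0, algorithm, time signed, fudge (the page's TSIGFUDGE), error and other length.
func SignTSIG(msg []byte, keyName, secretB64 string, timeSigned uint64, fudge uint16) ([]byte, []byte, error) {
	secret, err := base64.StdEncoding.DecodeString(secretB64) // the secret as found in the BIND key file
	if err != nil {
		return nil, nil, err
	}
	if len(msg) < 12 || binary.BigEndian.Uint16(msg[10:]) != 0 {
		return nil, nil, fmt.Errorf("message must be complete and carry no additional records yet")
	}
	ts := be16(be32(nil, uint32(timeSigned>>16)), uint16(timeSigned)) // 48-bit time signed
	vars := be32(be16(packName(keyName), classANY), 0)
	vars = append(append(vars, packName(hmacSHA512)...), ts...)
	vars = be16(be16(be16(vars, fudge), 0), 0) // fudge, error=0, other len=0
	h := hmac.New(sha512.New, secret)
	h.Write(msg)
	h.Write(vars)
	mac := h.Sum(nil)
	rdata := be16(be16(append(packName(hmacSHA512), ts...), fudge), uint16(len(mac)))
	rdata = be16(be16(be16(append(rdata, mac...), binary.BigEndian.Uint16(msg)), 0), 0) // original ID, error, other len
	signed := rr(append([]byte(nil), msg...), keyName, typeTSIG, classANY, 0, rdata)
	binary.BigEndian.PutUint16(signed[10:], 1) // ADCOUNT now counts the TSIG RR
	return signed, mac, nil
}

func main() {
	// Constructed inputs: a throwaway secret and an all-zero digest stand in for the key file and certificate.
	secret := base64.StdEncoding.EncodeToString([]byte(strings.Repeat("k", 64)))
	rdata := append([]byte{3, 1, 2}, make([]byte, 64)...) // TLSA RDATA: usage, selector, matching type, data
	msg := BuildUpdate(0x1234, "lem.click.", []string{"lem.click.", "blog.lem.click."}, 3600, [][]byte{rdata})
	signed, mac, err := SignTSIG(msg, "lemdotclick-ddns-update.", secret, 1593475200, 300)
	if err != nil {
		panic(err)
	}
	fmt.Printf("unsigned %d bytes, signed %d bytes, MAC %x...\n", len(msg), len(signed), mac[:8])
}
```

Signing last matters: the MAC covers every byte before the TSIG RR, so any change to the update after SignTSIG, including a new message ID, invalidates it. The fudge (300 seconds here, the package default) bounds how far the server's clock may differ from the time-signed field before it answers BADTIME, which is the first thing to check when updates are refused after a key rotation or on a host without NTP.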

Types

This section is empty.
