{"id":13681578,"url":"https://github.com/buffrr/letsdane","last_synced_at":"2026-02-03T19:35:56.725Z","repository":{"id":40308761,"uuid":"254179844","full_name":"buffrr/letsdane","owner":"buffrr","description":"🔒 Let's DANE is an experimental way to enable the use of DANE/TLSA in browsers and other apps using a lightweight proxy.","archived":false,"fork":false,"pushed_at":"2024-02-25T05:14:16.000Z","size":706,"stargazers_count":119,"open_issues_count":11,"forks_count":14,"subscribers_count":9,"default_branch":"master","last_synced_at":"2025-10-11T11:58:03.359Z","etag":null,"topics":["certificate-authority","dane","dane-proxy","dns","dnssec","proxy","rfc-6698","rfc-7671"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/buffrr.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2020-04-08T19:20:49.000Z","updated_at":"2025-08-14T13:10:52.000Z","dependencies_parsed_at":"2024-02-25T06:55:00.315Z","dependency_job_id":"d3267563-c1bf-4410-b178-7433ae9e27fe","html_url":"https://github.com/buffrr/letsdane","commit_stats":null,"previous_names":["buffrr/godane"],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/buffrr/letsdane","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buffrr%2Fletsdane","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buffrr%2Fletsdane/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buffrr%2Fletsdane/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposi
tories/buffrr%2Fletsdane/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/buffrr","download_url":"https://codeload.github.com/buffrr/letsdane/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buffrr%2Fletsdane/sbom","scorecard":{"id":257369,"data":{"date":"2025-08-11","repo":{"name":"github.com/buffrr/letsdane","commit":"e28059cc5b7f098e5e0683fa593e70279955e009"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":2.9,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/test.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Code-Review","score":1,"reason":"Found 3/24 approved changesets -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are 
merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses 
fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/buffrr/letsdane/test.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/buffrr/letsdane/test.yml/master?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/buffrr/letsdane/test.yml/master?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1","Warn: containerImage not pinned by hash: Dockerfile:7: pin your Docker image by updating alpine:latest to alpine:latest@sha256:4bcff63911fcb4448bd4fdacec207030997caf25e9bea4045fa6c8c44de311d1","Warn: goCommand not pinned by hash: .github/workflows/test.yml:46","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned","Info:   0 out of   2 containerImage dependencies pinned","Info:   0 out of   1 goCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build 
process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.3.0 not signed: https://api.github.com/repos/buffrr/letsdane/releases/28938844","Warn: release artifact v0.2.0 not signed: https://api.github.com/repos/buffrr/letsdane/releases/28830046","Warn: release artifact v0.1.0 not signed: https://api.github.com/repos/buffrr/letsdane/releases/25335783","Warn: release artifact v0.3.0 does not have provenance: https://api.github.com/repos/buffrr/letsdane/releases/28938844","Warn: release artifact v0.2.0 does not have provenance: https://api.github.com/repos/buffrr/letsdane/releases/28830046","Warn: release artifact v0.1.0 does not have provenance: https://api.github.com/repos/buffrr/letsdane/releases/25335783"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'master'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":0,"reason":"21 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2021-0227 / GHSA-3vm4-22fp-5rfm","Warn: Project is vulnerable to: GO-2022-0968 / GHSA-gwc9-m7rh-j2ww","Warn: Project is vulnerable to: GO-2021-0356 / GHSA-8c26-wmh5-6g9v","Warn: Project is vulnerable to: GO-2024-2961","Warn: Project is vulnerable to: GO-2023-2402 / 
GHSA-45x7-px36-x8w8","Warn: Project is vulnerable to: GO-2024-3321 / GHSA-v778-237x-gjrc","Warn: Project is vulnerable to: GO-2025-3487 / GHSA-hcg3-q754-cr77","Warn: Project is vulnerable to: GO-2022-0236 / GHSA-h86h-8ppg-mxmh","Warn: Project is vulnerable to: GO-2021-0238 / GHSA-83g2-8m93-v3w7","Warn: Project is vulnerable to: GO-2022-0288","Warn: Project is vulnerable to: GO-2022-0969 / GHSA-69cg-p879-7622","Warn: Project is vulnerable to: GO-2022-1144 / GHSA-xrjj-mj9h-534m","Warn: Project is vulnerable to: GO-2023-1571 / GHSA-vvpx-j8f3-3w6h","Warn: Project is vulnerable to: GO-2023-1988 / GHSA-2wrh-6pvc-2jm9","Warn: Project is vulnerable to: GO-2023-2102 / GHSA-4374-p667-p6c8","Warn: Project is vulnerable to: GHSA-qppj-fm5r-hxr3","Warn: Project is vulnerable to: GO-2024-2687 / GHSA-4v7x-pqxf-cx7m","Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw","Warn: Project is vulnerable to: GO-2022-0493 / GHSA-p782-xgp4-8hr8"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 12 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code 
analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-17T09:59:13.192Z","repository_id":40308761,"created_at":"2025-08-17T09:59:13.192Z","updated_at":"2025-08-17T09:59:13.192Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29054821,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-03T15:43:47.601Z","status":"ssl_error","status_checked_at":"2026-02-03T15:43:46.709Z","response_time":96,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["certificate-authority","dane","dane-proxy","dns","dnssec","proxy","rfc-6698","rfc-7671"],"created_at":"2024-08-02T13:01:32.597Z","updated_at":"2026-02-03T19:35:56.699Z","avatar_url":"https://github.com/buffrr.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"# Let's DANE\r\n\r\n\u003ca href=\"https://goreportcard.com/report/github.com/buffrr/letsdane\"\u003e\u003cimg src=\"https://goreportcard.com/badge/github.com/buffrr/letsdane\"/\u003e\u003c/a\u003e\r\n\u003ca href='https://coveralls.io/github/buffrr/letsdane?branch=master'\u003e\u003cimg src='https://coveralls.io/repos/github/buffrr/letsdane/badge.svg?branch=master' alt='Coverage Status' /\u003e\u003c/a\u003e\r\n\u003ca href=\"LICENSE\"\u003e\u003cimg 
src=\"https://img.shields.io/badge/license-Apache%202.0-blue.svg\"/\u003e\u003c/a\u003e\r\n\r\n**Note: Let's DANE is still under development, use at your own risk.**\r\n\r\nLet's DANE enables the use of [DANE (DNS Based Authentication of Named Entities)](https://tools.ietf.org/html/rfc6698) in browsers and other apps using a lightweight proxy. It currently supports DANE-EE and works with self-signed certificates.\r\n\r\n\u003cp align=\"center\"\u003e\r\n\u003cimg src=\"https://user-images.githubusercontent.com/41967894/117558143-5fac2200-b02f-11eb-8222-5dc41033b3f4.png\" width=\"450px\" alt=\"Let's DANE verified DNSSEC\"/\u003e\u003cbr/\u003e\r\n\r\n\u003c/p\u003e\r\n\r\n\u003cp align=\"center\"\u003e\r\ntorproject.org with DANE-EE validated certificate\r\n \u003c/p\u003e\r\n\r\n## How it works\r\n\r\nLet's DANE acts as a trusted intermediary between the browser and DANE-enabled sites. It checks whether a domain supports DANE and generates a certificate on the fly if the authentication was successful. The connection will remain encrypted between you and the end server. If a website doesn't support DANE, its original certificate will be served instead.\r\n\r\nYou are essentially trusting your own private certificate authority. You can install it in your browser's CA store to issue certificates for successful DANE authentications.\r\n\r\n## Features\r\n\r\n- [x] Full DANE-EE support including self-signed certificates ([RFC6698](https://tools.ietf.org/html/rfc6698), [RFC7671](https://tools.ietf.org/html/rfc7671))\r\n- [x] Client-side DNSSEC validation using libunbound\r\n- [x] Prevents downgrade attacks to traditional CAs\r\n- [x] Lightweight DANE tunnels that work with most protocols and with ALPN support.\r\n- [ ] Happy Eyeballs v2 ([RFC8305](https://tools.ietf.org/html/rfc8305))\r\n\r\n## Build from source\r\n\r\nYou can build the latest version from source for now. Binaries in releases are not up to date yet.\r\n\r\nGo 1.21+ is required. 
(unbound is optional; omit `-tags unbound` to use the AD bit only)\r\n\r\n```bash\r\napt install libunbound-dev\r\ngit clone https://github.com/buffrr/letsdane.git \u0026\u0026 cd letsdane/cmd/letsdane\r\ngo build -tags unbound\r\n```\r\n\r\n## Quick Usage\r\n\r\nLet's DANE will generate a CA and store it in `~/.letsdane` when you start it for the first time.\r\nTo start the proxy server:\r\n\r\n    letsdane -r 1.1.1.1\r\n\r\n- Add the Let's DANE proxy to your web browser: `127.0.0.1:8080` ([Firefox example](https://user-images.githubusercontent.com/41967894/117558156-8f5b2a00-b02f-11eb-98ba-91ce8a9bdd4a.png))\r\n\r\n- Import the certificate file into your browser certificate store ([Firefox example](https://user-images.githubusercontent.com/41967894/117558164-a7cb4480-b02f-11eb-93ed-678f81f25f2e.png)). You can use `letsdane -o myca.crt` to export the public cert file to a convenient location.\r\n\r\nIf you don't specify a resolver, letsdane will use the system resolver settings from `/etc/resolv.conf` and fall back to root hints.\r\nIf letsdane is compiled with libunbound, all queries are DNSSEC validated with a hardcoded ICANN 2017 KSK (you can set a trust anchor file with the `-anchor` option).\r\n\r\nUse `letsdane -help` to see command line options.\r\n\r\n### DANE Tools\r\n\r\n- danectl: \u003chttps://raf.org/danectl\u003e (helper tool for certbot \u0026 letsencrypt)\r\n- other: \u003chttps://www.huque.com/pages/tools.html\u003e (various DANE tools)\r\n\r\n## Docker\r\n\r\n### Building an image\r\n\r\nTo build a Docker image run:\r\n\r\n    git clone https://github.com/buffrr/letsdane\r\n    cd letsdane \u0026\u0026 docker build -t letsdane .\r\n\r\n### Running a container\r\n\r\nTo start a container with the proxy on port `8080` and certs in the dane directory, run:\r\n\r\n    docker run --name letsdane -dp 127.0.0.1:8080:8080 \\\r\n      -v \"$(pwd)\"/dane:/root/.letsdane \\\r\n      --restart unless-stopped \\\r\n      letsdane -verbose\r\n\r\n## Threat Model\r\n\r\nThe 
proxy is intended to be installed locally on your machine, and the generated CA should only be used on that machine. letsdane assumes that your user account is secure (even without letsdane, your user account must not be compromised to be able to use a browser securely).\r\n\r\n## Use of resolvers\r\n\r\nletsdane uses libunbound to validate DNSSEC, so you don't need to trust any DNS provider.\r\nIf you already have a local DNSSEC-capable resolver, and you don't want letsdane to validate DNSSEC for you,\r\nyou can use `-skip-dnssec` (you should know what you're doing because this can be dangerous!)\r\n\r\nIf you use `-skip-dnssec`, letsdane will rely on the Authenticated Data (AD) flag in the resolver's responses instead.\r\n\r\n## Why?\r\n\r\nI wanted to try DANE, but no browser currently supports it. It may still be a long way to go for browser support, but if you want to try it now you can!\r\n\r\n## Contributing\r\n\r\nContributions are welcome!\r\n\r\n## Credits\r\n\r\nThanks to the awesome [miekg/dns](https://github.com/miekg/dns) package.\r\n\r\nEven though TLS proxies are not new, the [GNU Naming System](https://gnunet.org/en/gns.html) has prior art on this since they also use a TLS proxy to make their domains work in other applications, but their naming system is very different from traditional DNS.\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbuffrr%2Fletsdane","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbuffrr%2Fletsdane","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbuffrr%2Fletsdane/lists"}