{"id":21464232,"url":"https://github.com/shuque/dane","last_synced_at":"2025-07-15T03:32:42.185Z","repository":{"id":143298426,"uuid":"266900157","full_name":"shuque/dane","owner":"shuque","description":"Go library for DANE authentication","archived":false,"fork":false,"pushed_at":"2024-01-09T21:25:35.000Z","size":59,"stargazers_count":20,"open_issues_count":4,"forks_count":6,"subscribers_count":6,"default_branch":"master","last_synced_at":"2024-06-19T05:57:23.962Z","etag":null,"topics":["authentication","dane","dns","dnssec","pkix","tlsa","x509"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/shuque.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-05-25T23:29:52.000Z","updated_at":"2024-06-08T22:20:42.000Z","dependencies_parsed_at":null,"dependency_job_id":"78f9c4e6-aff8-441e-b3bd-84d4fede8df9","html_url":"https://github.com/shuque/dane","commit_stats":null,"previous_names":[],"tags_count":18,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuque%2Fdane","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuque%2Fdane/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuque%2Fdane/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuque%2Fdane/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/shuque","download_url":"https://codeload.github.com/shuque/dane/tar.gz/refs/heads/master","host"
:{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":226017327,"owners_count":17560465,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","dane","dns","dnssec","pkix","tlsa","x509"],"created_at":"2024-11-23T07:30:27.290Z","updated_at":"2024-11-23T07:30:27.820Z","avatar_url":"https://github.com/shuque.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# dane\nGo library for DANE TLSA authentication\n\n### Pre-requisites\n\n* Go\n* Go dns package from https://github.com/miekg/dns\n\n### Documentation\n\nFormatted documentation for this module can be found at:\n\nhttps://pkg.go.dev/github.com/shuque/dane?tab=doc\n\n### Description\n\nPackage dane provides a set of functions to perform DANE authentication\nof a TLS server, with fall back to PKIX authentication if no DANE TLSA\nrecords exist for the server. DANE is a protocol that employs DNSSEC signed\nrecords (\"TLSA\") to authenticate X.509 certificates used in TLS and other\nprotocols. See RFC 6698 for details.\n\nThe dane.Config structure holds all the configured input parameters\nfor DANE authentication, including the server's name, address \u0026 port,\nand the TLSA record set data. A new dane.Config structure has to be\ninstantiated for each DANE TLS server that needs to be authenticated.\n\nThe package includes functions that will perform secure lookup of TLSA\nrecords and address records via a validating DNS resolver: GetTLSA() and\nGetAddresses(). 
Alternatively, if the calling application has obtained\nthe TLSA record data by itself, it can populate the dane.Config's TLSA\nstructure directly.\n\nThe use of GetTLSA() and GetAddresses() requires a validating\nDNS resolver that sets the AD bit on authenticated responses. The\nGetResolver() function in this package uses, by default, the set of resolvers\ndefined in /etc/resolv.conf. This can be overridden by supplying a custom\nresolv.conf file, or by directly initializing a Resolver structure\nand placing it in the dane.Config. To be secure, it is important that the system\nthe code is running on has a secure connection to the validating resolver\n(for example, a resolver on localhost or one reached over an authenticated\ntransport): the AD bit is just a flag in an unauthenticated response, so an\non-path attacker between the client and a remote resolver could set it.\n(A future version of this library may perform stub DNSSEC validation itself,\nin which case it would only need to be able to communicate with a DNSSEC-aware\nresolver, and not require a secure transport connection to it.)\n\nThe functions DialTLS() and DialStartTLS() take a dane.Config instance,\nconnect to the server, perform DANE authentication, and return a TLS\nconnection handle for subsequent use. DialStartTLS() will additionally\nperform an application-specific STARTTLS negotiation first. STARTTLS is\nsupported for the SMTP, POP3, IMAP, and XMPP applications by calling the\nAppname and Servicename methods on the Config structure.\n\nIf no secure DANE TLSA records are found, or if the resolver doesn't\nvalidate, this package will fall back to normal PKIX authentication. Because\nthat fallback is silent, an application that must have DANE authentication\nshould call NoPKIXverify() on the Config structure, which prevents the\nfallback and makes DANE authentication a hard requirement.\n\nPer current spec (RFC 7671, Section 5.1), this library does not perform\ncertificate name checks for DANE-EE mode TLSA records, but this can be\noverridden with the DaneEEname option. 
For Web applications it is sensible\nto set the DaneEEname option to protect against Unknown Key-Share Attacks as\ndescribed in https://tools.ietf.org/html/draft-barnes-dane-uks-00 .\n\nAlso, per RFC 7672, Section 3.1.3, for SMTP STARTTLS the library ignores\nPKIX-* mode TLSA records, since they are not recommended for use. This can\nalso be overridden by setting the SMTPAnyMode option.\n\nAfter calling DialTLS() or DialStartTLS(), the dane.Config structure\nis populated with additional diagnostic information, such as DANE and\nPKIX authentication status, the verified certificate chains, and the\nverification status of each DANE TLSA record processed.\n\nIf dane.Config.DiagMode is set to true, then DialTLS() and DialStartTLS()\nwill return a working TLS connection handle even if server authentication\nfails (rather than an error), but will populate the dane.Config's DiagError\nmember with the appropriate error instead. DiagMode is meant for diagnostics\nonly: a connection obtained this way has not been authenticated and must not\nbe used to carry application data.\n\n\n### Example code\n\nThe basic steps in summary form are:\n\n```go\nimport (\n    ...\n    \"github.com/shuque/dane\"\n    )\n\n// replace this with the name and port for a valid DANE TLS server\nhostname := \"www.example.com\"\nport := 443\n\n// Secure lookups via the validating resolver; each lookup can fail\n// (no resolver, insecure or missing records) and must be checked.\nresolver, err := dane.GetResolver()\nif err != nil {\n\tlog.Fatal(err)\n}\ntlsa, err := dane.GetTLSA(resolver, hostname, port)\nif err != nil {\n\tlog.Fatal(err)\n}\niplist, err := dane.GetAddresses(resolver, hostname, true)\nif err != nil {\n\tlog.Fatal(err)\n}\n\n// Try each address; a new Config is needed per server address.\nfor _, ip := range iplist {\n\tdaneconfig := dane.NewConfig(hostname, ip, port)\n\tdaneconfig.SetTLSA(tlsa)\n\tconn, err := dane.DialTLS(daneconfig)\n\tif err != nil {\n\t\tfmt.Printf(\"Result: FAILED: %s\\n\", err.Error())\n\t\tcontinue\n\t}\n\tif daneconfig.Okdane {\n\t\tfmt.Printf(\"Result: DANE OK\\n\")\n\t} else if daneconfig.Okpkix {\n\t\tfmt.Printf(\"Result: PKIX OK\\n\")\n\t} else {\n\t\tfmt.Printf(\"Result: FAILED\\n\")\n\t}\n\t//\n\t// do some stuff with the obtained TLS connection here\n\t//\n\tconn.Close()\n}\n```\n\nThe ConnectByName(), ConnectByNameAsync(), and ConnectByNameAsync2() functions\nare simpler all-in-one functions that take a 
hostname and port argument, and then\nlook up TLSA records, connect to the first address associated with the hostname\nthat results in an authenticated connection, and return the associated TLS connection\nobject.\n\nGetHttpClient() returns an HTTP client structure (net/http.Client) configured to\ndo DANE authentication of an HTTPS server. The \"pkixfallback\" boolean argument specifies\nwhether or not to fall back to PKIX authentication if there are no secure TLSA records\npublished for the server.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshuque%2Fdane","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshuque%2Fdane","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshuque%2Fdane/lists"}
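What a DANE-EE (usage 3) TLSA check actually compares, as an added example written against the Go standard library; this is not code from the shuque/dane library and does not use its API. It builds a self-signed certificate (constructed test data standing in for the certificate a server presents in the handshake), derives the association data a zone operator would publish for selector 1 (SubjectPublicKeyInfo) and matching type 1 (SHA-256), parses the record back from its presentation form, and matches it the way RFC 7671 Section 5.1 describes: no chain, expiry or name check unless the caller asks for a hostname match, which mirrors the README's DaneEEname option. The names TLSA, ParseTLSA, AssocData, MatchDANEEE and NewSelfSigned and the host mail.example.net are chosen here. Nothing is fetched from DNS, so the DNSSEC validation that GetTLSA() relies on is out of scope for this block.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the RDATA of a TLSA record (RFC 6698, Section 2.1): usage 0-3
// (PKIX-TA, PKIX-EE, DANE-TA, DANE-EE), selector 0 (full certificate) or 1
// (SubjectPublicKeyInfo), matching type 0 (exact), 1 (SHA-256), 2 (SHA-512).
type TLSA struct {
	Usage, Selector, MType uint8
	Data                   []byte // certificate association data
}

// ParseTLSA reads the presentation form "usage selector mtype hexdata".
func ParseTLSA(s string) (TLSA, error) {
	var r TLSA
	var hexdata string
	_, err := fmt.Sscanf(s, "%d %d %d %s", &r.Usage, &r.Selector, &r.MType, &hexdata)
	if err == nil {
		r.Data, err = hex.DecodeString(hexdata)
	}
	return r, err
}

// AssocData derives the association data a certificate yields for a selector
// and matching type: the value a zone publishes and a client recomputes.
func AssocData(cert *x509.Certificate, sel, mtype uint8) ([]byte, error) {
	in := cert.Raw // selector 0: the whole DER certificate
	if sel == 1 {
		in = cert.RawSubjectPublicKeyInfo // selector 1: only the SPKI
	} else if sel != 0 {
		return nil, fmt.Errorf("tlsa: unsupported selector %d", sel)
	}
	switch mtype {
	case 0:
		return in, nil
	case 1:
		h := sha256.Sum256(in)
		return h[:], nil
	case 2:
		h := sha512.Sum512(in)
		return h[:], nil
	}
	return nil, fmt.Errorf("tlsa: unsupported matching type %d", mtype)
}

// MatchDANEEE reports whether the end-entity certificate a server presented
// satisfies a DANE-EE (usage 3) record. Chain, expiry and name are not checked
// (RFC 7671, Section 5.1) unless checkName is set, the equivalent of DaneEEname.
func MatchDANEEE(cert *x509.Certificate, rec TLSA, checkName bool, host string) (bool, error) {
	if rec.Usage != 3 {
		return false, fmt.Errorf("tlsa: usage %d is not DANE-EE", rec.Usage)
	}
	got, err := AssocData(cert, rec.Selector, rec.MType)
	if err != nil {
		return false, err
	}
	if !bytes.Equal(got, rec.Data) || (checkName && cert.VerifyHostname(host) != nil) {
		return false, nil
	}
	return true, nil
}

// NewSelfSigned makes a throwaway certificate: constructed test data standing in
// for the certificate a real server would send in the TLS handshake.
func NewSelfSigned(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewSelfSigned("mail.example.net")
	if err != nil {
		panic(err)
	}
	spki, _ := AssocData(cert, 1, 1)                    // what the zone operator publishes
	rec, _ := ParseTLSA(fmt.Sprintf("3 1 1 %x", spki)) // what the client receives
	ok, _ := MatchDANEEE(cert, rec, true, "mail.example.net")
	fmt.Printf("_25._tcp.mail.example.net. IN TLSA 3 1 1 %x\nDANE-EE match: %v\n", spki, ok)
}
```

A "3 1 1" record pins the key, so the match survives certificate renewal as long as the key is kept, which is why it is the usual choice for SMTP; a "3 0 x" record pins the whole certificate and must be republished on every renewal. With checkName false, any server holding that key matches regardless of the name in the certificate, which is the unknown key-share concern the README raises for Web use.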