[ldns-users] TLSA verification using ldns-dane

Willem Toorop willem at nlnetlabs.nl
Wed Jun 1 12:03:30 UTC 2016

Op 01-06-16 om 13:06 schreef A. Schulze:
> Paul Wouters:
>> Not sure about ldns-dane, but I think it lacks STARTTLS
>> support.
> My impression/expectation: this is what option "-i" was added for.

No, it was to provide a channel to interact after the TLS is setup.
Similar to what openssl s_client does.

You could collect the certificate with openssl s_client and then use
ldns-dane to verify it.

$ openssl s_client -connect nlnetlabs.nl:25 -starttls smtp | openssl
x509 >nlnetlabs.nl.smtp.crt
$ ldns-dane -c nlnetlabs.nl.smtp.crt verify nlnetlabs.nl 25
OU=Domain Control Validated, CN=*.nlnetlabs.nl dane-validated successfully

>> With the hash-slinger package installed ...
> I've to check if it's available on all platforms I've in mind ...
> Thanks for that hint.
> Andreas
> _______________________________________________
> ldns-users mailing list
> ldns-users at open.nlnetlabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/ldns-users

More information about the ldns-users mailing list