From 56e0811206c4972570718b8ef6f4bd6a5b4fd691 Mon Sep 17 00:00:00 2001 From: Pieter Lexis Date: Tue, 7 Feb 2012 23:33:21 +0100 Subject: [PATCH] Add two patches by David Voit (thanks!) * 1 patch adds DNSSEC Look-aside Validation support * 1 patch fixes a bug introduced in commit 7d20d367 --- dlv.isc.org.key | 2 ++ swede | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 dlv.isc.org.key diff --git a/dlv.isc.org.key b/dlv.isc.org.key new file mode 100644 index 0000000..c73944f --- /dev/null +++ b/dlv.isc.org.key @@ -0,0 +1,2 @@ +; https://secure.isc.org/ops/dlv/dlv.isc.org.key +dlv.isc.org. IN DNSKEY 257 3 5 BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh diff --git a/swede b/swede index bc1952a..cc2b21d 100755 --- a/swede +++ b/swede @@ -127,6 +127,7 @@ def getRecords(hostname, rrtype='A', secure=True): global resolvconf ctx = unbound.ub_ctx() ctx.add_ta_file('root.key') + ctx.set_option("dlv-anchor-file:", "dlv.isc.org.key") # Use the local cache if resolvconf and os.path.isfile(resolvconf): ctx.resolvconf(resolvconf) @@ -466,7 +467,8 @@ if __name__ == '__main__': # Good, now let's verify if record.usage == 1: # End-host cert - if verifyCertMatch(record, chain[0]): + cert = chain[0] + if verifyCertMatch(record, cert): if verify_result == 0: # The cert chains to a valid CA cert according to the system-certificates print 'SUCCESS (Usage 1): Certificate offered by the server matches the one mentioned in the TLSA record and chains to a valid CA certificate' else: -- 2.36.1