checker-dane

command module
v0.2.0 Latest
Warning: This package is not in the latest version of its module.
Published: Apr 26, 2026 License: MIT Imports: 4 Imported by: 0

README

checker-dane

DANE / TLSA checker for happyDomain.

The checker is bound to the svcs.TLSAs service. It groups the user's TLSA records by (port, proto, base), publishes one tls.endpoint.v1 discovery entry per endpoint so that checker-tls probes them, then matches each TLSA record against the observed certificate chain per RFC 6698.

Usage

Standalone HTTP server

# Build and run
make
./checker-dane -listen :8080

The server exposes:

  • GET /health, health check
  • POST /collect, collect DANE observations (happyDomain external checker protocol)

Docker

make docker
docker run -p 8080:8080 happydomain/checker-dane

happyDomain plugin

make plugin
# produces checker-dane.so, loadable by happyDomain as a Go plugin

The plugin exposes a NewCheckerPlugin symbol returning the checker definition and observation provider, which happyDomain registers in its global registries at load time.

Versioning

The binary, plugin, and Docker image embed a version string that can be overridden at build time:

make CHECKER_VERSION=1.2.3
make plugin CHECKER_VERSION=1.2.3
make docker CHECKER_VERSION=1.2.3

happyDomain remote endpoint

Set the endpoint admin option for the DANE checker to the URL of the running checker-dane server (e.g., http://checker-dane:8080). happyDomain will delegate observation collection to this endpoint.

Behavior

  • Usage 0 (PKIX-TA) / 1 (PKIX-EE): TLSA match + publicly trusted PKIX chain required.
  • Usage 2 (DANE-TA) / 3 (DANE-EE): TLSA acts as the trust anchor; PKIX validity is informational.
  • Selector 0 (Cert) / 1 (SPKI) and MatchingType 0/1/2 (Full / SHA-256 / SHA-512) are matched against the chain slot implied by the usage.
  • Common STARTTLS ports (25, 110, 143, 389, 587, 5222, 5269) are auto-mapped; override via the starttls option keyed by "<port>/<proto>".
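
The selector, matching-type and usage rules above can be sketched as follows. This is an added example, not code from checker-dane: `TLSA`, `digest`, `Matches` and `sampleChain` are hypothetical names, and the usage-to-slot mapping (leaf for usages 1 and 3, issuer certificates for 0 and 2) is an assumption about what "chain slot implied by the usage" means. The PKIX trust check required for usages 0 and 1 is left out.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"fmt"
)

type TLSA struct { // RDATA fields of one record (RFC 6698, section 2.1)
	Usage, Selector, MatchingType uint8
	Data                          []byte
}

// digest derives the association data c must yield; nil for unassigned values.
func digest(c *x509.Certificate, selector, mtype uint8) []byte {
	if selector > 1 || mtype > 2 {
		return nil
	}
	in := [][]byte{c.Raw, c.RawSubjectPublicKeyInfo}[selector] // 0 Cert, 1 SPKI
	s256, s512 := sha256.Sum256(in), sha512.Sum512(in)
	return [][]byte{in, s256[:], s512[:]}[mtype] // 0 Full, 1 SHA-256, 2 SHA-512
}

// Matches tests rec against the slot its usage implies (assumed mapping):
// issuers chain[1:] for usages 0 and 2, the leaf chain[0] for usages 1 and 3.
func Matches(rec TLSA, chain []*x509.Certificate) bool {
	if len(chain) == 0 || rec.Usage > 3 {
		return false
	}
	slot := [][]*x509.Certificate{chain[1:], chain[:1]}[rec.Usage%2]
	for _, c := range slot {
		if d := digest(c, rec.Selector, rec.MatchingType); len(d) > 0 && bytes.Equal(d, rec.Data) {
			return true
		}
	}
	return false
}

// sampleChain is constructed input: placeholder bytes stand in for real DER.
var sampleChain = []*x509.Certificate{
	{Raw: []byte("leaf-der"), RawSubjectPublicKeyInfo: []byte("leaf-spki")},
	{Raw: []byte("ca-der"), RawSubjectPublicKeyInfo: []byte("ca-spki")},
}

func main() {
	fmt.Println(Matches(TLSA{3, 1, 1, digest(sampleChain[0], 1, 1)}, sampleChain)) // true
}
```

With a live endpoint, the chain would come from the peer certificates of the TLS handshake, leaf first.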

Documentation

There is no documentation for this package.

Source Files

  • main.go

Directories

Path Synopsis
Package checker implements the DANE/TLSA checker for happyDomain.
Command plugin is the happyDomain plugin entrypoint for the DANE/TLSA checker.
