godane

package module
v0.3.0
Published: Jul 25, 2020 License: Apache-2.0 Imports: 20 Imported by: 0

README

Go DANE

Note: Go DANE is still under development, use at your own risk.

Go DANE enables the use of DANE (DNS Based Authentication of Named Entities) in browsers using a simple proxy. It currently supports DANE-EE, and works with self-signed certificates.

[Screenshot: Go DANE verified DNSSEC]

How it works

Go DANE acts as a middleman between the browser and DANE-enabled sites. For each HTTPS connection it checks whether the domain publishes TLSA records, authenticates the server's certificate against them, and, if that succeeds, generates a certificate for the browser on the fly. The connection between the proxy and the end server remains encrypted. If a website doesn't support DANE, its original certificate is served instead.

For this to work, Go DANE generates a local certificate authority that must be installed in your browser's certificate store. This CA is used to issue the certificates for successful DANE authentications, so its private key is as sensitive as any trusted root: it stays on your machine and is stored encrypted under a passphrase (see Usage).
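The DANE-EE check described above comes down to matching the certificate the server presents against the "certificate association data" in its TLSA records. The following is an added example, not code from the godane project: it defines a local stand-in for a TLSA record (so it needs nothing outside the Go standard library; godane itself uses the miekg/dns types), computes the association data for each selector (full certificate or SubjectPublicKeyInfo) and matching type (exact, SHA-256, SHA-512), and accepts a certificate only when a usage-3 record matches. The self-signed certificate is constructed test data; the function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA is a local stand-in for the fields of a DNS TLSA record (RFC 6698),
// used here so the example needs nothing outside the standard library.
type TLSA struct {
	Usage        uint8  // 3 = DANE-EE (end-entity certificate constraint)
	Selector     uint8  // 0 = full certificate, 1 = SubjectPublicKeyInfo
	MatchingType uint8  // 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
	Certificate  string // hex-encoded certificate association data
}

const (
	UsageDANEEE  uint8 = 3
	SelectorCert uint8 = 0
	SelectorSPKI uint8 = 1
	MatchExact   uint8 = 0
	MatchSHA256  uint8 = 1
	MatchSHA512  uint8 = 2
)

// associationData computes the bytes a TLSA record with the given selector
// and matching type would carry for cert.
func associationData(cert *x509.Certificate, selector, matching uint8) ([]byte, error) {
	var data []byte
	switch selector {
	case SelectorCert:
		data = cert.Raw
	case SelectorSPKI:
		data = cert.RawSubjectPublicKeyInfo
	default:
		return nil, fmt.Errorf("unsupported selector %d", selector)
	}
	switch matching {
	case MatchExact:
		return data, nil
	case MatchSHA256:
		sum := sha256.Sum256(data)
		return sum[:], nil
	case MatchSHA512:
		sum := sha512.Sum512(data)
		return sum[:], nil
	default:
		return nil, fmt.Errorf("unsupported matching type %d", matching)
	}
}

// VerifyDANEEE reports whether any DANE-EE record matches the presented
// end-entity certificate. Records with other usages, malformed data or
// unknown parameters are skipped, never treated as a match.
func VerifyDANEEE(cert *x509.Certificate, rrs []TLSA) bool {
	for _, rr := range rrs {
		if rr.Usage != UsageDANEEE {
			continue
		}
		want, err := hex.DecodeString(rr.Certificate)
		if err != nil {
			continue
		}
		got, err := associationData(cert, rr.Selector, rr.MatchingType)
		if err != nil {
			continue
		}
		if bytes.Equal(got, want) {
			return true
		}
	}
	return false
}

// RecordFor builds the DANE-EE record that would publish cert with the given
// selector and matching type (what a site operator would put in DNS).
func RecordFor(cert *x509.Certificate, selector, matching uint8) (TLSA, error) {
	data, err := associationData(cert, selector, matching)
	if err != nil {
		return TLSA{}, err
	}
	return TLSA{Usage: UsageDANEEE, Selector: selector, MatchingType: matching,
		Certificate: hex.EncodeToString(data)}, nil
}

// NewSelfSigned creates a throwaway self-signed certificate: constructed test
// data standing in for what a DANE-EE site would present.
func NewSelfSigned(name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Because the match is against the leaf certificate or its public key rather than against a chain, a self-signed certificate passes exactly as the README says; the CA that signed it (if any) plays no part in usage 3. A record with the right digest but a different usage is deliberately ignored here, which is the same conservative behaviour as only supporting DANE-EE.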

[Diagram: Go DANE authentication process]

Usage

You can build it from source using go build github.com/buffrr/godane/cmd/godane or download a binary for your OS from releases

./godane -dns tls://1.1.1.1

You will be prompted to enter a passphrase. This passphrase is used to encrypt the private key stored on disk.

  • Add the Go DANE proxy (127.0.0.1:8080) to your web browser for HTTP and HTTPS.

  • Import the certificate file cert.crt stored in ~/.godane into your browser.

The easiest way to try it out is to use Firefox, because it supports adding a proxy natively and has its own built-in CA store, so you don't have to add the root CA or the proxy to your whole OS (it's still experimental).

Use godane -help to see command line options.

Some sites that currently use DANE-EE:

Go DANE with handshake.org

If you're running a local hsd node listening for dns queries:

./godane -dns udp://:53

You can also use easyhandshake resolver.

./godane -dns https://easyhandshake.com:8053

Note: You can configure hsd to use a different port if 53 is in use.

[Screenshot: Some handshake sites]

Use of resolvers

Go DANE doesn't perform DNSSEC verification by itself. The resolver you specify must be DNSSEC capable. If you have a local validating resolver, you can use udp:// or tcp://. If not, use a trusted resolver that supports DNSSEC and communicates over a secure channel (tls:// or https://), since over plain UDP or TCP to a remote resolver nothing protects the response on the wire.

Note: for Go DANE to know the DNS response is validated, the resolver must set the Authenticated Data (AD) flag to true.
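Two small pieces of DNS handling sit behind the notes above and behind GetTLSAPrefix in the API: building the owner name to query for a host:port, and deciding whether a resolver's answer is validated by looking at the AD bit in the message header. The following is an added example, not godane's code: TLSAName is this example's own equivalent of a TLSA-prefix helper (the _port._tcp.host. form from RFC 6698), ParseHeaderFlags reads the flags word of a raw DNS header, and UsableForDANE applies the rule from the note. The three 12-byte headers are constructed sample data.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"strings"
)

// TLSAName returns the owner name of the TLSA record for a TCP service,
// e.g. "example.com:443" -> "_443._tcp.example.com." (RFC 6698 section 3).
func TLSAName(hostPort string) (string, error) {
	host, port, err := net.SplitHostPort(hostPort)
	if err != nil {
		return "", err
	}
	host = strings.TrimSuffix(strings.ToLower(host), ".")
	if host == "" || port == "" {
		return "", errors.New("host and port are required")
	}
	return fmt.Sprintf("_%s._tcp.%s.", port, host), nil
}

// HeaderFlags holds the header bits that matter to a DNSSEC-aware client
// (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2).
type HeaderFlags struct {
	Response          bool  // QR: set on a response
	AuthenticatedData bool  // AD: the resolver validated all data in the answer
	CheckingDisabled  bool  // CD: the client asked the resolver not to validate
	RCode             uint8 // 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN, ...
}

// ParseHeaderFlags decodes the flags word (bytes 2-3) of a DNS message header.
func ParseHeaderFlags(msg []byte) (HeaderFlags, error) {
	if len(msg) < 12 {
		return HeaderFlags{}, errors.New("DNS message shorter than the 12-byte header")
	}
	f := binary.BigEndian.Uint16(msg[2:4])
	return HeaderFlags{
		Response:          f&0x8000 != 0,
		AuthenticatedData: f&0x0020 != 0,
		CheckingDisabled:  f&0x0010 != 0,
		RCode:             uint8(f & 0x000F),
	}, nil
}

// UsableForDANE reports whether a response may feed DANE verification: it
// must be a successful response and the resolver must have set AD. The
// second value is a reason suitable for logging when it is not.
func UsableForDANE(msg []byte) (bool, string) {
	h, err := ParseHeaderFlags(msg)
	if err != nil {
		return false, err.Error()
	}
	switch {
	case !h.Response:
		return false, "not a response"
	case h.RCode != 0:
		return false, fmt.Sprintf("rcode %d", h.RCode)
	case !h.AuthenticatedData:
		return false, "AD flag not set: answer is not DNSSEC-validated"
	}
	return true, ""
}

// Constructed 12-byte headers: ID 0x1234, one question, counts as noted.
var (
	HeaderValidated   = []byte{0x12, 0x34, 0x81, 0xa0, 0, 1, 0, 1, 0, 0, 0, 0} // QR RD RA AD, 1 answer
	HeaderUnvalidated = []byte{0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0} // QR RD RA, 1 answer
	HeaderServfail    = []byte{0x12, 0x34, 0x81, 0x82, 0, 1, 0, 0, 0, 0, 0, 0} // QR RD RA, RCODE=2
)

func main() {
	name, _ := TLSAName("example.com:443")
	fmt.Println("query:", name)
	for _, h := range [][]byte{HeaderValidated, HeaderUnvalidated, HeaderServfail} {
		ok, why := UsableForDANE(h)
		fmt.Println(ok, why)
	}
}
```

The AD bit is only an assertion by the resolver, which is why the section above insists on a local validator or an authenticated channel to a trusted one: over an unprotected transport the bit can be set or cleared by whoever can write to the path, and a client that trusts it has not gained anything from DNSSEC.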

Why?

I wanted to try DANE, but no browser currently supports it. It may still be a long way to go for browser support, but if you want to try it now you can!

Contributing

Contributions are welcome!

Documentation

Index

Constants

const (
	Timeout               = 30 * time.Second
	KeepAlive             = 30 * time.Second
	TLSHandshakeTimeout   = 10 * time.Second
	ExpectContinueTimeout = time.Second
)

Timeouts used in the dialer and http transport.

Variables

This section is empty.

Functions

func GetDialFunc

func GetDialFunc(rs Resolver) func(network string, addr string) (net.Conn, error)

GetDialFunc returns a dial function that uses the given resolver.

func GetTLSAPrefix

func GetTLSAPrefix(host string) string

GetTLSAPrefix returns the TLSA prefix for the given host:port.

func NewAuthority

func NewAuthority(name, organization string, validity time.Duration) (*x509.Certificate, *rsa.PrivateKey, error)

NewAuthority creates a new CA certificate and associated private key.

func RoundTripper

func RoundTripper(rs Resolver, gContext *goproxy.ProxyCtx) http.RoundTripper

RoundTripper returns a round tripper capable of performing DANE/TLSA verification. It uses the given resolver for DNS lookups.

func TLSASupported

func TLSASupported(rrs []dns.TLSA) bool

TLSASupported checks whether the given TLSA records contain a supported DANE usage. It currently checks only for usage DANE-EE (3).

Types

type ClientResolver

type ClientResolver struct {
	// contains filtered or unexported fields
}

ClientResolver implements Resolver and caches queries.

func NewResolver

func NewResolver(server string) (*ClientResolver, error)

NewResolver creates a new resolver. The server can be specified using udp://, tcp://, tls:// or https://.

func (*ClientResolver) LookupIP

func (rs *ClientResolver) LookupIP(hostname string, secure bool) ([]net.IP, error)

LookupIP looks up host using the specified resolver. It returns a slice of that host's IPv4 and IPv6 addresses.

func (*ClientResolver) LookupTLSA

func (rs *ClientResolver) LookupTLSA(prefix string) ([]dns.TLSA, error)

LookupTLSA returns TLSA records for the given TLSA prefix.

type Config

type Config struct {
	Certificate *x509.Certificate
	PrivateKey  interface{}
	Validity    time.Duration
	Resolver    Resolver
	Verbose     bool
}

func (*Config) Run

func (c *Config) Run(addr string) error

type Resolver

type Resolver interface {
	LookupIP(string, bool) ([]net.IP, error)
	LookupTLSA(string) ([]dns.TLSA, error)
}

Resolver is used for DNS lookups.

Directories

Path Synopsis
cmd
