# checker-dane

DANE / TLSA checker for happyDomain.

Bound to the `svcs.TLSAs` service: it groups the user's TLSA records by (port, proto, base), publishes one `tls.endpoint.v1` discovery entry per endpoint so that checker-tls probes them, then matches each TLSA record against the observed certificate chain per RFC 6698.
## Usage

### Standalone HTTP server

```sh
# Build and run
make
./checker-dane -listen :8080
```

The server exposes:

- `GET /health`: health check
- `POST /collect`: collect DANE observations (happyDomain external checker protocol)
### Docker

```sh
make docker
docker run -p 8080:8080 happydomain/checker-dane
```
### happyDomain plugin

```sh
make plugin
# produces checker-dane.so, loadable by happyDomain as a Go plugin
```

The plugin exposes a `NewCheckerPlugin` symbol returning the checker definition and observation provider, which happyDomain registers in its global registries at load time.
### Versioning

The binary, plugin, and Docker image embed a version string that can be overridden at build time:

```sh
make CHECKER_VERSION=1.2.3
make plugin CHECKER_VERSION=1.2.3
make docker CHECKER_VERSION=1.2.3
```
### happyDomain remote endpoint

Set the `endpoint` admin option for the DANE checker to the URL of the running checker-dane server (e.g., `http://checker-dane:8080`). happyDomain will then delegate observation collection to this endpoint.
## Behavior

- Usage 0 (PKIX-TA) / 1 (PKIX-EE): a TLSA match and a publicly trusted PKIX chain are both required.
- Usage 2 (DANE-TA) / 3 (DANE-EE): the TLSA record acts as the trust anchor; PKIX validity is reported as informational only.
- Selector 0 (Cert) / 1 (SPKI) and MatchingType 0/1/2 (Full / SHA-256 / SHA-512) are matched against the chain slot implied by the usage.
- Common STARTTLS ports (25, 110, 143, 389, 587, 5222, 5269) are auto-mapped; override via the `starttls` option keyed by `"<port>/<proto>"`.