Ensure that postfix will be able to use the TLSA records

see https://www.huque.com/dane/testsite/ for the testcases
Florent Daigniere 3 years ago
parent ef5f82362c
commit c1d94bb725

@ -44,14 +44,14 @@ resolver = dns.resolver.Resolver()
resolver.use_edns(0, 0, 1500) resolver.use_edns(0, 0, 1500)
resolver.flags = dns.flags.AD | dns.flags.RD resolver.flags = dns.flags.AD | dns.flags.RD
def has_dane_record(domain, timeout=5): def has_dane_record(domain, timeout=10):
try: try:
result = resolver.query(f'_25._tcp.{domain}', dns.rdatatype.TLSA,dns.rdataclass.IN, lifetime=timeout) result = resolver.query(f'_25._tcp.{domain}', dns.rdatatype.TLSA,dns.rdataclass.IN, lifetime=timeout)
if (result.response.flags & dns.flags.AD) == dns.flags.AD: if (result.response.flags & dns.flags.AD) == dns.flags.AD:
for record in result: for record in result:
if isinstance(record, dns.rdtypes.ANY.TLSA.TLSA): if isinstance(record, dns.rdtypes.ANY.TLSA.TLSA):
record.validate() record.validate()
if record.usage in [2,3]: # postfix wants DANE-only if record.usage in [2,3] and record.selector in [0,1] and record.mtype in [0,1,2]:
return True return True
except dns.resolver.NoNameservers: except dns.resolver.NoNameservers:
# If the DNSSEC data is invalid and the DNS resolver is DNSSEC enabled # If the DNSSEC data is invalid and the DNS resolver is DNSSEC enabled
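Review bot: The rewritten condition `if record.usage in [2,3] and record.selector in [0,1] and record.mtype in [0,1,2]:` drops the old `# postfix wants DANE-only` rationale and now carries six bare magic numbers, so a reader cannot tell why exactly these parameter values are accepted. I would either restore a comment naming them, e.g. `# Only the TLSA params Postfix can use (RFC 6698): usage DANE-TA(2)/DANE-EE(3), selector Cert(0)/SPKI(1), mtype Full(0)/SHA-256(1)/SHA-512(2)`, or hoist them into module-level constants such as `USABLE_USAGES = {2, 3}` and test membership against those. The default `timeout` doubling from 5 to 10 in the signature is not explained by the commit message either; a short reason in a docstring would help the next maintainer. has_dane_record's body continues past the hunk, so I cannot see what is returned when the RRset exists but no record passes the filter — worth documenting, since as far as I know Postfix treats "TLSA present but unusable" differently from "no TLSA at all".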
