getdnsapi
diff --git a/‎examples/checkdanecert.py
Lines changed: 113 additions & 0 deletions b/‎examples/checkdanecert.py
Lines changed: 113 additions & 0 deletions
diff --git a/‎examples/example_address.py
Lines changed: 0 additions & 26 deletions b/‎examples/example_address.py
Lines changed: 0 additions & 26 deletions
diff --git a/‎examples/example_dnssec.py
Lines changed: 0 additions & 44 deletions b/‎examples/example_dnssec.py
Lines changed: 0 additions & 44 deletions
diff --git a/‎examples/example_hostname.py
Lines changed: 0 additions & 33 deletions b/‎examples/example_hostname.py
Lines changed: 0 additions & 33 deletions
diff --git a/‎examples/get-general.py
Lines changed: 47 additions & 0 deletions b/‎examples/get-general.py
Lines changed: 47 additions & 0 deletions
diff --git a/‎examples/get-ip-many.py
Lines changed: 15 additions & 0 deletions b/‎examples/get-ip-many.py
Lines changed: 15 additions & 0 deletions
diff --git a/‎examples/get-ip-only-secure.py
Lines changed: 21 additions & 0 deletions b/‎examples/get-ip-only-secure.py
Lines changed: 21 additions & 0 deletions
diff --git a/‎examples/get-ip.py
Lines changed: 16 additions & 0 deletions b/‎examples/get-ip.py
Lines changed: 16 additions & 0 deletions
diff --git a/‎examples/get-mx-ip.py
Lines changed: 51 additions & 0 deletions b/‎examples/get-mx-ip.py
Lines changed: 51 additions & 0 deletions
@@ -0,0 +1,113 @@
+#!/usr/bin/env python
+#
+# Get a TLS certificate from a HTTP server and verify it with
+# DANE/DNSSEC. Only supports TLSA usage type 3 (DANE-EE).
+# 
+
+import sys, socket, hashlib
+from M2Crypto import SSL, X509
+import getdns
+
+
+def compute_hash(func, string):
+    """compute hash of string using given hash function"""
+    h = func()
+    h.update(string)
+    return h.hexdigest()
+
+
+def get_tlsa_rdata_set(replies):
+    tlsa_rdata_set = []
+    for reply in replies:
+        for rr in reply['answer']:
+            if rr['type'] == getdns.GETDNS_RRTYPE_TLSA:
+                rdata = rr['rdata']
+                usage = rdata['certificate_usage']
+                selector = rdata['selector']
+                matching_type = rdata['matching_type']
+                cadata = rdata['certificate_association_data']
+                cadata = str(cadata).encode('hex')
+                tlsa_rdata_set.append(
+                    (usage, selector, matching_type, cadata) )
+    return tlsa_rdata_set
+
+
+def get_tlsa(port, proto, hostname):
+
+    qname = "_%d._%s.%s" % (port, proto, hostname)
+    ctx = getdns.Context()
+    extensions = { "dnssec_return_only_secure": getdns.GETDNS_EXTENSION_TRUE }
+    results = ctx.general(name=qname,
+                          request_type=getdns.GETDNS_RRTYPE_TLSA,
+                          extensions=extensions)
+    status = results['status']
+
+    if status == getdns.GETDNS_RESPSTATUS_GOOD:
+        return get_tlsa_rdata_set(results['replies_tree'])
+    else:
+        print "getdns: failed looking up TLSA record, code: %d" % status
+        return None
+
+
+def verify_tlsa(cert, usage, selector, matchtype, hexdata1):
+
+    if usage != 3:
+        print "Only TLSA usage type 3 is currently supported"
+        return
+
+    if selector == 0:
+        certdata = cert.as_der()
+    elif selector == 1:
+        certdata = cert.get_pubkey().as_der()
+    else:
+        raise ValueError("selector type %d not recognized" % selector)
+
+    if matchtype == 0:
+        hexdata2 = hexdump(certdata)
+    elif matchtype == 1:
+        hexdata2 = compute_hash(hashlib.sha256, certdata)
+    elif matchtype == 2:
+        hexdata2 = compute_hash(hashlib.sha512, certdata)
+    else:
+        raise ValueError("matchtype %d not recognized" % matchtype)
+
+    if hexdata1 == hexdata2:
+        return True
+    else:
+        return False
+
+
+if __name__ == '__main__':
+
+    hostname, port = sys.argv[1:]
+    port = int(port)
+    tlsa_rdata_set = get_tlsa(port, "tcp", hostname)
+
+    ctx = SSL.Context()
+
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+
+    connection = SSL.Connection(ctx, sock=sock)
+    connection.connect((hostname, port))
+
+    chain = connection.get_peer_cert_chain()
+    # Get the first certificate from the chain (which will be the EE cert)
+    cert = chain[0]
+
+    # find a matching TLSA record entry for the certificate
+    tlsa_match = False
+    for (usage, selector, matchtype, hexdata) in tlsa_rdata_set:
+        if verify_tlsa(cert, usage, selector, matchtype, hexdata):
+            tlsa_match = True
+            print "Certificate matched TLSA record %d %d %d %s" % \
+                (usage, selector, matchtype, hexdata)
+        else:
+            print "Certificate did not match TLSA record %d %d %d %s"% \
+                (usage, selector, matchtype, hexdata)
+    if tlsa_match:
+        print "Found at least one matching TLSA record"
+
+    connection.close()
+    ctx.close()
+
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+#
+# Given a DNS name and type, return the records in the DNS answer
+# section only, excluding any RRSIG records.
+#
+
+import getdns, pprint, sys
+
+extensions = { "dnssec_return_status" : getdns.GETDNS_EXTENSION_TRUE }
+
+def get_rrtype(qtype):
+    try:
+        rrtype = eval("getdns.GETDNS_RRTYPE_%s" % qtype.upper())
+    except AttributeError:
+        print "Unknown DNS record type: %s" % qtype
+        sys.exit(1)
+    else:
+        return rrtype
+
+
+def print_answer(r):
+    pprint.pprint(r['replies_tree'][0]['answer'])
+    return
+
+
+if __name__ == '__main__':
+
+    qname, qtype = sys.argv[1:]
+    rrtype = get_rrtype(qtype)
+
+    ctx = getdns.Context()
+    results = ctx.general(name=qname, request_type=rrtype,
+                          extensions=extensions)
+    status = results['status']
+
+    if status == getdns.GETDNS_RESPSTATUS_GOOD:
+        for reply in results['replies_tree']:
+            answers = reply['answer']           # list of 1 here
+            for answer in answers:
+                if answer['type'] != getdns.GETDNS_RRTYPE_RRSIG:
+                    pprint.pprint(answer)
+    elif status == getdns.GETDNS_RESPSTATUS_NO_NAME:
+        print "%s, %s: no such name" % (qname, qtype)
+    elif status == getdns.GETDNS_RESPSTATUS_ALL_TIMEOUT:
+        print "%s, %s: query timed out" % (qname, qtype)
+    else:
+        print "%s, %s: unknown return code: %d" % results["status"]
@@ -0,0 +1,15 @@
+#!/usr/bin/env python
+
+import getdns, sys
+
+ctx = getdns.Context()
+extensions = { "return_both_v4_and_v6" : getdns.GETDNS_EXTENSION_TRUE }
+
+for hostname in sys.argv[1:]:
+    results = ctx.address(name=hostname, extensions=extensions)
+    if results["status"] == getdns.GETDNS_RESPSTATUS_GOOD:
+        for addr in results["just_address_answers"]:
+            print "%s: %s" % (hostname, addr["IPSTRING"])
+    else:
+        print "getdns.address() returned an error: %d" % results["status"]
+
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+
+import getdns, sys
+
+hostname = sys.argv[1]
+
+ctx = getdns.Context()
+extensions = {
+    "return_both_v4_and_v6" : getdns.GETDNS_EXTENSION_TRUE,
+    "dnssec_return_only_secure": getdns.GETDNS_EXTENSION_TRUE,
+}
+results = ctx.address(name=hostname, extensions=extensions)
+status = results['status']
+
+if status == getdns.GETDNS_RESPSTATUS_GOOD:
+    for addr in results["just_address_answers"]:
+        print addr["IPSTRING"]
+elif status == getdns.GETDNS_RESPSTATUS_NO_SECURE_ANSWERS:
+    print "No DNSSEC secured responses found"
+else:
+    print "getdns.address() returned error: %d" % status
@@ -0,0 +1,16 @@
+#!/usr/bin/env python
+
+import getdns, sys
+
+hostname = sys.argv[1]
+
+ctx = getdns.Context()
+extensions = { "return_both_v4_and_v6" : getdns.GETDNS_EXTENSION_TRUE }
+results = ctx.address(name=hostname, extensions=extensions)
+
+if results["status"] == getdns.GETDNS_RESPSTATUS_GOOD:
+    for addr in results["just_address_answers"]:
+        print addr["IPSTRING"]
+else:
+    print "getdns.address() returned an error: %d" % results["status"]
+
@@ -0,0 +1,51 @@
+#!/usr/bin/env python
+#
+
+"""
+Lookup an MX record and printout all the MX preference, target, and
+associated IP addresses of the targets.
+"""
+
+import getdns, pprint, sys
+
+extensions = { "return_both_v4_and_v6" : getdns.GETDNS_EXTENSION_TRUE }
+
+
+def get_ip(ctx, qname):
+    iplist = []
+    results = ctx.address(name=qname, extensions=extensions)
+    if results['status'] == getdns.GETDNS_RESPSTATUS_GOOD:
+        for addr in results["just_address_answers"]:
+            iplist.append(addr['IPSTRING'])
+    else:
+        print "getdns.address() returned an error: %d" % results['status']
+    return iplist
+
+
+if __name__ == '__main__':
+
+    qname = sys.argv[1]
+
+    ctx = getdns.Context()
+    results = ctx.general(name=qname, request_type=getdns.GETDNS_RRTYPE_MX)
+    status = results['status']
+
+    hostlist = []
+    if status == getdns.GETDNS_RESPSTATUS_GOOD:
+        for reply in results['replies_tree']:
+            answers = reply['answer']
+            for answer in answers:
+                if answer['type'] == getdns.GETDNS_RRTYPE_MX:
+                    iplist = get_ip(ctx, answer['rdata']['exchange'])
+                    for ip in iplist:
+                        hostlist.append( (answer['rdata']['preference'], \
+                                          answer['rdata']['exchange'], ip) )
+    elif status == getdns.GETDNS_RESPSTATUS_NO_NAME:
+        print "%s, %s: no such name" % (qname, qtype)
+    elif status == getdns.GETDNS_RESPSTATUS_ALL_TIMEOUT:
+        print "%s, %s: query timed out" % (qname, qtype)
+    else:
+        print "%s, %s: unknown return code: %d" % results["status"]
+
+    for (pref, mx, addr) in sorted(hostlist):
+        print pref, mx, addr