How to Test DNSSEC and DANE on a Domain

Here’s a simple way to check if DANE is properly setup on a site:

# echo -n | openssl s_client -connect | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -noout -fingerprint -sha256 | tr -d :
depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
SHA256 Fingerprint=461479314CDEC67FB609C812EB74737BAA5327455AD422BA606C88DD530BF2C2

And then compare that value against published TLSA record:

# dig +short TLSA
3 0 1 461479314CDEC67FB609C812EB74737BAA5327455AD422BA606C88DD 530BF2C2

These value should match. If they don’t assume the site has been compromised.

This assumes of course the domain is also signed with DNSSEC. A properly configured domain:

How to Test DNSSEC and DANE on a Domain