CERT Resolver Support? about dnspython HOT 3 CLOSED

On 26 Jan 2013, at 19:46, Alan Viars [email protected] wrote:

import dns.resolve
for rdata in dns.resolver.query('alan.direct.transparenthealth.org', 'CERT')
print rdata.target

This:

import dns.resolver
for rdata in dns.resolver.query('alan.direct.transparenthealth.org', 'CERT'):
print rdata

works for me:

$python example.py
PKIX 38725 RSASHA1 MIIDtzCCAyCgAwIBAgIIexSV8b464C8w DQYJKoZIhvcNAQEFBQAwgaExMDAuBgkq hkiG9w0BCQEWIXJvb3RAZGlyZWN0LnRy YW5zcGFyZW50aGVhbHRoLm9yZzEiMCAG A1UEAwwZVHJhbnNwYXJlbnRIZWFsdGgg Um9vdCBDQTEMMAoGA1UEBhMDVVNBMQsw CQYDVQQIDAJNRDESMBAGA1UEBwwJQmFs dGltb3JlMRowGAYDVQQKDBFUcmFuc3Bh cmVudEhlYWx0aDAeFw0xMjEwMjIxNjAz MDNaFw0xMzEwMjIxNjAzMDNaMIGMMTAw LgYJKoZIhvcNAQkBFiFhbGFuQGRpcmVj dC50cmFuc3BhcmVudGhlYWx0aC5vcmcx DTALBgNVBAMMBGFsYW4xDDAKBgNVBAYT A1VTQTELMAkGA1UECAwCTUQxEjAQBgNV BAcMCUJhbHRpbW9yZTEaMBgGA1UECgwR VHJhbnNwYXJlbnRIZWFsdGgwgZ8wDQYJ KoZIhvcNAQEBBQADgY0AMIGJAoGBAKg8 b/JbbzY6JEZ4f5oWfRabUalEN9oyIGY5 iMdCvou6XOXhZjulRxGaLU1h/HMIlKcK PizfHQfM27TcThN0v+tGpB5KR4usJswW 7B4jFTMzEWos+vQgKYTp0Ba/GY8yPQBU ooMci7VXwQGHigteBgIqzLospZuvILuq Q4DyspdFAgMBAAGjggEJMIIBBTCB1QYD VR0jBIHNMIHKgBTeVxgnNZiodoON8jYz 0dOIFZd3/6GBp6SBpDCBoTEwMC4GCSqG SIb3DQEJARYhcm9vdEBkaXJlY3QudHJh bnNwYXJlbnRoZWFsdGgub3JnMSIwIAYD VQQDDBlUcmFuc3BhcmVudEhlYWx0aCBS b290IENBMQwwCgYDVQQGEwNVU0ExCzAJ BgNVBAgMAk1EMRIwEAYDVQQHDAlCYWx0 aW1vcmUxGjAYBgNVBAoMEVRyYW5zcGFy ZW50SGVhbHRogggC/E/ve0cKQTAdBgNV HQ4EFgQUfcBGZcuFMFQnMO5spFmlKLri UFYwDAYDVR0TAQH/BAIwADANBgkqhkiG 9w0BAQUFAAOBgQBIfMyInF6gn4dVtapi h7oDRSjZgnqnaiooE5Aud5+DdasrmClm TfrcjZKPo1BMc0MMxd2XvR1VbyPc4eKL 81eP6johwirh1t5euYpgPHeJDDXjgzWI ziIcvo26aU5Xvu06at2T+0F1lSN+wgOt HrEp/onhyorHDxMfyMqMz1yXLg==

Any chance the dnspython you're using isn't 1.10? Prior to 1.10 dnspython's resolver didn't fail over to TCP, which is needed for such a big response (if you don't ask for EDNS0 at least).

from dnspython.

Bob:

Yep thanks that was it. I was using the version packaged with Ubuntu 12.04, which is 1.9. I just removed it and reinstalled dnspython with pip and it worked! Thanks so much! Any idea how I would print out just the certificate and/or just the just the algorithm instead of the getting everything?

print rdata.certificate()

Seems to print a binary version, (that I assume I could write to .der file??). I think i want to just fetch the cert. Is this possible?

Best,

Alan

from dnspython.

On 26 Jan 2013, at 22:02, Alan Viars [email protected] wrote:

Bob:

Yep thanks that was it. I was using the version packaged with Ubuntu 12.04, which is 1.9. I just removed it and reinstalled dnspython with pip and it worked! Thanks so much! Any idea how I would print out just the certificate and/or just the just the algorithm instead of the getting everything?

print rdata.certificate()
Seems to print a binary version, (that I assume I could write to .der file??). I think i want to just fetch the cert. Is this possible?

To print the algorithm as text

import dns.dnssec
print dns.dnssec.algorithm_to_text(rdata.algorithm)

The certificate for certificate type PKIX is as described in RFC 2538, sections 2.1 and 2.3. In particular, be aware that the DNS certificate field starts out with a length-encoded OID (e.g. 0x 03 55 04 24 for a user certificate) and then contains the actual certificate formatted according to PKIX (DER, I think). I expect you may have to strip off these initial four bytes, but I don't really know as I just deal with the DNS part of things and know next to nothing about X.509.

/Bob

from dnspython.