This repository contains code for proof-of-concept client implementation of stateless DANE.
Server part can be found here: https://github.com/htools-org/stateless-dane.
Based on letsdane.
Similar to letsdane, it sets up a proxy server which listens for incoming connections, resolves the hostname, checks if the provided certificate is correct and then outputs a self-signed certificate (signed by local certificate authority which has to be added to the browser's trusted ones).
Internally it uses hnsd to sync tree roots. The initial syncronization might take several minutes. Afterwards, using checkpoints, hnsd has to syncrhonize last ~2k roots which usually takes 5 seconds. After synchronization, hnsd is terminated.
Internal hnsd daemon has 5350
as a default port.
Install dependencies:
apt-get install libgetdns-dev
brew install getdns
git clone https://github.com/randomlogin/sane.git && cd sane/cmd/sane
go build
Next, in order to use SANE it's needed to have hnsd installed. Please, follow build instraction in hnsd repository.
One can provide the path to the hnsd
executable either via flag -hnsd
or via environment variable
export HNSD_PATH="~/hnsd/hnsd"
Default directory containing CA files and saved tree roots is ~/.sane/
.
Windows users are encouraged to use docker container to run sane.
SANE can be run as a docker container:
- Build container
docker build .
- Run sane
sudo dicker run -p 9590:9590 sane -r https://hnsdoh.com -external-service https://sdaneproofs.htools.work/proofs/ --verbose -addr 0.0.0.0:9590
- Copy the generated certificate from the container:
sudo docker cp $(sudo docker ps | grep sane | awk '{print $1}'):/root/.sane/cert.crt cert.crt
- Perhaps you also will need to change permissions to the certificate:
sudo chown $(whoami) cert.crt
to add them to your browser
SANE will generate a certificate authority and store it in ~/.sane
when you start it for the first time.
To start SANE using handshake DNS Over HTTPS resolver:
export HNSD_PATH="~/hnsd/hnsd"
./sane -r https://hnsdoh.com
An additional parameter can be added: the external server which provides both DNSSEC and urkel proof for the domain, which allows to browse websites without SANE-compliant certificates (of course this external service must be trusted).
./sane -r https://hnsdoh.com -external-service https://sdaneproofs.htools.work/proofs/
Additional arguments can be viewed by invoking help:
./sane --help
SANE looks for an extension in the certificate which contains an urkel tree proof, verifies it, checks if the root is not
older than a week.
Native golang implementation of urkel tree is used.
Another extension from the certificate contains DNSSEC verifiation chain. Its verification is done locally using getdns, it does not call any resolvers.
Uses an external service for providing the proof data.
There are several public community-hosted external services:
- https://sdaneproofs.htools.work/proofs/ (@rithvikvibhu)
- https://sdaneproofs.woodburn.au/proofs (@nathanwoodburn)
- https://sdaneproofs.shakestation.io/proofs
- Add SANE proxy to your web browser
127.0.0.1:8080
(Firefox example) - Import the certificate file into your browser certificate store (Firefox example).
Go 1.21+
hnsd 2.99.0+
Following websites provide examples of websites compliant with SANE (including wildcard certificates):
Default output log provides sufficient information about what is happening, though additional --verbose
flag might
help to locate the exact code locations where the logging comes from.