diff util/prosodyctl/check.lua @ 14226:59c50c76860b

util.prosodyctl.check: Show TLSA records in DNS Doesn't yet check that these match your certificates, but can be compared to 'check certs'
author Kim Alvefur <zash@zash.se>
date Fri, 12 Jun 2026 23:08:09 +0200
parents 866422587486
children 84a72e9cb610
line wrap: on
line diff
--- a/util/prosodyctl/check.lua	Fri Jun 12 16:43:44 2026 +0200
+++ b/util/prosodyctl/check.lua	Fri Jun 12 23:08:09 2026 +0200
@@ -916,6 +916,7 @@
 		local s2s_ports = global:get_option_set("s2s_ports", {5269});
 		local c2s_tls_ports = global:get_option_set("c2s_direct_tls_ports", {});
 		local s2s_tls_ports = global:get_option_set("s2s_direct_tls_ports", {});
+		local use_dane = global:get_option_boolean("use_dane", true);
 
 		local global_enabled = set.new();
 		for host in enabled_hosts() do
@@ -1043,6 +1044,12 @@
 						if not ports:contains(record.srv.port) then
 							print("    SRV target " .. target .. " contains unknown " .. description .. " port: " .. record.srv.port);
 						end
+						if use_dane and res.secure then
+							local tlsa = dns.lookup("_"..record.srv.port.."._tcp."..target..".", "TLSA");
+							for i = 1, #tlsa do
+								print("    DANE: " .. tostring(tlsa[i]));
+							end
+						end
 					end
 				elseif required then
 					print("    No _" .. service .. " SRV record found for " .. domain .. ", but it looks like you need one.");