# HG changeset patch # User Kim Alvefur # Date 1781298489 -7200 # Node ID 59c50c76860b1f9072e06232f2694f408d7422d9 # Parent 8664225874860b0a8bdcb833f0ecf2077135cf6d util.prosodyctl.check: Show TLSA records in DNS Doesn't yet check that these match your certificates, but can be compared to 'check certs' diff -r 866422587486 -r 59c50c76860b util/prosodyctl/check.lua --- a/util/prosodyctl/check.lua Fri Jun 12 16:43:44 2026 +0200 +++ b/util/prosodyctl/check.lua Fri Jun 12 23:08:09 2026 +0200 @@ -916,6 +916,7 @@ local s2s_ports = global:get_option_set("s2s_ports", {5269}); local c2s_tls_ports = global:get_option_set("c2s_direct_tls_ports", {}); local s2s_tls_ports = global:get_option_set("s2s_direct_tls_ports", {}); + local use_dane = global:get_option_boolean("use_dane", true); local global_enabled = set.new(); for host in enabled_hosts() do @@ -1043,6 +1044,12 @@ if not ports:contains(record.srv.port) then print(" SRV target " .. target .. " contains unknown " .. description .. " port: " .. record.srv.port); end + if use_dane and res.secure then + local tlsa = dns.lookup("_"..record.srv.port.."._tcp."..target..".", "TLSA"); + for i = 1, #tlsa do + print(" DANE: " .. tostring(tlsa[i])); + end + end end elseif required then print(" No _" .. service .. " SRV record found for " .. domain .. ", but it looks like you need one.");