Problems creating a DANE record using API

So I'm kinda stuck here.
I am trying to create a script that automatically creates DANE records using the latest Cloudflare public key and then publishes them using the API.

#!/bin/bash
set -eu

# Set these variables to your Cloudflare API key and email address
auth_key="your-api-key"
auth_email="your-email-address"

# Set this variable to the zone ID for the domain (the account ID is not needed for this call)
zone_id="your-zone-id"

# Set this variable to the domain name
domain="www.example.com"

# Get the SSL/TLS certificate for the domain (send SNI so the right certificate is returned)
certificate=$(echo | openssl s_client -connect "$domain:443" -servername "$domain" 2>/dev/null | openssl x509 -outform PEM)

# Extract the public key (SubjectPublicKeyInfo) as DER and take its SHA-256.
# A "3 1 1" TLSA record carries the hex SHA-256 of the DER SPKI, not a base64-encoded PEM key.
spki_hash=$(echo "$certificate" | openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}')

# Create the DANE record using the Cloudflare API.
# TLSA records are sent as a "data" object (usage, selector, matching_type, certificate);
# that is what the "usage is a required data field" error asks for. A "content" string is not accepted.
curl -X POST "https://api.cloudflare.com/client/v4/zones/$zone_id/dns_records" \
     -H "Content-Type: application/json" \
     -H "X-Auth-Key: $auth_key" \
     -H "X-Auth-Email: $auth_email" \
     -d "{\"type\":\"TLSA\",\"name\":\"_443._tcp.$domain\",\"data\":{\"usage\":3,\"selector\":1,\"matching_type\":1,\"certificate\":\"$spki_hash\"},\"ttl\":3600}"

I get this response:

{"result":null,"success":false,"errors":[{"code":1004,"message":"DNS Validation Error","error_chain":[{"code":9101,"message":"usage is a required data field."}]}],"messages":[]}

thanks in advance

It sounds like the DNS record you are trying to send is invalid. I would try having curl with more verbose output to see what the DNS record looks like.

There you go m8:

https://github.com/websecnl/Cloudflare-DANE-Auto-Updater/

This will automatically update the TLSA record for you. Since CF uses 90-day maximum certificates, this means that for DANE you have to change the TLSA record public key every 90 days as well. Just run this script in a cronjob every month or so and you should be fine.
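As an added example (not from this thread or the linked updater script), here is the record construction in Python, covering both the API error in the question and the rotation point in the last reply: it derives the association data from the PEM public key that `openssl x509 -pubkey -noout` prints, builds the Cloudflare request body with the `data` object (usage, selector, matching_type, certificate) the error message refers to, and checks the records already published for the name so a cron job only rewrites when the key has actually rotated. It goes beyond the thread's "3 1 1" case by handling all three matching types. The `SAMPLE_PEM` value is a constructed placeholder, not a real key.

```python
import base64
import hashlib
import json
import re

# Selector 0 = whole certificate DER, 1 = SubjectPublicKeyInfo DER.
# Matching type 0 = raw hex, 1 = SHA-256 hex, 2 = SHA-512 hex (RFC 6698).

def der_from_pem(pem: str, label: str = "PUBLIC KEY") -> bytes:
    """Decode one PEM block (as printed by `openssl x509 -pubkey -noout`) to DER bytes."""
    m = re.search(rf"-----BEGIN {label}-----(.*?)-----END {label}-----", pem, re.S)
    if not m:
        raise ValueError(f"no {label} block found")
    return base64.b64decode("".join(m.group(1).split()))

def tlsa_data(der: bytes, usage: int = 3, selector: int = 1, matching_type: int = 1) -> dict:
    """Return the Cloudflare 'data' object for a TLSA record; 'certificate' is hex, not base64."""
    if usage not in (0, 1, 2, 3) or selector not in (0, 1):
        raise ValueError("invalid usage or selector")
    if matching_type == 0:
        assoc = der.hex()
    elif matching_type == 1:
        assoc = hashlib.sha256(der).hexdigest()
    elif matching_type == 2:
        assoc = hashlib.sha512(der).hexdigest()
    else:
        raise ValueError("matching_type must be 0, 1 or 2")
    return {"usage": usage, "selector": selector,
            "matching_type": matching_type, "certificate": assoc}

def cloudflare_body(domain: str, der: bytes, port: int = 443, ttl: int = 3600) -> dict:
    """Request body for POST /zones/{zone_id}/dns_records (JSON-encode before sending)."""
    return {"type": "TLSA", "name": f"_{port}._tcp.{domain}",
            "data": tlsa_data(der), "ttl": ttl}

def needs_update(existing: list, der: bytes) -> bool:
    """True unless a record already published for the name matches the live key,
    so a periodic job only writes when the certificate has actually rotated."""
    want = tlsa_data(der)
    return not any(r.get("data") == want for r in existing)

# Constructed placeholder: the bytes 'abc' stand in for a real DER SubjectPublicKeyInfo.
SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\nYWJj\n-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    der = der_from_pem(SAMPLE_PEM)
    print(json.dumps(cloudflare_body("www.example.com", der), indent=2))
```

For a real run, feed the PEM from `openssl s_client ... | openssl x509 -pubkey -noout` into `der_from_pem` and fetch `existing` from the zone's `dns_records` listing filtered to the TLSA name.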