<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
<refentry id='tlsa'>
<refentryinfo><date>December 7, 2015</date></refentryinfo>
<refmeta>
<refentrytitle>tlsa</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo class='date'>December 7, 2015</refmiscinfo>
<refmiscinfo class='source'>Paul Wouters</refmiscinfo>
<refmiscinfo class='manual'>Internet / DNS</refmiscinfo>
</refmeta>
<refnamediv id='name'>
<refname>tlsa</refname>
<refpurpose>Create and verify RFC-6698 TLSA DNS records</refpurpose>
</refnamediv>
<!-- body begins here -->
<refsect1 id='syntax'><title>SYNTAX</title>
<para>tlsa [<option>-h</option>] [<option>--verify</option>] [<option>--create</option>] [<option>--version</option>]
[<option>-4</option>] [<option>-6</option>] [<option>--insecure</option>]
[<option>--resolvconf /PATH/TO/RESOLV.CONF</option>]
[<option>--port PORT</option>] [<option>--starttls {auto,smtp,imap,pop3,ftp}</option>]
[<option>--protocol {tcp,udp,sctp}</option>] [<option>--only-rr</option>]
[<option>--rootkey /PATH/TO/ROOT.KEY</option>]
[<option>--ca-cert /PATH/TO/CERTSTORE</option>]
[<option>--debug</option>] [<option>--quiet</option>] [<option>--certificate CERTIFICATE</option>]
[<option>--output {rfc,generic,both}</option>] [<option>--usage {0,1,2,3}</option>]
[<option>--selector {0,1}</option>] [<option>--mtype {0,1,2}</option>]
<emphasis remap='I'>hostname</emphasis>
</para>
</refsect1>
<refsect1 id='description'><title>DESCRIPTION</title>
<para>tlsa generates RFC-6698 TLSA DNS records. To generate these records for older nameserver
implementations that do not yet support the TLSA record type, specify <emphasis remap='I'>--output generic</emphasis>
to output the TLSA data in Generic Record (RFC-3597) format. Records are generated by connecting to the
server over SSL/TLS and grabbing the end-entity (EE) certificate and the CA chain. Depending on the usage,
selector and matching type chosen, this information is used to generate the TLSA records. Currently, tlsa has
no AXFR support for en-masse TLSA record generation.
</para>
</refsect1>
<refsect1 id='options'><title>OPTIONS</title>
<variablelist remap='TP'>
<varlistentry>
<term><option>--create</option> </term>
<listitem>
<para>Create a TLSA record</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--verify</option> </term>
<listitem>
<para>Verify a TLSA record</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--protocol</option> tcp | udp | sctp</term>
<listitem>
<para>Use a specific transport protocol (default: tcp)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--resolvconf</option> FILE</term>
<listitem>
<para>Specify a custom resolv.conf file (default: /etc/resolv.conf). Pass empty value (--resolvconf="") to disable default.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--port</option> PORT</term>
<listitem>
<para>Use specified port (default: 443)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--starttls</option> no | smtp | imap | pop3 | ftp</term>
<listitem>
<para>STARTTLS handshake type for protocols that need application-level commands before a TLS connection
can be started. Supported are 'ftp' (port 21), 'smtp' (port 25), 'pop3' (port 110) and 'imap' (port 143).
By default the type is selected based on the port number. The value 'no' overrides auto detection.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--only-rr</option></term>
<listitem>
<para>Only print the DNS TLSA record</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--certificate</option> file.crt</term>
<listitem>
<para>Use specified certificate file, instead of retrieving the certificate from the server. Can be a single cert or a complete chain.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--ca-cert</option> directory</term>
<listitem>
<para>Use specified directory containing CA bundles for CA validation (default: /etc/pki/tls/certs)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--rootkey</option> filename</term>
<listitem>
<para>Use specified file to read the DNSSEC root key (in anchor or bind format)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--output</option> rfc | generic | both </term>
<listitem>
<para>Output format of the TLSA record: the rfc format uses the "TLSA" record type name, the generic format the RFC-3597 "TYPE52" form (default: rfc)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--usage</option> 0 | 1 | 2 | 3</term>
<listitem>
<para>Usage type: public CA (0), EE match validated by public CA (1), private CA (2), private EE (3) (default: 3) </para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--selector</option> 0 | 1</term>
<listitem>
<para>The selector describes which part of the certificate the association data covers: the full certificate (0) or the public key (SubjectPublicKeyInfo) (1) (default: 0)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--mtype</option> 0 | 1 | 2</term>
<listitem>
<para>Matching type of the TLSA data: exact match on the selected content (0), SHA-256 hash (1) or SHA-512 hash (2) (default: 0)</para>
</listitem>
</varlistentry>
</variablelist>
<para>If neither create nor verify is specified, create is used.</para>
</refsect1>
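<refsect1 id='worked_example'><title>WORKED EXAMPLE</title>
<para>The usage, selector, mtype and output options above map directly onto the RFC-6698 record layout. The following Python is an added illustration, not part of hash-slinger or the tlsa tool: it builds the Certificate Association Data for a given selector and mtype, renders it in both the "TLSA" (rfc) and RFC-3597 "TYPE52" (generic) presentation forms, and performs the verify-side comparison. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, since extracting them from a real server is what tlsa itself does.</para>

```python
import hashlib
import hmac

TLSA_RRTYPE = 52  # RFC 6698 assigns TLSA the RR type code 52, hence "TYPE52" in generic output

# Constructed stand-ins for the DER bytes tlsa fetches from the server (not real certificates).
CERT_DER = b"constructed stand-in for a DER-encoded end-entity certificate"
SPKI_DER = b"constructed stand-in for its SubjectPublicKeyInfo"


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Certificate Association Data (RFC 6698 section 2.1): selector 0 covers the whole
    certificate, 1 only the SubjectPublicKeyInfo; mtype 0 embeds the selected bytes,
    1 their SHA-256 digest, 2 their SHA-512 digest."""
    if selector not in (0, 1):
        raise ValueError("selector must be 0 or 1")
    selected = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError("mtype must be 0, 1 or 2")


def owner_name(hostname: str, port: int = 443, protocol: str = "tcp") -> str:
    """TLSA owner name _port._protocol.hostname. (RFC 6698 section 3); tlsa's --port and --protocol."""
    return f"_{port}._{protocol}.{hostname}."


def tlsa_record(owner: str, usage: int, selector: int, mtype: int, data: bytes, fmt: str = "rfc") -> str:
    """Render one RR in RFC 6698 presentation form (fmt 'rfc') or RFC 3597 generic
    form (fmt 'generic'); these are the two forms chosen by tlsa --output."""
    if usage not in (0, 1, 2, 3):
        raise ValueError("usage must be 0..3")
    if fmt == "rfc":
        return f"{owner} IN TLSA {usage} {selector} {mtype} {data.hex()}"
    if fmt == "generic":
        # RDATA wire format: one byte each for usage, selector and mtype, then the association data.
        rdata = bytes([usage, selector, mtype]) + data
        return f"{owner} IN TYPE{TLSA_RRTYPE} \\# {len(rdata)} {rdata.hex()}"
    raise ValueError("fmt must be 'rfc' or 'generic'")


def matches(record_data: bytes, cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bool:
    """Verify side: recompute the association data from the certificate the server presented
    and compare it in constant time against the data published in DNS."""
    expected = association_data(cert_der, spki_der, selector, mtype)
    return hmac.compare_digest(record_data, expected)
```

For a real deployment the published record must be looked up with DNSSEC validation (tlsa uses unbound and the root key for this); a TLSA record that is not DNSSEC-signed gives no assurance about the server.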
<refsect1 id='requirements'><title>REQUIREMENTS</title>
<para>tlsa requires the following Python libraries: unbound, m2crypto, argparse and ipaddr</para>
</refsect1>
<refsect1 id='bugs'><title>BUGS</title>
<para>IPv4/IPv6 handling</para>
</refsect1>
<refsect1 id='examples'><title>EXAMPLES</title>
<para>Typical usage:</para>
<para>tlsa www.fedoraproject.org</para>
<para>tlsa --verify -4 nohats.ca </para>
<para>tlsa --create --insecure fedoraproject.org</para>
</refsect1>
<refsect1 id='see_also'><title>SEE ALSO</title>
<para><citerefentry><refentrytitle>sshfp</refentrytitle><manvolnum>1</manvolnum></citerefentry> <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry> and RFC-6698</para>
<para><ulink url='http://people.redhat.com/pwouters/hash-slinger/'>http://people.redhat.com/pwouters/hash-slinger/</ulink></para>
<para><ulink url='http://os3sec.org/'>http://os3sec.org/</ulink></para>
</refsect1>
<refsect1 id='authors'><title>AUTHORS</title>
<para>Pieter Lexis &lt;pieter.lexis@os3.nl&gt;</para>
</refsect1>
<refsect1 id='copyright'><title>COPYRIGHT</title>
<para>Copyright 2012</para>
<para>This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version. See &lt;<ulink url='http://www.fsf.org/copyleft/gpl.txt'>http://www.fsf.org/copyleft/gpl.txt</ulink>&gt;.</para>
<para>This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License (file COPYING in the distribution) for more details.</para>
</refsect1>
</refentry>