1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
|
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
<refentry id='tlsa'>
<refentryinfo><date>December 7, 2015</date></refentryinfo>
<refmeta>
<refentrytitle>tlsa</refentrytitle>
<manvolnum>1</manvolnum>
<refmiscinfo class='date'>December 7, 2015</refmiscinfo>
<refmiscinfo class='source'>Paul Wouters</refmiscinfo>
<refmiscinfo class='manual'>Internet / DNS</refmiscinfo>
</refmeta>
<refnamediv id='name'>
<refname>tlsa</refname>
<refpurpose>Create and verify RFC-6698 TLSA DNS records</refpurpose>
</refnamediv>
<!-- body begins here -->
<refsect1 id='syntax'><title>SYNTAX</title>
<para>tlsa [<option>-h</option>] [<option>--verify</option>] [<option>-create</option>] [<option>--version</option>]
[<option>-4</option>] [<option>-6</option><option>--insecure</option>]
[<option>--resolv.conf /PATH/TO/RESOLV.CONF</option>]
[<option>--port PORT</option>] [<option>--starttls {auto,smtp,imap,pop3,ftp}</option>]
[<option>--protocol {tcp,udp,sctp}</option>] [<option>--ponly-rr</option>]
[<option>--rootkey /PATH/TO/ROOT.KEY</option>]
[<option>--ca-cert /PATH/TO/CERTSTORE</option>]
[<option>--debug</option>] [<option>--quiet</option>] [<option>--certificate CERTIFICATE</option>]
[<option>--output {rfc,generic,both}</option>] [<option>--usage {0,1,2,3}</option>]
[<option>--selector {0,1}</option>] [<option>-mtype {0,1,2}</option>]
<emphasis remap='I'>hostname</emphasis>
<!-- .br -->
</para>
</refsect1>
<refsect1 id='description'><title>DESCRIPTION</title>
<para>tlsa generates RFC-6698 TLSA DNS records. To generate these records for older nameserver
implementations that do not yet support the TLSA record, specify <emphasis remap='I'>--output generic</emphasis>
to output the tlsa data in Generic Record (RFC-3597) format. Records are generated by connecting to the website using SSL and grabbing the (EE) certificate and the CA chain. Depending on the type and selector used, this information is used
to generate TLSA records. Currently. tlsa has no AXFR support for en-mass TLSA record generation.
</para>
</refsect1>
<refsect1 id='options'><title>OPTIONS</title>
<variablelist remap='TP'>
<varlistentry>
<term><option>--create</option> </term>
<listitem>
<para>Create a TLSA record</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--verify</option> </term>
<listitem>
<para>Verify a TLSA record</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--protocol</option> tcp | udp | sctp</term>
<listitem>
<para>Use a specific transport protocol (default: tcp)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--resolvconf</option> FILE</term>
<listitem>
<para>Specify a custom resolv.conf file (default: /etc/resolv.conf). Pass empty value (--resolvconf="") to disable default.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--port</option> PORT</term>
<listitem>
<para>Use specified port (default: 443)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--starttls</option> no | smtp | imap | pop3 | ftp</term>
<listitem>
<para>Start script type for protocols which need special commands to start a TLS connection. Supported are
'ftp' (port 21), 'smtp' (port 25), 'pop3' (port 110) and 'imap' (port 143). The default selects the type
based on the port number. The value 'no' overrides auto detection.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--only-rr</option></term>
<listitem>
<para>Only print the DNS TLSA record</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--certificate</option> file.crt</term>
<listitem>
<para>Use specified certificate file, instead of retrieving the certificate from the server. Can be a single cert or a complete chain.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--ca-cert</option> directory</term>
<listitem>
<para>Use specified directory containing CA bundles for CA validation (default: /etc/pki/tls/certs)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--rootkey</option> filename</term>
<listitem>
<para>Use specified file to read the DNSSEC root key (in anchor or bind format)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--output</option> rfc | generic | both </term>
<listitem>
<para>Output format of TLSA record. "TLSA" for rfc, "TYPE52" for generic (default: rfc)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--usage</option> 0 | 1 | 2 | 3</term>
<listitem>
<para>Usage type: public CA (0), EE match validated by public CA (1), private CA (2), private EE (3) (default: 3) </para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--selector</option> 0 | 1</term>
<listitem>
<para>The selector type describes what the type covers - full certificate (0) or public key (1) (default: 0)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--mtype</option> 0 | 1 | 2</term>
<listitem>
<para>Type of the TLSA data. Exact match on content (0), SHA256 (1) or SHA512 (2) (default: 0)</para>
</listitem>
</varlistentry>
</variablelist>
<para>If neither create or verify is specified, create is used.</para>
</refsect1>
<refsect1 id='requirements'><title>REQUIREMENTS</title>
<para>tlsa requires the following python libraries: unbound, m2crypto, argparse and ipaddr</para>
</refsect1>
<refsect1 id='bugs'><title>BUGS</title>
<para>ipv4/ipv6 handling</para>
</refsect1>
<refsect1 id='examples'><title>EXAMPLES</title>
<para>typical usage:</para>
<para>tlsa www.fedoraproject.org</para>
<para>tlsa --verify -4 nohats.ca </para>
<para>tlsa --create --insecure fedoraproject.org</para>
</refsect1>
<refsect1 id='see_also'><title>SEE ALSO</title>
<para><citerefentry><refentrytitle>sshfp</refentrytitle><manvolnum>1</manvolnum></citerefentry> <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry>and RFC-6698</para>
<para><ulink url='http://people.redhat.com/pwouters/hash-slinger/'>http://people.redhat.com/pwouters/hash-slinger/</ulink></para>
<para><ulink url='http://os3sec.org/'>http://os3sec.org/</ulink></para>
</refsect1>
<refsect1 id='authors'><title>AUTHORS</title>
<para>Pieter Lexis <pieter.lexis@os3.nl></para>
</refsect1>
<refsect1 id='copyright'><title>COPYRIGHT</title>
<para>Copyright 2012</para>
<para>This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 2 of the License, or (at your
option) any later version. See <<ulink url='http://www.fsf.org/copyleft/gpl.txt'>http://www.fsf.org/copyleft/gpl.txt</ulink>>.</para>
<para>This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
Public License (file COPYING in the distribution) for more details.</para>
</refsect1>
</refentry>
|
