tlsa.1
'\" t
.\" Title: tlsa
.\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: December 7, 2015
.\" Manual: Internet / DNS
.\" Source: Paul Wouters
.\" Language: English
.\"
.TH "TLSA" "1" "December 7, 2015" "Paul Wouters" "Internet / DNS"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
tlsa \- Create and verify RFC\-6698 TLSA DNS records
.SH "SYNTAX"
.PP
tlsa [\fB\-h\fR] [\fB\-\-verify\fR] [\fB\-\-create\fR] [\fB\-\-version\fR] [\fB\-4\fR] [\fB\-6\fR] [\fB\-\-insecure\fR] [\fB\-\-resolvconf /PATH/TO/RESOLV\&.CONF\fR] [\fB\-\-port PORT\fR] [\fB\-\-starttls {auto,smtp,imap,pop3,ftp}\fR] [\fB\-\-protocol {tcp,udp,sctp}\fR] [\fB\-\-only\-rr\fR] [\fB\-\-rootkey /PATH/TO/ROOT\&.KEY\fR] [\fB\-\-ca\-cert /PATH/TO/CERTSTORE\fR] [\fB\-\-debug\fR] [\fB\-\-quiet\fR] [\fB\-\-certificate CERTIFICATE\fR] [\fB\-\-output {rfc,generic,both}\fR] [\fB\-\-usage {0,1,2,3}\fR] [\fB\-\-selector {0,1}\fR] [\fB\-\-mtype {0,1,2}\fR]
\fIhostname\fR
.SH "DESCRIPTION"
.PP
tlsa generates RFC\-6698 TLSA DNS records\&. To generate these records for older nameserver implementations that do not yet support the TLSA record type, specify
\fI\-\-output generic\fR
to output the TLSA data in Generic Record (RFC\-3597) format\&. Records are generated by connecting to the server over SSL/TLS and grabbing the end\-entity (EE) certificate and the CA chain\&. Depending on the selector and matching type used, this information is used to generate the TLSA records\&. Currently, tlsa has no AXFR support for en masse TLSA record generation\&.
.SH "OPTIONS"
.PP
\fB\-\-create\fR
.RS 4
Create a TLSA record
.RE
.PP
\fB\-\-verify\fR
.RS 4
Verify a TLSA record
.RE
.PP
\fB\-\-protocol\fR tcp | udp | sctp
.RS 4
Use a specific transport protocol (default: tcp)
.RE
.PP
\fB\-\-resolvconf\fR FILE
.RS 4
Specify a custom resolv\&.conf file (default: /etc/resolv\&.conf)\&. Pass an empty value (\-\-resolvconf="") to disable the default\&.
.RE
.PP
\fB\-\-port\fR PORT
.RS 4
Use specified port (default: 443)
.RE
.PP
\fB\-\-starttls\fR no | smtp | imap | pop3 | ftp
.RS 4
STARTTLS script type for protocols that need special commands to start a TLS connection\&. Supported are \*(Aqftp\*(Aq (port 21), \*(Aqsmtp\*(Aq (port 25), \*(Aqpop3\*(Aq (port 110) and \*(Aqimap\*(Aq (port 143)\&. By default the type is selected based on the port number\&. The value \*(Aqno\*(Aq overrides auto detection\&.
.RE
.PP
\fB\-\-only\-rr\fR
.RS 4
Only print the DNS TLSA record
.RE
.PP
\fB\-\-certificate\fR file\&.crt
.RS 4
Use specified certificate file, instead of retrieving the certificate from the server\&. Can be a single cert or a complete chain\&.
.RE
.PP
\fB\-\-ca\-cert\fR directory
.RS 4
Use specified directory containing CA bundles for CA validation (default: /etc/pki/tls/certs)
.RE
.PP
\fB\-\-rootkey\fR filename
.RS 4
Use specified file to read the DNSSEC root key (in anchor or bind format)
.RE
.PP
\fB\-\-output\fR rfc | generic | both
.RS 4
Output format of TLSA record\&. "TLSA" for rfc, "TYPE52" for generic (default: rfc)
.RE
.PP
\fB\-\-usage\fR 0 | 1 | 2 | 3
.RS 4
Usage type: public CA (0), EE match validated by public CA (1), private CA (2), private EE (3) (default: 3)
.RE
.PP
\fB\-\-selector\fR 0 | 1
.RS 4
The selector describes what the matching data covers: the full certificate (0) or the public key (1) (default: 0)
.RE
.PP
\fB\-\-mtype\fR 0 | 1 | 2
.RS 4
Matching type of the TLSA data: exact match on content (0), SHA\-256 (1) or SHA\-512 (2) (default: 0)
.RE
.PP
If neither \-\-create nor \-\-verify is specified, \-\-create is assumed\&.
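As an added example (not part of this man page or of hash\-slinger's own code), the record derivation the DESCRIPTION and the \-\-usage/\-\-selector/\-\-mtype/\-\-output options describe, in Python: a minimal DER walk reaches the SubjectPublicKeyInfo for selector 1, the matching type picks exact content, SHA\-256 or SHA\-512, and the result is printed in both the RFC and the RFC\-3597 TYPE52 form, with a verify step that recomputes the association data\&. The certificate is a constructed placeholder built inline, not one fetched from a server\&.

```python
import hashlib
# Added example (not hash-slinger's code): TLSA records from a DER certificate.
def der_read(buf: bytes, off: int):
    """Return (tag, content_start, content_end) of the DER TLV at buf[off]."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                          # long-form length: 0x80|n, then n bytes
        nb = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + nb], "big"), off + nb
    return tag, off, off + ln
def der_children(buf: bytes) -> list:
    """Split a constructed DER element into its child TLVs (raw bytes)."""
    _, off, end = der_read(buf, 0)
    kids = []
    while off < end:
        kids.append(buf[off:der_read(buf, off)[2]])
        off += len(kids[-1])
    return kids
def tlsa_data(cert_der: bytes, selector: int) -> bytes:
    """Selector 0: the whole certificate; selector 1: its SubjectPublicKeyInfo."""
    if selector == 0:
        return cert_der
    fields = der_children(der_children(cert_der)[0])   # TBSCertificate fields
    # version is [0] EXPLICIT OPTIONAL (tag 0xA0): SPKI is field 7 if present, else 6
    return fields[6] if fields[0][0] == 0xA0 else fields[5]
def tlsa_match(data: bytes, mtype: int) -> bytes:
    """Matching type 0: exact content; 1: SHA-256; 2: SHA-512."""
    return data if mtype == 0 else {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).digest()
def tlsa_record(host, cert_der, port=443, proto="tcp", usage=3, selector=1, mtype=1, output="rfc"):
    """Presentation-format record(s), like tlsa --output {rfc,generic,both}."""
    cad = tlsa_match(tlsa_data(cert_der, selector), mtype)
    owner = f"_{port}._{proto}.{host}."
    rfc = f"{owner} IN TLSA {usage} {selector} {mtype} {cad.hex()}"
    rdata = bytes([usage, selector, mtype]) + cad      # wire-format RDATA
    generic = f"{owner} IN TYPE52 \\# {len(rdata)} {rdata.hex()}"   # RFC 3597 form
    return {"rfc": rfc, "generic": generic, "both": rfc + "\n" + generic}[output]
def tlsa_verify(record: str, cert_der: bytes) -> bool:
    """Recompute the association data from the certificate and compare with the record."""
    _, selector, mtype, cad = record.split()[-4:]
    return tlsa_match(tlsa_data(cert_der, int(selector)), int(mtype)).hex() == cad.lower()
def tlv(tag: int, content: bytes) -> bytes:        # short-form DER encoder for the sample
    return bytes([tag, len(content)]) + content

# Constructed placeholder certificate (empty issuer/subject, zero-length signature);
# only the SPKI is meaningful for selector 1.  OID 1.3.101.112 is id-Ed25519.
ALG = tlv(0x30, tlv(0x06, b"\x2b\x65\x70"))
SPKI = tlv(0x30, ALG + tlv(0x03, b"\x00" + bytes(range(32))))
CERT = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + ALG + tlv(0x30, b"")
                 + tlv(0x30, tlv(0x17, b"151207000000Z") * 2) + tlv(0x30, b"") + SPKI)
                 + ALG + tlv(0x03, b"\x00"))
```

Calling tlsa_record("www.example.com", CERT, output="both") prints the same pair of lines the tool emits for \-\-output both; a real certificate uses long-form DER lengths, which der_read also handles.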
.SH "REQUIREMENTS"
.PP
tlsa requires the following Python libraries: unbound, m2crypto, argparse and ipaddr
.SH "BUGS"
.PP
IPv4/IPv6 handling
.SH "EXAMPLES"
.PP
Typical usage:
.PP
tlsa www\&.fedoraproject\&.org
.PP
tlsa \-\-verify \-4 nohats\&.ca
.PP
tlsa \-\-create \-\-insecure fedoraproject\&.org
.SH "SEE ALSO"
.PP
\fBsshfp\fR(1), \fBssh\-keygen\fR(1) and RFC\-6698
.PP
\m[blue]\fBhttps://github\&.com/letoams/hash\-slinger\fR\m[]
.PP
\m[blue]\fBhttp://os3sec\&.org/\fR\m[]
.SH "AUTHORS"
.PP
Pieter Lexis <pieter\&.lexis@os3\&.nl>
.SH "COPYRIGHT"
.PP
Copyright 2012
.PP
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version\&. See <\m[blue]\fBhttp://www\&.fsf\&.org/copyleft/gpl\&.txt\fR\m[]>\&.
.PP
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License (file COPYING in the distribution) for more details\&.