Provided by: hash-slinger_2.6-1_amd64 bug

NAME

       tlsa - Create and verify RFC-6698 TLSA DNS records

SYNTAX

       tlsa [-h] [--verify] [-create] [--version] [-4] [-6--insecure] [--resolv.conf
       /PATH/TO/RESOLV.CONF] [--port PORT] [--protocol {tcp,udp,sctp}] [--ponly-rr] [--ca-cert
       /PATH/TO/CERTSTORE ] [--rootkey /PATH/TO/ROOT.KEY ] [--quiet] [--certificate CERTIFICATE ]
       [--output {rfc,generic,both}] [-usage {0,1,2,3} ] [--selector {0,1}] [-mtype {0,1,2} ]
       hostname

DESCRIPTION

       tlsa generates RFC-6698 TLSA DNS records. To generate these records for older nameserver
       implementations that do not yet support the TLSA record, specify --output generic to
       output the tlsa data in Generic Record (RFC-3597) format. Records are generated by
       connecting to the website using SSL and grabbing the (EE) certificate and the CA chain.
       Depending on the type and selector used, this information is used to generate TLSA
       records. Currently. tlsa has no AXFR support for en-mass TLSA record generation.

OPTIONS

       --create
           Create a TLSA record

       --verify
           Verify a TLSA record

       --protocol tcp | udp | sctp
           Use a specific transport protocol (default: tcp)

       --resolvconf FILE
           Specify a custom resolv.conf file (default: /etc/resolv.conf)

       --port PORT
           Use specified port (default: 443)

       --only-rr
           Only print the DNS TLSA record

       --certificate file.crt
           Use specified certificate file, instead of retrieving the certificate from the server

       --ca-cert directory
           Use specified directory containing CA bundles for CA validation
           (default:/etc/pki/tls/certs)

       --rootkey filename
           Use specified file to read the DNSSEC root key (in anchor or bind format)

       --output rfc | generic | both
           Output format of TLSA record. "TLSA" for rfc, "TYPE52" for generic (default: rfc)

       --usage0 | 1 | 2 | 3
           Usage type: public CA (0), EE match validated by public CA (1), private CA (2),
           private EE (3) (default:3)

       --selector0 | 1
           The selector type describes what the type covers - full certificate (0) or public key
           (1) (default:0)

       --mtype0 | 1 | 2
           Type of the TLSA data. Exact match on content (0), SHA256 (1) or SHA512 (2)
           (default:0)

       If neither create or verify is specified, create is used.

REQUIREMENTS

       tlsa requires the following python libraries: unbound, m2crypto, argparse and ipaddr

BUGS

       ipv4/ipv6 handling

EXAMPLES

       typical usage:

       tlsa www.fedoraproject.org

       tlsa --verify -4 nohats.ca

       tlsa --create --insecure fedoraproject.org

SEE ALSO

       sshfp(1)ssh-keygen(1)and RFC-6698

       http://people.redhat.com/pwouters/hash-slinger/

       http://os3sec.org/

AUTHORS

       Pieter Lexis <pieter.lexis@os3.nl>

COPYRIGHT

       Copyright 2012

       This program is free software; you can redistribute it and/or modify it under the terms of
       the GNU General Public License as published by the Free Software Foundation; either
       version 2 of the License, or (at your option) any later version. See
       <http://www.fsf.org/copyleft/gpl.txt>.

       This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
       without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
       See the GNU General Public License (file COPYING in the distribution) for more details.