xenial (1) ldns-dane.1.gz

Provided by: ldnsutils_1.6.17-8ubuntu0.1_amd64 bug

NAME

       ldns-dane - verify or create TLS authentication with DANE (RFC6698)

SYNOPSIS

       ldns-dane [OPTIONS] verify name port
       ldns-dane [OPTIONS] -t tlsafile verify

       ldns-dane [OPTIONS] name port create
                 [ Certificate-usage [ Selector [ Matching-type ] ] ]

       ldns-dane -h
       ldns-dane -v

DESCRIPTION

       In  the  first  form: A TLS connection to name:port is established.  The TLSA resource record(s) for name
       are used to authenticate the connection.

       In the second form: The TLSA record(s) are read from tlsafile and used to authenticate  the  TLS  service
       they reference.

       In  the  third  form:  A  TLS connection to name:port is established and used to create the TLSA resource
       record(s) that would authenticate the connection.  The parameters for TLSA rr creation are:

       Certificate-usage:
              0      CA constraint
              1      Service certificate constraint
              2      Trust anchor assertion
              3      Domain-issued certificate (default)

       Selector:
              0      Full certificate (default)
              1      SubjectPublicKeyInfo

       Matching-type:
              0      No hash used
              1      SHA-256 (default)
              2      SHA-512

       In stead of numbers the first few letters of the value may be used.  Except for the hash algorithm  name,
       where the full name must be specified.

OPTIONS

       -4     TLS connect IPv4 only

       -6     TLS connect IPv6 only

       -a address
              Don't try to resolve name, but connect to address instead.

              This option may be given more than once.

       -b     print "name. TYPE52 \# size hexdata" form instead of TLSA presentation format.

       -c certfile
              Do  not  TLS  connect  to  name:port,  but authenticate (or make TLSA records) for the certificate
              (chain) in certfile instead.

       -d     Assume DNSSEC validity even when the TLSA records were acquired insecure or were bogus.

       -f CAfile
              Use CAfile to validate.

       -h     Print short usage help

       -i     Interact after connecting.

       -k keyfile
              Specify a file that contains a trusted DNSKEY or DS rr.  Key(s) are used when  chasing  signatures
              (i.e. -S is given).

              This option may be given more than once.

              Alternatively,  if  -k is not specified, and a default trust anchor (/etc/unbound/root.key) exists
              and contains a valid DNSKEY or DS record, it will be used as the trust anchor.

       -n     Do not verify server name in certificate.

       -o offset
              When creating a "Trust anchor assertion" TLSA resource record,  select  the  offsetth  certificate
              offset  from  the end of the validation chain. 0 means the last certificate, 1 the one but last, 2
              the second but last, etc.

              When offset is -1 (the default), the last certificate is used (like with 0)  that  MUST  be  self-
              signed.  This  can  help  to  make  sure  that the intended (self signed) trust anchor is actually
              present in the server certificate chain (which is a DANE requirement).

       -p CApath
              Use certificates in the CApath directory to validate.

       -s     When creating TLSA resource  records  with  the  "CA  Constraint"  and  the  "Service  Certificate
              Constraint" certificate usage, do not validate and assume PKIX is valid.

              For "CA Constraint" this means that verification should end with a self-signed certificate.

       -S     Chase signature(s) to a known key.

              Without  this  option,  the  local network is trusted to provide a DNSSEC resolver (i.e. AD bit is
              checked).

       -t tlsafile
              Read TLSA record(s) from tlsafile. When name and port are also given, only TLSA records that match
              the name, port and transport are used. Otherwise the owner name of the TLSA record(s) will be used
              to determine name, port and transport.

       -T     Return exit status 2 for PKIX validated connections without (secure) TLSA records(s)

       -u     Use UDP transport instead of TCP.

       -v     Show version and exit.

FILES

       /etc/unbound/root.key
              The file from which trusted keys are loaded for signature chasing, when no -k option is given.

SEE ALSO

       unbound-anchor(8)

AUTHOR

       Written by the ldns team as an example for ldns usage.

REPORTING BUGS

       Report bugs to ldns-team@nlnetlabs.nl.

       Copyright (C) 2012 NLnet Labs. This is free software. There is NO warranty; not even for  MERCHANTABILITY
       or FITNESS FOR A PARTICULAR PURPOSE.

                                                17 September 2012                                   ldns-dane(1)