IPSEC LWDNSQ(8) [FIXME: manual] IPSEC LWDNSQ(8)

NAME
lwdnsq - lookup items in DNS to help pluto (and others)

SYNOPSIS
ipsec lwdnsq [--help] [--prompt] [--serial] [--debug] [--log logfile]
[--regress] [--ignoreeof]

DESCRIPTION
ipsec lwdnsq is a helper program that does DNS lookups for other
programs. It implements an asynchronous interface on stdin/stdout, with
an ASCII driven command language.

If stdin is a tty or if the --prompt option is given, then it issues a
prompt to the user. Otherwise, it is silent, except for results.

The program will accept multiple queries concurrently, with each result
being marked, on the output, with the ID that was provided in the query.
The IDs are strings.

If the --serial option is given, then the program will not attempt to
execute concurrent queries, but will serialize all input and output.

The program understands the commands listed below. They look up
different types of records in both the forward and reverse maps. Every
query includes a queryid, which is returned in the output, on every
single line, to identify the transaction.

HELP
This request lists the available commands.

QUIT
This request causes lwdnsq to quit.

DEBUG
This request enables debugging.

KEY queryid FQDN
This request looks up the KEY resource record for the given FQDN.

KEY4 queryid A.B.C.D
This request looks up the KEY resource record found in the reverse map
for the IP version 4 address A.B.C.D, i.e. it looks up
D.C.B.A.in-addr.arpa.

KEY6 queryid A:B::C:D
This request looks up the KEY resource record found in the reverse map
for the IPv6 address A:B::C:D, i.e. it looks up the 32-nibble long entry
in ip6.arpa (and ip6.int).

TXT queryid A.B.C.D
This request looks up the TXT resource record found[?]

TXT4 queryid A.B.C.D
This request looks up the TXT resource record found in the reverse map
for the IP version 4 address A.B.C.D, i.e. it looks up
D.C.B.A.in-addr.arpa.

TXT6 queryid A:B::C:D
This request looks up the TXT resource record found in the reverse map
for the IPv6 address A:B::C:D, i.e. it looks up the 32-nibble long entry
in ip6.arpa (and ip6.int).

IPSECKEY queryid FQDN
This request looks up the IPSECKEY resource record for the given FQDN.
See the note about IPSECKEY processing, below.

IPSECKEY queryid A.B.C.D
This request looks up the IPSECKEY resource record found in the reverse
map[?]

IPSECKEY4 queryid A.B.C.D
This request looks up the IPSECKEY resource record found in the reverse
map for the IP version 4 address A.B.C.D, i.e. it looks up
D.C.B.A.in-addr.arpa. See the special note about IPSECKEY processing,
below.

IPSECKEY6 queryid A:B::C:D
This request looks up the IPSECKEY resource record found in the reverse
map for the IPv6 address A:B::C:D, i.e. it looks up the 32-nibble long
entry in ip6.arpa (and ip6.int). See the special note about IPSECKEY
processing, below.

OE4 queryid A.B.C.D
This request looks up an appropriate record for Opportunistic Encryption
for the given IPv4 address. It attempts to find the delegation record,
which may be an IPSECKEY, KEY, or TXT record. Unless configured
otherwise (see OE Directives, below), a query type of ANY will be used
to retrieve all relevant records, and all will be returned.

OE6 queryid A:B::C:D
This request looks up an appropriate record for Opportunistic Encryption
for the given IPv6 address, i.e. it looks up the 32-nibble long entry in
ip6.arpa (and ip6.int). It attempts to find the delegation record, which
may be an IPSECKEY, KEY, or TXT record. Unless configured otherwise (see
OE Directives, below), a query type of ANY will be used to retrieve all
relevant records, and all will be returned.

A queryid FQDN
This request looks up the A (IPv4) resource record for the given FQDN.

AAAA queryid FQDN
This request looks up the AAAA (IPv6) resource record for the given
FQDN.

VPN4
Synonymous with KEY4.

VPN6
Synonymous with KEY6.
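The reverse-map names that the *4 and *6 requests above resolve to, and the shape of a request line, as an added example (this is not lwdnsq code or part of the original page). The query id "q1" and the addresses are made up for illustration; the ip6.int suffix is produced only on request, since that tree is obsolete.

```python
# Added example (not lwdnsq code): derive the reverse-map owner names that
# the KEY4/KEY6, TXT4/TXT6, IPSECKEY4/IPSECKEY6 and OE4/OE6 requests query,
# and format a request line for lwdnsq's stdin.  The query id "q1" used at
# the bottom is a made-up example.
import ipaddress


def reverse_name_v4(addr):
    """A.B.C.D -> D.C.B.A.in-addr.arpa. (octets in reverse order)."""
    octets = str(ipaddress.IPv4Address(addr)).split(".")   # rejects malformed input
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def reverse_names_v6(addr, legacy_ip6_int=False):
    """A:B::C:D -> the 32-nibble entry under ip6.arpa, least significant
    nibble first.  The man page says lwdnsq also tries the obsolete ip6.int
    tree; that second name is only produced when legacy_ip6_int is True."""
    hexdigits = ipaddress.IPv6Address(addr).exploded.replace(":", "")  # exactly 32 hex digits
    nibbles = ".".join(reversed(hexdigits))
    names = [nibbles + ".ip6.arpa."]
    if legacy_ip6_int:
        names.append(nibbles + ".ip6.int.")
    return names


def request_line(command, queryid, argument):
    """One line of the stdin command language, e.g. 'KEY4 q1 192.0.2.1'.
    The queryid is echoed on every reply line, so it must be a single
    whitespace-free token or the replies cannot be demultiplexed."""
    if not queryid or any(ch.isspace() for ch in queryid):
        raise ValueError("queryid must be one non-empty token")
    return "%s %s %s\n" % (command, queryid, argument)


if __name__ == "__main__":
    # What OE4/OE6 lookups for these documentation addresses resolve to.
    print(reverse_name_v4("192.0.2.1"))
    print(reverse_names_v6("2001:db8::1", legacy_ip6_int=True))
    print(request_line("OE6", "q1", "2001:db8::1"), end="")
```

Validating the address through the ipaddress module before building the name matters when the caller is another program: a malformed or non-address argument should be rejected here rather than turned into a nonsense DNS query.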

All replies from the queries are in the following format:

<ID> <TIME> <TTL> <TYPE> <TYPE-SPECIFIC> \n

ID
this is the queryid value that was provided in the query. It is
repeated on every line to permit the replies to be properly
associated with the query. When the response is not ascribable to a
particular query (such as for a mis-formed query), then the query
ID "0" will be used.

TIME
this is the current time in seconds since the epoch.

TTL
for answers which have a time to live, this is the current value.
The answer is valid for this number of seconds. If there is no
useful value here, then the number 0 is used.

TYPE
This is the type of the record that is being returned. The types
are described below. The TYPE-SPECIFIC data that follows is specific
to the type.

The replies are limited to 4096 bytes, a value defined as
LWDNSQ_RESULT_LEN_MAX. This is defined in freeswan.h.

All of the replies which include resource records use the standard
presentation format (with no line feeds or carriage returns) in their
answer.

START
This reply indicates that a query has been received and has been
started. It serves as an anchor point for timing, as well as an
acknowledgement.

DONE
This reply indicates that a query is entirely over, and no further
information from this query will be sent.

RETRY
This reply indicates that a query is entirely over, but that no data
was found. The records may exist, but appropriate servers could not be
reached.

FATAL
This reply indicates that a query is entirely over, and that no data of
the type requested could be found. There were no timeouts, and all
servers were available and confirmed non-existence. There may be NXT
records returned prior to this.

CNAME
This is an interim reply, and indicates that a CNAME was found (and
followed) while performing the query. The value of the CNAME is present
in the type-specific section.

CNAMEFROM
This is an interim reply, and indicates that a CNAME was found. The
original name that was queried for was not the canonical name, and this
reply indicates the name that was actually followed.

NAME
This is an interim reply. The original name that was queried for was
not the canonical name. This reply indicates the canonical name.

DNSSEC
This is an interim reply. It is followed either by "OKAY" or "not
present". It indicates whether DNSSEC was available on the reply.

TXT and AD-TXT
This is an interim reply. If there are TXT resource records in the
reply, then each one is presented using this type. If preceded by AD-,
then this record was signed with DNSSEC.

A and AD-A
This is an interim reply. If there are A resource records in the reply,
then each one is presented using this type. If preceded by AD-, then
this record was signed with DNSSEC.

AAAA and AD-AAAA
This is an interim reply. If there are AAAA resource records in the
reply, then each one is presented using this type. If preceded by AD-,
then this record was signed with DNSSEC.

PTR and AD-PTR
This is an interim reply. If there are PTR resource records in the
reply, then each one is presented using this type. If preceded by AD-,
then this record was signed with DNSSEC.

KEY and AD-KEY
This is an interim reply. If there are KEY resource records in the
reply, then each one is presented using this type. If preceded by AD-,
then this record was signed with DNSSEC.

IPSECKEY and AD-IPSECKEY
This is an interim reply. If there are IPSECKEY resource records in the
reply, then each one is presented using this type. If preceded by AD-,
then this record was signed with DNSSEC.
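A consumer of this reply stream (pluto, or any other program driving lwdnsq) has to split each line into the five fields, demultiplex concurrent queries by ID, treat DONE/RETRY/FATAL as terminal, and decide which records it is safe to act on. The following parser is an added example, not lwdnsq or pluto code; the reply stream it reads is constructed (query ids, timestamps and key material are invented). The security-relevant choice it makes is that only AD- records from a query that ended in DONE are offered as Opportunistic Encryption candidates, because an unsigned TXT, KEY or IPSECKEY in the reverse map can be supplied by anyone on the resolution path.

```python
# Added example (not lwdnsq code): parse lwdnsq's reply stream, demultiplex
# concurrent queries by their ID, and keep only DNSSEC-authenticated (AD-)
# records as candidates for Opportunistic Encryption.  SAMPLE_REPLIES is a
# constructed stream: the query ids, timestamps and key material are made up.
from collections import namedtuple

LWDNSQ_RESULT_LEN_MAX = 4096            # reply length limit named by the man page
TERMINAL = {"DONE", "RETRY", "FATAL"}   # replies that end a query
NAME_REPLIES = {"CNAME", "CNAMEFROM", "NAME"}

Reply = namedtuple("Reply", "qid time ttl rtype data")


def parse_reply_line(line):
    """'<ID> <TIME> <TTL> <TYPE> <TYPE-SPECIFIC>' -> Reply.  The type-specific
    part may itself contain spaces (TXT strings, IPSECKEY fields), so split
    on at most four separators."""
    if len(line) > LWDNSQ_RESULT_LEN_MAX:
        raise ValueError("reply longer than LWDNSQ_RESULT_LEN_MAX")
    parts = line.rstrip("\n").split(" ", 4)
    if len(parts) < 4:
        raise ValueError("malformed reply: %r" % line)
    data = parts[4] if len(parts) == 5 else ""
    return Reply(parts[0], int(parts[1]), int(parts[2]), parts[3], data)


def collect(lines):
    """Group replies by query id.  Each entry records the terminal status,
    the DNSSEC interim reply, followed names, and the resource records as
    (type, ttl, presentation, authenticated) tuples."""
    results = {}
    for line in lines:
        r = parse_reply_line(line)
        q = results.setdefault(r.qid, {"status": None, "dnssec": None,
                                       "names": [], "records": []})
        if r.rtype == "START":
            q["status"] = "running"
        elif r.rtype in TERMINAL:
            q["status"] = r.rtype
        elif r.rtype == "DNSSEC":
            q["dnssec"] = (r.data == "OKAY")
        elif r.rtype in NAME_REPLIES:
            q["names"].append((r.rtype, r.data))
        else:
            authenticated = r.rtype.startswith("AD-")
            rtype = r.rtype[3:] if authenticated else r.rtype
            q["records"].append((rtype, r.ttl, r.data, authenticated))
    return results


def oe_candidates(result, wanted=("IPSECKEY", "TXT", "KEY")):
    """Delegation records safe to act on: only from a query that finished
    with DONE, and only AD- records.  An unsigned TXT/KEY/IPSECKEY in the
    reverse map can be forged by anyone on the resolution path."""
    if result["status"] != "DONE":
        return []
    return [rec for rec in result["records"] if rec[3] and rec[0] in wanted]


# Constructed sample: q1 finds one signed IPSECKEY and one unsigned TXT,
# q2 could not reach its servers, and a bad command is reported under id "0".
SAMPLE_REPLIES = [
    "q1 1286367000 0 START",
    "q1 1286367000 3600 AD-IPSECKEY 10 1 2 192.0.2.38 AQNRU3mG7TVTO2BkR47usntb102uFJtugbo6BSGvNyQ==",
    "q1 1286367000 3600 TXT \"X-IPsec-Server(10)=192.0.2.39 AQOMAcs8vZQUw1LNvDnJ\"",
    "q1 1286367001 0 DNSSEC OKAY",
    "q1 1286367001 0 DONE",
    "q2 1286367000 0 START",
    "q2 1286367010 0 RETRY",
    "0 1286367002 0 FATAL unrecognised command",
]

if __name__ == "__main__":
    for qid, res in sorted(collect(SAMPLE_REPLIES).items()):
        print(qid, res["status"], "dnssec=%s" % res["dnssec"],
              "usable=%d" % len(oe_candidates(res)))
```

Note that the DNSSEC interim reply says only whether DNSSEC was available on the reply as a whole; the per-record AD- prefix is the signal to key off, which is why the filter looks at the record tuple rather than the query-level flag. The length check enforces the 4096-byte LWDNSQ_RESULT_LEN_MAX before any parsing, so an oversized line is rejected rather than silently truncated.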

IPSECKEY PROCESSING
At the time of this writing, the IPSECKEY resource record was not
entirely specified. In particular no resource record number had been
assigned. This program assumes that it is resource record number 45,
which is the number RFC 4025 later assigned to IPSECKEY. If the file
/etc/ipsec.d/lwdnsq.conf exists, and contains a line like

ipseckey_rr=number

then this number will be used instead. The file is read only once at
startup.

OE DIRECTIVES
If the file /etc/ipsec.d/lwdnsq.conf exists, and contains a line like

queryany=false

then instead of doing an ANY query when looking for OE delegation
records, lwdnsq will do a series of queries. It will first look for
IPSECKEY records, and then TXT records. If it finds neither, it will
then look for KEY records of all kinds, although they do not contain
delegation information.
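The two lookup strategies the OE directives select between, as an added example run against a constructed in-memory reverse zone rather than real DNS (this is not lwdnsq code). One assumption the man page does not spell out is made explicit here: with queryany=false the sequence stops at the first record type that yields an answer. The owner names and key material in the zone are invented.

```python
# Added example (not lwdnsq code): the two delegation-lookup strategies the
# OE Directives describe, run against a constructed in-memory reverse zone
# instead of real DNS.  Assumption: with queryany=false the sequence stops at
# the first type that yields records, which the man page does not spell out.

# Constructed reverse-map data: owner name -> RR type -> presentation strings
# (key material is made up).
FAKE_REVERSE_ZONE = {
    "1.2.0.192.in-addr.arpa.": {
        "TXT": ['"X-IPsec-Server(10)=192.0.2.1 AQNzQ2xpZW50S2V5"'],
    },
    "2.2.0.192.in-addr.arpa.": {
        "IPSECKEY": ["10 1 2 192.0.2.2 AQOdGF0ZXdheUtleQ=="],
        "TXT": ['"X-IPsec-Server(10)=192.0.2.2 AQOdGF0ZXdheUtleQ=="'],
        "KEY": ["0x4200 4 1 AQOdGF0ZXdheUtleQ=="],
    },
    "3.2.0.192.in-addr.arpa.": {
        "KEY": ["0x4200 4 1 AQNvbGRLZXlPbmx5"],
    },
}

DELEGATION_TYPES = ("IPSECKEY", "TXT", "KEY")


def query(name, rtype, zone=FAKE_REVERSE_ZONE):
    """Stand-in for one DNS query of the given type against the fake zone."""
    return [(rtype, rr) for rr in zone.get(name, {}).get(rtype, [])]


def oe_delegation(name, queryany=True, zone=FAKE_REVERSE_ZONE):
    """queryany=true: a single ANY query, every relevant record is returned.
    queryany=false: IPSECKEY first, then TXT; KEY only if neither exists
    (KEY records carry no delegation information, per the man page)."""
    if queryany:
        found = []
        for rtype in DELEGATION_TYPES:
            found += query(name, rtype, zone)
        return found
    for rtype in ("IPSECKEY", "TXT"):
        found = query(name, rtype, zone)
        if found:
            return found
    return query(name, "KEY", zone)


if __name__ == "__main__":
    for name in sorted(FAKE_REVERSE_ZONE):
        print(name, "ANY:", [t for t, _ in oe_delegation(name)],
              "sequential:", [t for t, _ in oe_delegation(name, queryany=False)])
```

The sequential strategy costs up to three round trips but does not depend on QTYPE=ANY, which many resolvers today answer only minimally (RFC 8482); against such a resolver the default ANY lookup can return nothing useful even when delegation records exist, so queryany=false is the more robust setting.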

FILES
/etc/ipsec.d/lwdnsq.conf

BUGS
Not all listed commands are actually implemented.

AUTHOR
Michael Richardson <mcr@sandelman.ottawa.on.ca>.

[FIXME: source] 10/06/2010 IPSEC LWDNSQ(8)