ldns-dane(1)                General Commands Manual                ldns-dane(1)

NAME
       ldns-dane - verify or create TLS authentication with DANE (RFC6698)

SYNOPSIS
       ldns-dane [OPTIONS] verify name port
       ldns-dane [OPTIONS] -t tlsafile verify

       ldns-dane [OPTIONS] create name port
                 [ Certificate-usage [ Selector [ Matching-type ] ] ]

       ldns-dane -h
       ldns-dane -v
18
DESCRIPTION
       In the first form: A TLS connection to name:port is established. The
       TLSA resource record(s) for name are used to authenticate the
       connection.

       In the second form: The TLSA record(s) are read from tlsafile and used
       to authenticate the TLS service they reference.

       In the third form: A TLS connection to name:port is established and
       used to create the TLSA resource record(s) that would authenticate the
       connection. The parameters for TLSA rr creation are:

       Certificate-usage:
              0 | PKIX-TA
                     CA constraint
              1 | PKIX-EE
                     Service certificate constraint
              2 | DANE-TA
                     Trust anchor assertion
              3 | DANE-EE
                     Domain-issued certificate (default)

       Selector:
              0 | Cert
                     Full certificate
              1 | SPKI
                     SubjectPublicKeyInfo (default)

       Matching-type:
              0 | Full
                     No hash used
              1 | SHA2-256
                     SHA-256 (default)
              2 | SHA2-512
                     SHA-512
54
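       As an added example (Python written for this page, not ldns code), the
       following derives the TLSA RDATA that the create form produces from a
       DER certificate for the Certificate-usage, Selector and Matching-type
       values above, and prints it in presentation format or in the -b
       generic form. The stand-in certificate and all function names are
       constructed here for illustration only.

```python
import hashlib
# Added example, not ldns code: TLSA RDATA as "create" derives it from a DER cert.
def der(tag, body):
    """DER TLV encoder, enough for the short constructed sample below."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def der_split(seq):
    """Top-level TLV elements inside a DER SEQUENCE (long lengths handled)."""
    def hdr(buf, i):                    # -> (header length, content length)
        m = buf[i + 1]
        k = m & 0x7F if m & 0x80 else 0
        return 2 + k, (int.from_bytes(buf[i + 2:i + 2 + k], "big") if k else m)
    h, n = hdr(seq, 0)
    body, out, j = seq[h:h + n], [], 0
    while j < len(body):
        h, n = hdr(body, j)
        out.append(body[j:j + h + n])
        j += h + n
    return out

def spki_of(cert_der):
    """Selector 1 data: SubjectPublicKeyInfo, 6th tbsCertificate field after the optional [0] version."""
    fields = der_split(der_split(cert_der)[0])
    if fields[0][0] == 0xA0:            # explicit [0] version present
        fields = fields[1:]
    return fields[5]

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """Wire RDATA: usage, selector, matching type, then association data."""
    data = spki_of(cert_der) if selector == 1 else cert_der
    if mtype == 1:
        data = hashlib.sha256(data).digest()
    elif mtype == 2:
        data = hashlib.sha512(data).digest()
    return bytes([usage, selector, mtype]) + data

def tlsa_rr(name, port, rdata, generic=False, proto="tcp"):
    """Presentation format, or with generic=True the -b (RFC 3597) form."""
    owner = f"_{port}._{proto}.{name.rstrip('.')}."
    if generic:
        return f"{owner} TYPE52 \\# {len(rdata)} {rdata.hex()}"
    return f"{owner} IN TLSA {rdata[0]} {rdata[1]} {rdata[2]} {rdata[3:].hex()}"

# Constructed stand-in certificate: RFC 5280 field layout, dummy contents.
SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201")))
           + der(0x03, b"\x00\x04" + b"\x11" * 64))
CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
           + der(0x30, b"") * 4 + SPKI) + der(0x30, b"") + der(0x03, b"\x00"))
print(tlsa_rr("example.com", 443, tlsa_rdata(CERT)))   # the 3 1 1 defaults
```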
55
OPTIONS
       -4     TLS connect IPv4 only

       -6     TLS connect IPv6 only

       -a address
              Don't try to resolve name, but connect to address instead.

              This option may be given more than once.

       -b     Print "name. TYPE52 \# size hexdata" form instead of TLSA
              presentation format.

       -c certfile
              Do not TLS connect to name:port, but authenticate (or make TLSA
              records) for the certificate (chain) in certfile instead.

       -d     Assume DNSSEC validity even when the TLSA records were acquired
              insecure or were bogus.

       -f CAfile
              Use CAfile to validate. Default is
              /etc/pki/tls/certs/ca-bundle.trust.crt

       -h     Print short usage help

       -i     Interact after connecting.

       -k keyfile
              Specify a file that contains a trusted DNSKEY or DS rr. Key(s)
              are used when chasing signatures (i.e. -S is given).

              This option may be given more than once.

              Alternatively, if -k is not specified, and a default trust
              anchor (/var/lib/unbound/root.key) exists and contains a valid
              DNSKEY or DS record, it will be used as the trust anchor.

       -n     Do not verify server name in certificate.

       -o offset
              When creating a "Trust anchor assertion" TLSA resource record,
              select the offset-th certificate counted from the end of the
              validation chain. 0 means the last certificate, 1 the one
              before last, 2 the second before last, etc.

              When offset is -1 (the default), the last certificate is used
              (as with 0), but it MUST be self-signed. This can help to make
              sure that the intended (self-signed) trust anchor is actually
              present in the server certificate chain (which is a DANE
              requirement).

       -p CApath
              Use certificates in the CApath directory to validate. Default
              is /etc/pki/tls/certs/

       -s     When creating TLSA resource records with the "CA Constraint" and
              the "Service Certificate Constraint" certificate usage, do not
              validate and assume PKIX is valid.

              For "CA Constraint" this means that verification should end
              with a self-signed certificate.

       -S     Chase signature(s) to a known key.

              Without this option, the local network is trusted to provide a
              DNSSEC resolver (i.e. the AD bit is checked).

       -t tlsafile
              Read TLSA record(s) from tlsafile. When name and port are also
              given, only TLSA records that match the name, port and transport
              are used. Otherwise the owner name of the TLSA record(s) will be
              used to determine name, port and transport.

       -T     Return exit status 2 for PKIX validated connections without
              (secure) TLSA record(s).

       -u     Use UDP transport instead of TCP.

       -v     Show version and exit.
136
137
FILES
       /var/lib/unbound/root.key
              The file from which trusted keys are loaded for signature
              chasing, when no -k option is given.

SEE ALSO
       unbound-anchor(8)

AUTHOR
       Written by the ldns team as an example for ldns usage.

REPORTING BUGS
       Report bugs to ldns-team@nlnetlabs.nl.

COPYRIGHT
       Copyright (C) 2012 NLnet Labs. This is free software. There is NO
       warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
       PURPOSE.

                               17 September 2012                  ldns-dane(1)