ldns-dane(1)                General Commands Manual               ldns-dane(1)


NAME

       ldns-dane - verify or create TLS authentication with DANE (RFC6698)


SYNOPSIS

       ldns-dane [OPTIONS] verify name port
       ldns-dane [OPTIONS] -t tlsafile verify

       ldns-dane [OPTIONS] create name port
                 [ Certificate-usage [ Selector [ Matching-type ] ] ]

       ldns-dane -h
       ldns-dane -v


DESCRIPTION

       In the first form: A TLS connection to name:port is established.  The
       TLSA resource record(s) for name are used to authenticate the
       connection.

       In the second form: The TLSA record(s) are read from tlsafile and used
       to authenticate the TLS service they reference.

       In the third form: A TLS connection to name:port is established and
       used to create the TLSA resource record(s) that would authenticate the
       connection.  The parameters for TLSA RR creation are:

       Certificate-usage:
              0 | PKIX-TA
                     CA constraint
              1 | PKIX-EE
                     Service certificate constraint
              2 | DANE-TA
                     Trust anchor assertion
              3 | DANE-EE
                     Domain-issued certificate (default)

       Selector:
              0 | Cert
                     Full certificate
              1 | SPKI
                     SubjectPublicKeyInfo (default)

       Matching-type:
              0 | Full
                     No hash used
              1 | SHA2-256
                     SHA-256 (default)
              2 | SHA2-512
                     SHA-512

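       The following is an added example, not code from ldns or from this
       manual page, showing what the Selector and Matching-type parameters
       above do to a certificate when `create` builds the TLSA RDATA, and what
       the generic TYPE52 form printed by -b looks like.  The certificate is a
       synthetic DER skeleton constructed inside the script (it has no valid
       signature and exists only so the SPKI can be located offline); the
       owner name _443._tcp.example.com. and the helper names are assumptions.

```python
"""
Build TLSA association data for a DER-encoded certificate for every
Selector (0 = full certificate, 1 = SubjectPublicKeyInfo) and Matching-type
(0 = raw, 1 = SHA-256, 2 = SHA-512), then render it in presentation format
and in the generic TYPE52 (RFC 3597) form.  Hypothetical helper code; the
certificate is a constructed DER skeleton, not a real certificate.
"""
import hashlib

SEQ, INT, BITSTR, NULL, OID, GENTIME, CTX0 = 0x30, 0x02, 0x03, 0x05, 0x06, 0x18, 0xA0


def der(tag, content):
    """Encode one DER TLV (definite-length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der):
    """Return the full SubjectPublicKeyInfo TLV of an X.509 Certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, _, pos = read_tlv(tbs, 0)
    pos = pos if tag == CTX0 else 0          # skip the explicit version, if present
    for _ in range(5):                       # serial, sigalg, issuer, validity, subject
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)
    return tbs[pos:end]                      # DANE hashes the whole SPKI TLV


def tlsa_data(cert_der, selector, mtype):
    """Association data for one Selector / Matching-type pair, as lowercase hex."""
    obj = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return obj.hex()
    if mtype in (1, 2):
        return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(obj).hexdigest()
    raise ValueError("unknown matching type %d" % mtype)


def tlsa_presentation(owner, usage, selector, mtype, data):
    return "%s IN TLSA %d %d %d %s" % (owner, usage, selector, mtype, data)


def tlsa_generic(owner, usage, selector, mtype, data):
    """The -b form: RDATA is usage, selector, matching type, then the data."""
    rdata = bytes([usage, selector, mtype]) + bytes.fromhex(data)
    return "%s TYPE52 \\# %d %s" % (owner, len(rdata), rdata.hex())


def synthetic_cert():
    """Constructed Certificate DER with a dummy 16-byte key; returns (cert, spki)."""
    rsa_alg = der(SEQ, der(OID, bytes.fromhex("2a864886f70d010101")) + der(NULL, b""))
    sig_alg = der(SEQ, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))
    spki = der(SEQ, rsa_alg + der(BITSTR, b"\x00" + bytes(range(16))))
    name = der(SEQ, b"")
    validity = der(SEQ, der(GENTIME, b"20120917000000Z") * 2)
    tbs = der(SEQ, der(CTX0, der(INT, b"\x02")) + der(INT, b"\x01") + sig_alg
              + name + validity + name + spki)
    return der(SEQ, tbs + sig_alg + der(BITSTR, b"\x00" * 9)), spki


if __name__ == "__main__":
    cert, _ = synthetic_cert()
    owner = "_443._tcp.example.com."         # assumed service name and port
    for selector in (0, 1):
        for mtype in (0, 1, 2):
            print(tlsa_presentation(owner, 3, selector, mtype, tlsa_data(cert, selector, mtype)))
    print(tlsa_generic(owner, 3, 1, 1, tlsa_data(cert, 1, 1)))
```

       The default `3 1 1` record (DANE-EE, SPKI, SHA-256) is the one that
       survives certificate renewal as long as the key pair is kept, which is
       why the SPKI selector is the default; a Selector 0 record must be
       republished whenever the certificate itself changes.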

OPTIONS

       -4     TLS connect IPv4 only

       -6     TLS connect IPv6 only

       -a address
              Don't try to resolve name, but connect to address instead.

              This option may be given more than once.

       -b     Print the "name. TYPE52 \# size hexdata" form instead of TLSA
              presentation format.

       -c certfile
              Do not TLS connect to name:port, but authenticate (or make TLSA
              records) for the certificate (chain) in certfile instead.

       -d     Assume DNSSEC validity even when the TLSA records were acquired
              insecurely or were bogus.  This removes the DNSSEC check on
              which DANE authentication rests; use it for testing only.

       -f CAfile
              Use CAfile to validate. Default is
              /etc/pki/tls/certs/ca-bundle.trust.crt

       -h     Print short usage help

       -i     Interact after connecting.

       -k keyfile
              Specify a file that contains a trusted DNSKEY or DS RR.  Key(s)
              are used when chasing signatures (i.e. -S is given).

              This option may be given more than once.

              Alternatively, if -k is not specified, and a default trust
              anchor (/var/lib/unbound/root.key) exists and contains a valid
              DNSKEY or DS record, it will be used as the trust anchor.

       -n     Do not verify the server name in the certificate.

       -o offset
              When creating a "Trust anchor assertion" TLSA resource record,
              select the certificate at position offset counted from the end
              of the validation chain. 0 means the last certificate, 1 the
              one but last, 2 the second but last, etc.

              When offset is -1 (the default), the last certificate is used
              (like with 0) but it MUST be self-signed. This can help to make
              sure that the intended (self-signed) trust anchor is actually
              present in the server certificate chain (which is a DANE
              requirement).

       -p CApath
              Use certificates in the CApath directory to validate. Default is
              /etc/pki/tls/certs/

       -s     When creating TLSA resource records with the "CA Constraint" and
              the "Service Certificate Constraint" certificate usage, do not
              validate and assume PKIX is valid.

              For "CA Constraint" this means that verification should end with
              a self-signed certificate.

       -S     Chase signature(s) to a known key.

              Without this option, the AD bit set by the local resolver is
              trusted, i.e. the resolver and the network path to it must be
              trusted to provide DNSSEC validation.

       -t tlsafile
              Read TLSA record(s) from tlsafile. When name and port are also
              given, only TLSA records that match the name, port and transport
              are used. Otherwise the owner name of the TLSA record(s) will be
              used to determine name, port and transport.

       -T     Return exit status 2 for PKIX validated connections without
              (secure) TLSA record(s)

       -u     Use UDP transport instead of TCP.

       -v     Show version and exit.

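       The following is an added example, not code from ldns or from this
       manual page, showing how a tlsafile as consumed by -t can be read: the
       owner name _port._transport.name. is split into name, port and
       transport, records in both presentation format and the TYPE52 form
       written by -b are accepted, only the records for the requested service
       are kept, and a DANE-EE (usage 3) record is checked against association
       data supplied by the caller.  The zone fragment and its hex values are
       constructed placeholders, and all function names are assumptions.

```python
"""
Read TLSA records from a zone-file fragment, derive the service from the
owner name, filter by name/port/transport, and check a DANE-EE association.
Accepts presentation format and the generic TYPE52 (RFC 3597) form.
Hypothetical helper code; not part of ldns.
"""
import re
from collections import namedtuple

TLSA = namedtuple("TLSA", "owner usage selector mtype data")
OWNER_RE = re.compile(r"^_(\d+)\._(tcp|udp|sctp)\.(.+?)\.?$", re.I)


def split_owner(owner):
    """'_443._tcp.example.com.' -> ('example.com', 443, 'tcp')."""
    m = OWNER_RE.match(owner)
    if not m:
        raise ValueError("not a TLSA owner name: %r" % owner)
    return m.group(3).lower(), int(m.group(1)), m.group(2).lower()


def logical_lines(text):
    """Strip ';' comments and join records continued inside ( ... )."""
    buf = ""
    for raw in text.splitlines():
        buf += " " + raw.split(";", 1)[0]
        if buf.count("(") <= buf.count(")"):
            yield buf.strip()
            buf = ""


def parse_tlsa(line):
    """Return a TLSA record, or None for blank or non-TLSA lines."""
    fields = line.split()
    if not fields:
        return None
    owner, i = fields[0], 1
    while i < len(fields) and (fields[i].isdigit() or fields[i].upper() == "IN"):
        i += 1                                   # skip optional TTL and class
    if i >= len(fields):
        return None
    rtype, rest = fields[i].upper(), fields[i + 1:]
    if rtype == "TLSA":
        usage, selector, mtype = (int(x) for x in rest[:3])
        data = "".join(rest[3:]).replace("(", "").replace(")", "").lower()
    elif rtype == "TYPE52" and rest[:1] == ["\\#"]:
        rdata = bytes.fromhex("".join(rest[2:]))
        if len(rdata) != int(rest[1]) or len(rdata) < 3:
            raise ValueError("bad generic RDATA: %r" % line)
        usage, selector, mtype, data = rdata[0], rdata[1], rdata[2], rdata[3:].hex()
    else:
        return None
    return TLSA(owner, usage, selector, mtype, data)


def load_tlsa(text, name=None, port=None, transport="tcp"):
    """All records, or (with name and port) only those whose owner matches."""
    records = [r for r in map(parse_tlsa, logical_lines(text)) if r]
    if name is None:
        return records
    want = (name.lower().rstrip("."), int(port), transport.lower())
    return [r for r in records if split_owner(r.owner) == want]


def service_from_records(records):
    """Without name/port on the command line the owner names decide the
    service; a file mixing several services is rejected."""
    targets = {split_owner(r.owner) for r in records}
    if len(targets) != 1:
        raise ValueError("expected one service, got %r" % sorted(targets))
    return targets.pop()


def dane_ee_matches(records, assoc_data):
    """DANE-EE check: some usage-3 record's data equals the association data
    computed from the end-entity certificate with that record's selector and
    matching type.  assoc_data(selector, mtype) must return lowercase hex."""
    return any(r.usage == 3 and r.data == assoc_data(r.selector, r.mtype)
               for r in records)


# Constructed sample file; the hex values are placeholders, not real digests.
SAMPLE = """\
; TLSA records for two services
_443._tcp.example.com. 3600 IN TLSA 3 1 1 ( 0011223344556677 8899aabbccddeeff
                                            0011223344556677 8899aabbccddeeff )
_443._tcp.example.com. IN TYPE52 \\# 35 030101 ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100
_25._tcp.mail.example.com. IN TLSA 2 0 1 aaaa
"""

if __name__ == "__main__":
    for r in load_tlsa(SAMPLE, "example.com", 443):
        print(r)
    print(service_from_records(load_tlsa(SAMPLE, "mail.example.com", 25)))
```

       Only usage 3 is handled by the match function: usages 0 and 1 also
       need a PKIX chain validation, and usage 2 needs the record compared
       against a trust anchor in the chain (see -o), so a file containing
       those records needs more than the equality test shown here.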

FILES

       /var/lib/unbound/root.key
              The file from which trusted keys are loaded for signature
              chasing, when no -k option is given.


SEE ALSO

       unbound-anchor(8)


AUTHOR

       Written by the ldns team as an example for ldns usage.


REPORTING BUGS

       Report bugs to ldns-team@nlnetlabs.nl.


COPYRIGHT

       Copyright (C) 2012 NLnet Labs. This is free software. There is NO
       warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
       PURPOSE.



                               17 September 2012                  ldns-dane(1)