TLSA(1)                         Internet / DNS                         TLSA(1)


NAME

       tlsa - Create and verify RFC-6698 TLSA DNS records


SYNTAX

       tlsa [-h] [--verify] [--create] [--version] [-4] [-6] [--insecure]
       [--resolvconf /PATH/TO/RESOLV.CONF] [--port PORT] [--starttls
       {auto,smtp,imap,pop3,ftp}] [--protocol {tcp,udp,sctp}] [--only-rr]
       [--rootkey /PATH/TO/ROOT.KEY] [--ca-cert /PATH/TO/CERTSTORE] [--debug]
       [--quiet] [--certificate CERTIFICATE] [--output {rfc,generic,both}]
       [--usage {0,1,2,3}] [--selector {0,1}] [--mtype {0,1,2}] hostname


DESCRIPTION

       tlsa generates RFC-6698 TLSA DNS records. To generate these records for
       older nameserver implementations that do not yet support the TLSA
       record, specify --output generic to output the TLSA data in Generic
       Record (RFC-3597) format. Records are generated by connecting to the
       host over TLS and retrieving the end-entity (EE) certificate and the CA
       chain. Depending on the selector and matching type used, this
       information is hashed or copied into the TLSA record data. Currently,
       tlsa has no AXFR support for en masse TLSA record generation.


OPTIONS

       --create
           Create a TLSA record

       --verify
           Verify a TLSA record

       --protocol tcp | udp | sctp
           Use a specific transport protocol (default: tcp)

       --resolvconf FILE
           Specify a custom resolv.conf file (default: /etc/resolv.conf). Pass
           an empty value (--resolvconf="") to disable the default.

       --port PORT
           Use the specified port (default: 443)

       --starttls no | smtp | imap | pop3 | ftp
           Start script type for protocols which need special commands to
           start a TLS connection. Supported are 'ftp' (port 21), 'smtp' (port
           25), 'pop3' (port 110) and 'imap' (port 143). The default selects
           the type based on the port number. The value 'no' overrides auto
           detection.

       --only-rr
           Only print the DNS TLSA record

       --certificate file.crt
           Use the specified certificate file instead of retrieving the
           certificate from the server. Can be a single certificate or a
           complete chain.

       --ca-cert directory
           Use the specified directory containing CA bundles for CA validation
           (default: /etc/pki/tls/certs)

       --rootkey filename
           Use the specified file to read the DNSSEC root key (in anchor or
           bind format)

       --output rfc | generic | both
           Output format of the TLSA record: "TLSA" for rfc, "TYPE52" for
           generic (default: rfc)

       --usage 0 | 1 | 2 | 3
           Usage type: public CA (0), EE match validated by public CA (1),
           private CA (2), private EE (3) (default: 3)

       --selector 0 | 1
           The selector describes what the record data covers: the full
           certificate (0) or the public key (1) (default: 0)

       --mtype 0 | 1 | 2
           Matching type of the TLSA data: exact match on content (0), SHA256
           (1) or SHA512 (2) (default: 0)

       If neither --create nor --verify is specified, --create is used.

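       The record-generation and verification steps described above, as an
       added Python example that is not part of hash-slinger's own code. It
       builds a structurally valid toy certificate with a tiny DER encoder
       (constructed sample data; a real run would take the DER certificate
       retrieved from the server), picks the full certificate or the
       SubjectPublicKeyInfo according to the selector, applies the matching
       type, and formats the result either as an RFC 6698 TLSA record or as an
       RFC 3597 TYPE52 generic record under the _port._proto owner name. All
       function names are this example's own assumptions, not tlsa's API.

```python
import hashlib

# Minimal DER helpers (constructed for this example; a real tool would use an
# X.509 library to locate the SubjectPublicKeyInfo).
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_children(body):
    """Split a DER SEQUENCE body into (tag, inner_body, raw_tlv) triples."""
    i, out = 0, []
    while i < len(body):
        start, tag, ln = i, body[i], body[i + 1]
        i += 2
        if ln & 0x80:                       # long-form length
            n = ln & 0x7F
            ln = int.from_bytes(body[i:i + n], "big")
            i += n
        out.append((tag, body[i:i + ln], body[start:i + ln]))
        i += ln
    return out

def subject_public_key_info(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate (RFC 5280 layout)."""
    tbs = der_children(der_children(cert_der)[0][1])[0]      # tbsCertificate
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                                  # optional [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]

OID_RSA = bytes.fromhex("2a864886f70d010101")          # rsaEncryption
OID_SHA256RSA = bytes.fromhex("2a864886f70d01010b")    # sha256WithRSAEncryption

def build_sample_cert():
    """Build a structurally valid but unsigned toy certificate (constructed sample data)."""
    alg = tlv(0x30, tlv(0x06, OID_SHA256RSA) + tlv(0x05, b""))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, OID_RSA) + tlv(0x05, b""))
                   + tlv(0x03, b"\x00" + bytes(range(32))))   # BIT STRING, fake key bytes
    tbs = tlv(0x30,
              tlv(0xA0, tlv(0x02, b"\x02"))                    # version v3
              + tlv(0x02, b"\x01")                              # serialNumber
              + alg                                             # signature algorithm
              + tlv(0x30, b"")                                  # issuer (empty Name)
              + tlv(0x30, tlv(0x17, b"150101000000Z") + tlv(0x17, b"250101000000Z"))
              + tlv(0x30, b"")                                  # subject (empty Name)
              + spki)
    cert = tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + b"\xAA" * 16))  # fake signature
    return cert, spki

def tlsa_data(cert_der, selector, mtype):
    """Certificate association data per RFC 6698: selector picks the input, mtype the transform."""
    payload = cert_der if selector == 0 else subject_public_key_info(cert_der)
    if mtype == 0:
        return payload                      # exact match on the full content
    if mtype == 1:
        return hashlib.sha256(payload).digest()
    if mtype == 2:
        return hashlib.sha512(payload).digest()
    raise ValueError("unknown matching type %r" % mtype)

def tlsa_owner(hostname, port=443, protocol="tcp"):
    return "_%d._%s.%s." % (port, protocol, hostname.rstrip("."))

def tlsa_record(hostname, cert_der, usage=3, selector=0, mtype=0, port=443,
                protocol="tcp", output="rfc"):
    """Render the record in RFC 6698 presentation form or as an RFC 3597 TYPE52 generic record."""
    data = tlsa_data(cert_der, selector, mtype)
    owner = tlsa_owner(hostname, port, protocol)
    if output == "rfc":
        return "%s IN TLSA %d %d %d %s" % (owner, usage, selector, mtype, data.hex())
    rdata = bytes([usage, selector, mtype]) + data       # wire-format RDATA
    return "%s IN TYPE52 \\# %d %s" % (owner, len(rdata), rdata.hex())

def tlsa_verify(cert_der, selector, mtype, data_hex):
    """True when the certificate matches the association data of a published TLSA record."""
    return tlsa_data(cert_der, selector, mtype).hex() == data_hex.lower()

if __name__ == "__main__":
    cert, _ = build_sample_cert()
    for sel, mt in ((0, 0), (0, 1), (1, 1), (1, 2)):
        print(tlsa_record("www.example.com", cert, 3, sel, mt))
    print(tlsa_record("www.example.com", cert, 3, 1, 1, output="generic"))
```

       The generic form carries exactly the same three header octets (usage,
       selector, matching type) followed by the association data, which is why
       its \# length is always the data length plus three; the verify step
       recomputes the data from the certificate and compares it to the hex
       field of the record rather than trusting the record's contents.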

REQUIREMENTS

       tlsa requires the following python libraries: unbound, m2crypto,
       argparse and ipaddr


BUGS

       ipv4/ipv6 handling


EXAMPLES

       Typical usage:

       tlsa www.fedoraproject.org

       tlsa --verify -4 nohats.ca

       tlsa --create --insecure fedoraproject.org


SEE ALSO

       sshfp(1), ssh-keygen(1) and RFC-6698

       http://people.redhat.com/pwouters/hash-slinger/

       http://os3sec.org/


AUTHORS

       Pieter Lexis <pieter.lexis@os3.nl>

       Copyright 2012

       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; either version 2 of the License, or (at your
       option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
       General Public License (file COPYING in the distribution) for more
       details.



Paul Wouters                   December 7, 2015                        TLSA(1)