1TLSA(1) Internet / DNS TLSA(1)
2
6 tlsa - Create and verify RFC-6698 TLSA DNS records
7
9 tlsa [-h] [--verify] [-create] [--version] [-4] [-6] [--insecure]
10 [--resolv.conf /PATH/TO/RESOLV.CONF] [--port PORT] [--starttls
11 {auto,smtp,imap,pop3,ftp}] [--protocol {tcp,udp,sctp}] [--only-rr]
12 [--rootkey /PATH/TO/ROOT.KEY] [--ca-cert /PATH/TO/CERTSTORE] [--debug]
13 [--quiet] [--certificate CERTIFICATE] [--output {rfc,generic,both}]
14 [--usage {0,1,2,3}] [--selector {0,1}] [-mtype {0,1,2}] hostname
15
17 tlsa generates RFC-6698 TLSA DNS records. To generate these records for
18 older nameserver implementations that do not yet support the TLSA
19 record, specify --output generic to output the tlsa data in Generic
20 Record (RFC-3597) format. Records are generated by connecting to the
21 website using SSL and grabbing the (EE) certificate and the CA chain.
22 Depending on the type and selector used, this information is used to
23 generate TLSA records. Currently. tlsa has no AXFR support for en-mass
24 TLSA record generation.
25
27 --create
28 Create a TLSA record
29 --verify
31 Verify a TLSA record
32 --protocol tcp | udp | sctp
34 Use a specific transport protocol (default: tcp)
35 --resolvconf FILE
37 Specify a custom resolv.conf file (default: /etc/resolv.conf). Pass
38 empty value (--resolvconf="") to disable default.
39 --port PORT
41 Use specified port (default: 443)
42 --starttls no | smtp | imap | pop3 | ftp
44 Start script type for protocols which need special commands to
45 start a TLS connection. Supported are 'ftp' (port 21), 'smtp' (port
46 25), 'pop3' (port 110) and 'imap' (port 143). The default selects
47 the type based on the port number. The value 'no' overrides auto
48 detection.
49 --only-rr
51 Only print the DNS TLSA record
52 --certificate file.crt
54 Use specified certificate file, instead of retrieving the
55 certificate from the server. Can be a single cert or a complete
56 chain.
57 --ca-cert directory
59 Use specified directory containing CA bundles for CA validation
60 (default: /etc/pki/tls/certs)
61 --rootkey filename
63 Use specified file to read the DNSSEC root key (in anchor or bind
64 format)
65 --output rfc | generic | both
67 Output format of TLSA record. "TLSA" for rfc, "TYPE52" for generic
68 (default: rfc)
69 --usage 0 | 1 | 2 | 3
71 Usage type: public CA (0), EE match validated by public CA (1),
72 private CA (2), private EE (3) (default: 3)
73 --selector 0 | 1
75 The selector type describes what the type covers - full certificate
76 (0) or public key (1) (default: 0)
77 --mtype 0 | 1 | 2
79 Type of the TLSA data. Exact match on content (0), SHA256 (1) or
80 SHA512 (2) (default: 0)
81 If neither create or verify is specified, create is used.
83
85 tlsa requires the following python libraries: unbound, m2crypto,
86 argparse and ipaddr
87
89 ipv4/ipv6 handling
90
92 typical usage:
93 tlsa www.fedoraproject.org
95 tlsa --verify -4 nohats.ca
97 tlsa --create --insecure fedoraproject.org
99
101 sshfp(1), ssh-keygen(1) and RFC-6698
102 https://github.com/letoams/hash-slinger
104 http://os3sec.org/
106
108 Pieter Lexis <pieter.lexis@os3.nl>
109
111 Copyright 2012
112 This program is free software; you can redistribute it and/or modify it
114 under the terms of the GNU General Public License as published by the
115 Free Software Foundation; either version 2 of the License, or (at your
116 option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
117 This program is distributed in the hope that it will be useful, but
119 WITHOUT ANY WARRANTY; without even the implied warranty of
120 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
121 General Public License (file COPYING in the distribution) for more
122 details.
123Paul Wouters December 7, 2015 TLSA(1)