Packit Service
4684c1
@node danetool Invocation
@subsection Invoking danetool
@pindex danetool
@ignore
# -*- buffer-read-only: t -*- vi: set ro:
#
# DO NOT EDIT THIS FILE (invoke-danetool.texi)
#
# It has been AutoGen-ed
# From the definitions ../src/danetool-args.def
# and the template file agtexi-cmd.tpl
@end ignore

Tool to generate and check DNS resource records for the DANE protocol.

This section was generated by @strong{AutoGen},
using the @code{agtexi-cmd} template and the option descriptions for the @code{danetool} program.
This software is released under the GNU General Public License, version 3 or later.

@anchor{danetool usage}
@subsubheading danetool help/usage (@option{--help})
@cindex danetool help

This is the automatically generated usage text for danetool.

The text printed is the same whether selected with the @code{help} option
(@option{--help}) or the @code{more-help} option (@option{--more-help}). @code{more-help} will print
the usage text by passing it through a pager program.
@code{more-help} is disabled on platforms without a working
@code{fork(2)} function. The @code{PAGER} environment variable is
used to select the program, defaulting to @file{more}. Both will exit
with a status code of 0.

@exampleindent 0
@example
danetool - GnuTLS DANE tool
Usage: danetool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...

   -d, --debug=num            Enable debugging
                                - it must be in the range:
                                  0 to 9999
   -V, --verbose              More verbose output
                                - may appear multiple times
       --infile=file          Input file
                                - file must pre-exist
       --outfile=str          Output file
       --load-pubkey=str      Loads a public key file
       --load-certificate=str Loads a certificate file
       --dlv=str              Sets a DLV file
       --hash=str             Hash algorithm to use for signing
       --check=str            Check a host's DANE TLSA entry
       --check-ee             Check only the end-entity's certificate
       --check-ca             Check only the CA's certificate
       --tlsa-rr              Print the DANE RR data on a certificate or public key
                                - requires the option 'host'
       --host=str             Specify the hostname to be used in the DANE RR
       --proto=str            The protocol set for DANE data (tcp, udp etc.)
       --port=str             The port or service to connect to, for DANE data
       --app-proto=str        an alias for the 'starttls-proto' option
       --starttls-proto=str   The application protocol to be used to obtain the server's certificate
                              (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)
       --ca                   Whether the provided certificate or public key is a Certificate
                              Authority
       --x509                 Use the hash of the X.509 certificate, rather than the public key
       --local                an alias for the 'domain' option
                                - enabled by default
       --domain               The provided certificate or public key is issued by the local domain
                                - disabled as '--no-domain'
                                - enabled by default
       --local-dns            Use the local DNS server for DNSSEC resolving
                                - disabled as '--no-local-dns'
       --insecure             Do not verify any DNSSEC signature
       --inder                Use DER format for input certificates and private keys
                                - disabled as '--no-inder'
       --inraw                an alias for the 'inder' option
       --print-raw            Print the received DANE data in raw format
                                - disabled as '--no-print-raw'
       --quiet                Suppress several informational messages
   -v, --version[=arg]        output version information and exit
   -h, --help                 display extended usage information and exit
   -!, --more-help            extended usage information passed thru pager

Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.

Tool to generate and check DNS resource records for the DANE protocol.

@end example
@exampleindent 4

@anchor{danetool debug}
@subsubheading debug option (-d)

This is the ``enable debugging'' option.
This option takes a number argument.
Specifies the debug level.
@anchor{danetool load-pubkey}
@subsubheading load-pubkey option

This is the ``loads a public key file'' option.
This option takes a string argument.
This can be either a file or a PKCS #11 URL.
@anchor{danetool load-certificate}
@subsubheading load-certificate option

This is the ``loads a certificate file'' option.
This option takes a string argument.
This can be either a file or a PKCS #11 URL.
@anchor{danetool dlv}
@subsubheading dlv option

This is the ``sets a dlv file'' option.
This option takes a string argument.
This sets a DLV file to be used for DNSSEC verification.
@anchor{danetool hash}
@subsubheading hash option

This is the ``hash algorithm to use for signing'' option.
This option takes a string argument.
Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512.
@anchor{danetool check}
@subsubheading check option

This is the ``check a host's dane tlsa entry'' option.
This option takes a string argument.
Obtains the DANE TLSA entry for the given hostname and prints information about it. Note that the actual certificate of the host can be provided using @option{--load-certificate}; otherwise danetool will connect to the server to obtain it. The exit code on verification success will be zero.
@anchor{danetool check-ee}
@subsubheading check-ee option

This is the ``check only the end-entity's certificate'' option.
Checks the end-entity's certificate only. Trust anchors or CAs are not considered.
@anchor{danetool check-ca}
@subsubheading check-ca option

This is the ``check only the ca's certificate'' option.
Checks the trust anchor's and CA's certificate only. End-entities are not considered.
@anchor{danetool tlsa-rr}
@subsubheading tlsa-rr option

This is the ``print the dane rr data on a certificate or public key'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
must appear in combination with the following options:
host.
@end itemize

This command prints the DANE RR data needed to enable DANE on a DNS server.
@anchor{danetool host}
@subsubheading host option

This is the ``specify the hostname to be used in the dane rr'' option.
This option takes a string argument @file{Hostname}.
This command sets the hostname for the DANE RR.
@anchor{danetool proto}
@subsubheading proto option

This is the ``the protocol set for dane data (tcp, udp etc.)'' option.
This option takes a string argument @file{Protocol}.
This command specifies the protocol for the service set in the DANE data.
@anchor{danetool app-proto}
@subsubheading app-proto option

This is an alias for the @code{starttls-proto} option,
@pxref{danetool starttls-proto, the starttls-proto option documentation}.

@anchor{danetool starttls-proto}
@subsubheading starttls-proto option

This is the ``the application protocol to be used to obtain the server's certificate (https, ftp, smtp, imap, ldap, xmpp, lmtp, pop3, nntp, sieve, postgres)'' option.
This option takes a string argument.
When the server's certificate isn't provided, danetool will connect to the server to obtain the certificate. In that case it needs to know which application protocol to speak with the server before initiating the TLS handshake.
@anchor{danetool ca}
@subsubheading ca option

This is the ``whether the provided certificate or public key is a certificate authority'' option.
Marks the DANE RR as a CA certificate if specified.
@anchor{danetool x509}
@subsubheading x509 option

This is the ``use the hash of the x.509 certificate, rather than the public key'' option.
This option forces the generated record to contain the hash of the full X.509 certificate. By default only the hash of the public key is used.
@anchor{danetool local}
@subsubheading local option

This is an alias for the @code{domain} option,
@pxref{danetool domain, the domain option documentation}.

@anchor{danetool domain}
@subsubheading domain option

This is the ``the provided certificate or public key is issued by the local domain'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
can be disabled with --no-domain.
@item
It is enabled by default.
@end itemize

DANE distinguishes certificates and public keys offered via DNSSEC as belonging either to trusted (CA) entities or to the local domain. This flag indicates that this is a domain-issued certificate, meaning that there need not be any CA involved.
@anchor{danetool local-dns}
@subsubheading local-dns option

This is the ``use the local dns server for dnssec resolving'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
can be disabled with --no-local-dns.
@end itemize

This option will use the local DNS server for DNSSEC.
This is disabled by default because many DNS servers do not allow DNSSEC resolving.
@anchor{danetool insecure}
@subsubheading insecure option

This is the ``do not verify any dnssec signature'' option.
Ignores any DNSSEC signature verification results.
@anchor{danetool inder}
@subsubheading inder option

This is the ``use der format for input certificates and private keys'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
can be disabled with --no-inder.
@end itemize

The input files will be assumed to be in DER or RAW format.
Unlike PEM input, where an option may accept multiple data items (e.g. multiple
certificates), reading in DER format yields a single data structure.
@anchor{danetool inraw}
@subsubheading inraw option

This is an alias for the @code{inder} option,
@pxref{danetool inder, the inder option documentation}.

@anchor{danetool print-raw}
@subsubheading print-raw option

This is the ``print the received dane data in raw format'' option.

@noindent
This option has some usage constraints. It:
@itemize @bullet
@item
can be disabled with --no-print-raw.
@end itemize

This option will print the received DANE data.
@anchor{danetool quiet}
@subsubheading quiet option

This is the ``suppress several informational messages'' option.
In that case the exit code can be used as an indication of verification success.
@anchor{danetool exit status}
@subsubheading danetool exit status

One of the following exit values will be returned:
@table @samp
@item 0 (EXIT_SUCCESS)
Successful program execution.
@item 1 (EXIT_FAILURE)
The operation failed or the command syntax was not valid.
@end table
@anchor{danetool See Also}
@subsubheading danetool See Also
certtool (1)
@anchor{danetool Examples}
@subsubheading danetool Examples
@subsubheading DANE TLSA RR generation

To create a DANE TLSA resource record for a certificate (or public key)
that was issued locally and may or may not be signed by a CA, use the following command.
@example
$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem
@end example

To create a DANE TLSA resource record for a CA-signed certificate, which will
be marked as such, use the following command.
@example
$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
  --no-domain
@end example

The former is useful to add to your DNS entry even if your certificate is signed
by a CA. That way even users who do not trust your CA will be able to verify your
certificate using DANE.

In order to create a record for the CA signer of your certificate, use the following.
@example
$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
  --ca --no-domain
@end example

To read a server's DANE TLSA entry, use:
@example
$ danetool --check www.example.com --proto tcp --port 443
@end example

To verify an HTTPS server's DANE TLSA entry, use:
@example
$ danetool --check www.example.com --proto tcp --port 443 --load-certificate chain.pem
@end example

To verify an SMTP server's DANE TLSA entry, use:
@example
$ danetool --check www.example.com --proto tcp --starttls-proto=smtp --load-certificate chain.pem
@end example
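The examples above combine @option{--domain}/@option{--no-domain}, @option{--ca} and @option{--x509} to choose the certificate usage, selector and matching type fields of the resulting TLSA record, and @option{--check} compares a certificate against such a record. The following Python script is an added illustration, not code from GnuTLS or danetool: it derives a record in RFC 6698 presentation format from DER certificate bytes and re-checks a certificate against a record. It assumes the option-to-field mapping described in this section (domain-issued and not CA gives usage 3, domain-issued CA gives 2, CA-signed end entity gives 1, external CA gives 0; @option{--x509} selects the full certificate instead of the SubjectPublicKeyInfo), and it feeds itself a constructed, unsigned placeholder certificate; danetool's exact printed layout is not reproduced.

```python
import hashlib

# RFC 6698 certificate usage, indexed by (domain-issued?, CA?) as set by --domain/--ca (assumed mapping).
USAGE = {(True, False): 3, (True, True): 2, (False, False): 1, (False, True): 0}
SELECTOR_FULL_CERT, SELECTOR_SPKI = 0, 1        # --x509 selects the full certificate
MATCHING = {"sha256": 1, "sha512": 2}           # the digests RFC 6698 defines

def der(tag, payload):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_iter(data):
    """Yield (tag, whole_tlv, value) for each element of a constructed DER value."""
    pos = 0
    while pos < len(data):
        tag, length, hdr = data[pos], data[pos + 1], 2
        if length & 0x80:                       # long form: low bits count the length bytes
            n = length & 0x7F
            length = int.from_bytes(data[pos + 2:pos + 2 + n], "big")
            hdr += n
        yield tag, data[pos:pos + hdr + length], data[pos + hdr:pos + hdr + length]
        pos += hdr + length

def extract_spki(cert_der):
    """Return the SubjectPublicKeyInfo TLV of a DER certificate (RFC 5280 field order)."""
    _, _, cert_body = next(der_iter(cert_der))  # Certificate ::= SEQUENCE
    _, _, tbs_body = next(der_iter(cert_body))  # tbsCertificate ::= SEQUENCE
    fields = list(der_iter(tbs_body))
    if fields[0][0] == 0xA0:                    # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5][1]  # serial, signature, issuer, validity, subject, subjectPublicKeyInfo

def tlsa_record(host, port, proto, cert_der, *, domain=True, ca=False, x509=False, hash_alg="sha256"):
    """TLSA record in RFC 6698 presentation format for the given option combination."""
    selector = SELECTOR_FULL_CERT if x509 else SELECTOR_SPKI
    data = cert_der if x509 else extract_spki(cert_der)
    digest = hashlib.new(hash_alg, data).hexdigest()
    return f"_{port}._{proto}.{host}. IN TLSA {USAGE[(domain, ca)]} {selector} {MATCHING[hash_alg]} {digest}"

def matches_record(record, cert_der):
    """The comparison behind --check: recompute the record's digest over the supplied certificate."""
    selector, matching, data = record.split()[4:7]
    subject = cert_der if selector == "0" else extract_spki(cert_der)
    alg = {"1": "sha256", "2": "sha512"}[matching]
    return hashlib.new(alg, subject).hexdigest() == data.lower()

# Constructed placeholder certificate: correct X.509 layout, dummy key bits and signature.
SEQ, SET, INT, BITS, NULL, OID, UTF8, UTCTIME = 0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17
SHA256_RSA = der(SEQ, der(OID, bytes.fromhex("2a864886f70d01010b")) + der(NULL, b""))
RSA_ENC = der(SEQ, der(OID, bytes.fromhex("2a864886f70d010101")) + der(NULL, b""))
def x509_name(cn): return der(SEQ, der(SET, der(SEQ, der(OID, bytes.fromhex("550403")) + der(UTF8, cn))))
SPKI = der(SEQ, RSA_ENC + der(BITS, b"\x00" + der(SEQ, der(INT, b"\x03") + der(INT, b"\x03"))))
TBS = der(SEQ, der(0xA0, der(INT, b"\x02")) + der(INT, b"\x01") + SHA256_RSA + x509_name(b"Constructed CA")
          + der(SEQ, der(UTCTIME, b"240101000000Z") + der(UTCTIME, b"250101000000Z"))
          + x509_name(b"www.example.com") + SPKI)
CERT_DER = der(SEQ, TBS + SHA256_RSA + der(BITS, b"\x00" * 9))

if __name__ == "__main__":
    print(tlsa_record("www.example.com", 443, "tcp", CERT_DER))                          # --domain (default)
    print(tlsa_record("www.example.com", 443, "tcp", CERT_DER, domain=False, ca=True))   # --ca --no-domain
```

Because the default selector hashes only the SubjectPublicKeyInfo, a record made for a self-issued certificate keeps matching after the same key is re-certified by a CA, which is why the first example is useful even for CA-signed certificates.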