|author||Willem Toorop <willem@NLnetLabs.nl>||2012-10-16 13:59:41 +0200|
|committer||Willem Toorop <willem@NLnetLabs.nl>||2012-10-16 13:59:41 +0200|
Merge in 1.6.14rc2 changes:
- Paul Wouter's suggestion to have a create and a verify option to ldns-dane and configurable CAfile and CApath and configurable trust anchor and
- Get rid of doxygen-1.8 warnings
Diffstat (limited to 'examples/ldns-dane.1.in')
1 files changed, 179 insertions, 0 deletions
diff --git a/examples/ldns-dane.1.in b/examples/ldns-dane.1.in
new file mode 100644
@@ -0,0 +1,179 @@
+.TH ldns-dane 1 "17 September 2012"
+ldns-dane \- verify or create TLS authentication with DANE (RFC6698)
+] ] ]
+In the first form:
+A TLS connection to \fIname\fR:\fIport\fR is established.
+The TLSA resource record(s) for \fIname\fR are used to authenticate
+In the second form:
+The TLSA record(s) are read from \fItlsafile\fR and used to authenticate
+the TLS service they reference.
+In the third form:
+A TLS connection to \fIname\fR:\fIport\fR is established and used to
+create the TLSA resource record(s) that would authenticate the connection.
+The parameters for TLSA rr creation are:
+Service certificate constraint
+Trust anchor assertion
+Domain-issued certificate (default)
+Full certificate (default)
+No hash used
+In stead of numbers the first few letters of the value may be used.
+Except for the hash algorithm name, where the full name must be specified.
+TLS connect IPv4 only
+TLS connect IPv6 only
+.IP "-a \fIaddress\fR"
+Don't try to resolve \fIname\fR, but connect to \fIaddress\fR instead.
+This option may be given more than once.
+print "\fIname\fR\. TYPE52 \\# \fIsize\fR \fIhexdata\fR" form instead
+of TLSA presentation format.
+.IP "-c \fIcertfile\fR"
+Do not TLS connect to \fIname\fR:\fIport\fR, but authenticate (or make
+TLSA records) for the certificate (chain) in \fIcertfile\fR instead.
+Assume DNSSEC validity even when the TLSA records were acquired insecure
+or were bogus.
+.IP "-f \fICAfile\fR"
+Use CAfile to validate. @DEFAULT_CAFILE@
+Print short usage help
+Interact after connecting.
+.IP "-k \fIkeyfile\fR"
+Specify a file that contains a trusted DNSKEY or DS rr.
+Key(s) are used when chasing signatures (i.e. \fI-S\fR is given).
+This option may be given more than once.
+Alternatively, if \fB-k\fR is not specified, and a default trust anchor
+(@LDNS_TRUST_ANCHOR_FILE@) exists and contains a valid DNSKEY or DS record,
+it will be used as the trust anchor.
+Do \fBnot\fR verify server name in certificate.
+.IP "-o \fIoffset\fR"
+When creating a "Trust anchor assertion" TLSA resource record,
+select the \fIoffset\fRth certificate offset from the end
+of the validation chain. 0 means the last certificate, 1 the one but last,
+2 the second but last, etc.
+When \fIoffset\fR is -1 (the default), the last certificate
+is used (like with 0) that MUST be self-signed. This can help to make
+sure that the intended (self signed) trust anchor is actually present
+in the server certificate chain (which is a DANE requirement).
+.IP "-p \fICApath\fR"
+Use certificates in the \fICApath\fR directory to validate. @DEFAULT_CAPATH@
+When creating TLSA resource records with the "CA Constraint" and the
+"Service Certificate Constraint" certificate usage, do not validate and
+assume PKIX is valid.
+For "CA Constraint" this means that verification should end with a
+Chase signature(s) to a known key.
+Without this option, the local network is trusted to provide
+a DNSSEC resolver (i.e. AD bit is checked).
+.IP "-t \fItlsafile\fR"
+Read TLSA record(s) from \fItlsafile\fR. When \fIname\fR and \fIport\fR
+are also given, only TLSA records that match the \fIname\fR, \fIport\fR and
+\fItransport\fR are used. Otherwise the owner name of the TLSA record(s)
+will be used to determine \fIname\fR, \fIport\fR and \fItransport\fR.
+Use UDP transport instead of TCP.
+Show version and exit.
+The file from which trusted keys are loaded for signature chasing,
+when no \fB-k\fR option is given.
+.SH "SEE ALSO"
+Written by the ldns team as an example for ldns usage.
+.SH REPORTING BUGS
+Report bugs to \fIldnsemail@example.com\fR.
+Copyright (C) 2012 NLnet Labs. This is free software. There is NO
+warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
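Review bot: the option described as "Assume DNSSEC validity even when the TLSA records were acquired insecure or were bogus" should say explicitly that it removes the DNSSEC guarantee DANE relies on, so a reader does not treat it as a normal operational switch; a sentence such as "Intended for testing only; with this option a spoofed TLSA record is accepted as authentic" would make the risk clear, and the same wording would help the "Do \fBnot\fR verify server name in certificate" option. Separately, the address in "Report bugs to \fIldnsemail@example.com\fR." looks like a placeholder and should be replaced with the project's real contact before the manual page ships.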