
tlsa - Create and verify RFC-6698 TLSA DNS records

Authors

       Pieter Lexis <pieter.lexis@os3.nl>

Bugs

       ipv4/ipv6 handling

Description

       tlsa generates RFC-6698 TLSA DNS records. To generate these records for older nameserver implementations
       that do not yet support the TLSA record, specify --output generic to output the TLSA data in Generic
       Record (RFC-3597) format. Records are generated by connecting to the site using SSL and grabbing the
       end-entity (EE) certificate and the CA chain. Depending on the type and selector used, this information
       is used to generate the TLSA records. Currently, tlsa has no AXFR support for en masse TLSA record
       generation.

Examples

       typical usage:

       tlsa www.fedoraproject.org

       tlsa --verify -4 nohats.ca

       tlsa --create --insecure fedoraproject.org

Name

       tlsa - Create and verify RFC-6698 TLSA DNS records

Options

       --create
           Create a TLSA record

       --verify
           Verify a TLSA record

       --protocol tcp | udp | sctp
           Use a specific transport protocol (default: tcp)

       --resolvconf FILE
           Specify a custom resolv.conf file (default: /etc/resolv.conf). Pass empty value (--resolvconf="") to
           disable default.

       --port PORT
           Use specified port (default: 443)

       --starttls no | smtp | imap | pop3 | ftp
           Start script type for protocols which need special commands to start a TLS connection. Supported are
           'ftp' (port 21), 'smtp' (port 25), 'pop3' (port 110) and 'imap' (port 143). The default selects the
           type based on the port number. The value 'no' overrides auto detection.

       --only-rr
           Only print the DNS TLSA record

       --certificate file.crt
           Use specified certificate file, instead of retrieving the certificate from the server. Can be a
           single cert or a complete chain.

       --ca-cert directory
           Use specified directory containing CA bundles for CA validation (default: /etc/pki/tls/certs)

       --rootkey filename
           Use specified file to read the DNSSEC root key (in anchor or bind format)

       --output rfc | generic | both
           Output format of TLSA record. "TLSA" for rfc, "TYPE52" for generic (default: rfc)

       --usage 0 | 1 | 2 | 3
           Usage type: public CA (0), EE match validated by public CA (1), private CA (2), private EE (3)
           (default: 3)

       --selector 0 | 1
           The selector describes what the certificate association data covers: the full certificate (0) or the
           public key (1) (default: 0)

       --mtype 0 | 1 | 2
           Type of the TLSA data. Exact match on content (0), SHA256 (1) or SHA512 (2) (default: 0)

       If neither --create nor --verify is specified, --create is assumed.
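       As an added worked example (not code from the tlsa tool itself), the following Python shows how the
       --usage, --selector and --mtype values map onto TLSA RDATA and how the native TLSA (RFC-6698) and
       generic TYPE52 (RFC-3597) presentation forms are derived from a DER certificate. The DER walker is
       written for this example, and SAMPLE_CERT is a constructed X.509 skeleton, not a real certificate.

```python
import hashlib

def der_tlv(buf, pos=0):
    """Decode the DER TLV at buf[pos]; returns (tag, value, end_offset). Handles long-form lengths."""
    tag, ln, hdr = buf[pos], buf[pos + 1], 2
    if ln & 0x80:                                   # long form: next (ln & 0x7F) bytes hold the length
        n = ln & 0x7F
        ln, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), hdr + n
    return tag, buf[pos + hdr:pos + hdr + ln], pos + hdr + ln

def der_children(body):
    """Split a constructed value into its child TLVs, each kept whole (tag + length + value)."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, end = der_tlv(body, pos)
        out.append((tag, body[pos:end]))
        pos = end
    return out

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (the data selector 1 covers)."""
    _, cert_body, _ = der_tlv(cert_der)
    _, tbs_body, _ = der_tlv(der_children(cert_body)[0][1])   # tbsCertificate is the first child
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                                   # explicit [0] version present (v2/v3)
        fields = fields[1:]
    return fields[5][1]          # serial, signature, issuer, validity, subject, subjectPublicKeyInfo

def tlsa_rdata(cert_der, usage, selector, mtype):
    """TLSA RDATA: usage, selector, matching type, then the certificate association data."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype:                                    # 1 = SHA-256, 2 = SHA-512; 0 keeps the full content
        data = hashlib.new({1: "sha256", 2: "sha512"}[mtype], data).digest()
    return bytes([usage, selector, mtype]) + data

def tlsa_records(host, cert_der, port=443, proto="tcp", usage=3, selector=0, mtype=0):
    """Presentation forms: native TLSA (RFC 6698) and generic TYPE52 (RFC 3597, \\# length hex)."""
    rdata = tlsa_rdata(cert_der, usage, selector, mtype)
    owner = f"_{port}._{proto}.{host}."
    rfc = f"{owner} IN TLSA {usage} {selector} {mtype} {rdata[3:].hex()}"
    generic = f"{owner} IN TYPE52 \\# {len(rdata)} {rdata.hex()}"
    return rfc, generic

# Constructed sample: a structurally valid X.509 v3 skeleton with empty names and a dummy key (not a real cert).
SAMPLE_CERT = bytes.fromhex(
    "302a 3023 a003020102 020101 3000 3000 3000 3000"   # tbsCertificate: version, serial, 4 empty SEQUENCEs
    " 3011 3009 0607 2a8648ce3d0201 0304 0004aabb"      # subjectPublicKeyInfo: ecPublicKey OID, dummy point
    " 3000 030100"                                      # signatureAlgorithm, signatureValue
)
```

       Calling tlsa_records("www.example.com", SAMPLE_CERT, usage=3, selector=1, mtype=1) yields the
       "3 1 1" record form the tool emits by default for a DANE-EE public-key hash.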

Requirements

       tlsa requires the following python libraries: unbound, m2crypto, argparse and ipaddr

See Also

Syntax

       tlsa [-h] [--verify] [--create] [--version] [-4] [-6] [--insecure] [--resolvconf /PATH/TO/RESOLV.CONF]
       [--port PORT] [--starttls {auto,smtp,imap,pop3,ftp}] [--protocol {tcp,udp,sctp}] [--only-rr]
       [--rootkey /PATH/TO/ROOT.KEY] [--ca-cert /PATH/TO/CERTSTORE] [--debug] [--quiet]
       [--certificate CERTIFICATE] [--output {rfc,generic,both}] [--usage {0,1,2,3}] [--selector {0,1}]
       [--mtype {0,1,2}] hostname
