DANE(1)				Internet / DNS			       DANE(1)

NAME
       dane - Generate TLSA/HASTLS DNS records by scanning SSL/TLS sites

SYNTAX
       dane [-v] [-q] [-h] [--draft|--rfc] [--sha256] [--sha512] [--full]
       [--insecure] [--pubkey] [--txt] [--eecert] [--cacert] [-4] [-6]
       [--axfr] [-n <nameserver>] host1 [host2 ...] [@nameserver]

DESCRIPTION
       dane generates TLSA/HASTLS records based on the IETF DANE working group
       proposal. These are currently in draft, so private RRTYPE assignments
       are used. Records are generated by connecting to the website using SSL
       and grabbing its (EE) certificate. If the nameserver of the domain
       allows zone transfers (AXFR), an entire domain can be processed for all
       its A/AAAA records.

OPTIONS
       -n / --nameserver <hostname1>
           Use specified nameserver for AXFR query

       -q / --quiet
           Suppress all warnings - useful when scanning lots of hosts where
           some do not run SSL

       --axfr
           Use AXFR. Implies -n nameserver (or @nameserver). Hosts are treated
           as zones to AXFR.

       --tlsa
           Output TLSA record from SSL server scan results (default)

       --eecert
           Output TLSA records for EE certificates (type 1) (default)

       --pubkey
           Output TLSA record for just the public key (type unassigned) (not
           implemented yet)

       --txt
           Output Kaminsky-style TXT record (not implemented yet)

       --cacert
           Output TLSA record for the entire CA chain and EE-cert (not yet
           implemented)

       --sha256
           Output TLSA records with reference type 1 (SHA256) (default)

       --sha512
           Output TLSA records with reference type 2 (SHA512)

       --full
           Output TLSA records with reference type 0 (full cert)

       --draft
           Output Unknown Resource Record format with a private RRTYPE
           assignment. This is used while the standard is still in draft form,
           and for when your nameserver does not (yet) support the new RRTYPE
           names. This option is the default (if --rfc is not specified) as
           long as DANE has not been released as an RFC.

       --rfc
           Specify records using the RRTYPEs TLSA (and HASTLS)

       --insecure
           Continue scanning even if the A/AAAA records could not be validated
           using DNSSEC

       -4
           Only use IPv4 networking - do not attempt to connect to AAAA SSL
           sites

       -6
           Only use IPv6 networking - do not attempt to connect to A SSL sites

       -h / --help
           Output help information and exit.

       -v / --version
           Output version information and exit.

FILES
       ~/.ssh/known_hosts

REQUIREMENTS
       dane requires python-dns and python-argparse (http://www.pythondns.org)

       Fedora: yum install python-dns python-argparse

       Debian: apt-get install python-dnspython python-argparse

BUGS
       I'm sure	there are

EXAMPLES
       typical usage:

       dane www.xelerance.com

       dane --rfc --sha512 www.xelerance.com

       dane --insecure --draft xelerance.com @ns0.xelerance.net
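       As an added illustration (not code from dane(1) or Xelerance) of how
       the --full/--sha256/--sha512 reference types and the --rfc/--draft
       output forms above differ, the following Python builds TLSA rdata from
       DER certificate bytes and prints it both ways. It assumes the final RFC
       6698 three-octet layout (usage, selector, matching type), an owner name
       of the form _443._tcp.<host>, a constructed byte string in place of a
       real certificate, and a placeholder private RRTYPE number, since this
       page does not give the one dane used.

```python
import hashlib

# Placeholder: the page says a private RRTYPE number was used while the spec
# was a draft but does not give it, so this value is an ASSUMPTION.
PRIVATE_TLSA_RRTYPE = 65534

# "reference type" as named on this page (--full, --sha256, --sha512)
REFERENCE_TYPES = {"full": 0, "sha256": 1, "sha512": 2}

# Constructed stand-in for DER certificate bytes; NOT a real certificate.
FAKE_DER_CERT = bytes(range(0x30, 0x40))


def association_data(der_cert: bytes, reference_type: int) -> bytes:
    """Certificate association data for one reference type."""
    if reference_type == 0:
        return der_cert  # full certificate, unhashed
    if reference_type == 1:
        return hashlib.sha256(der_cert).digest()
    if reference_type == 2:
        return hashlib.sha512(der_cert).digest()
    raise ValueError(f"unknown reference type {reference_type}")


def tlsa_rdata(der_cert: bytes, reference_type: int,
               usage: int = 1, selector: int = 0) -> bytes:
    """Wire rdata (layout assumed from RFC 6698: usage, selector, matching type
    i.e. the page's reference type, then data); usage 1/selector 0 = EE cert."""
    for name, value in (("usage", usage), ("selector", selector),
                        ("reference type", reference_type)):
        if not 0 <= value <= 255:
            raise ValueError(f"{name} must fit in one octet")
    return bytes([usage, selector, reference_type]) + \
        association_data(der_cert, reference_type)


def owner_name(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Assumed owner-name convention: _<port>._<proto>.<host>."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def tlsa_record(host: str, der_cert: bytes, reference_type: int,
                rfc: bool = True, usage: int = 1, selector: int = 0) -> str:
    """--rfc style (TLSA presentation) or --draft style (RFC 3597 generic)."""
    rdata = tlsa_rdata(der_cert, reference_type, usage, selector)
    if rfc:
        return (f"{owner_name(host)} IN TLSA {usage} {selector} "
                f"{reference_type} {rdata[3:].hex()}")
    return (f"{owner_name(host)} IN TYPE{PRIVATE_TLSA_RRTYPE} "
            f"\\# {len(rdata)} {rdata.hex()}")
```

       The --draft form carries the whole rdata, including the three leading
       octets, as an RFC 3597 hex blob, which is why a resolver that knows
       nothing about TLSA can still serve it.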

SEE ALSO
       sshfp(1), ssh(1) and RFC-XXXX

       http://www.xelerance.com/software/sshfp/

       http://lists.xelerance.com/mailman/listinfo/sshfp/

AUTHORS
       Paul Wouters <paul@xelerance.com>

COPYRIGHT
       Copyright 2011 Xelerance	Corporation

       This program is free software; you can redistribute it and/or modify it
       under the terms of the GNU General Public License as published by the
       Free Software Foundation; either	version	2 of the License, or (at your
       option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.

       This program is distributed in the hope that it will be useful, but
       WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A	PARTICULAR PURPOSE. See	the GNU
       General Public License (file COPYING in the distribution) for more
       details.

Paul Wouters			April 12, 2011			       DANE(1)
