'\" t
.\"     Title: tlsa
.\"    Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1
.\"      Date: December 7, 2015
.\"    Manual: Internet / DNS
.\"    Source: Paul Wouters
.\"  Language: English
.\"
.TH "TLSA" "1" "December 7, 2015" "Paul Wouters" "Internet / DNS"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
tlsa \- Create and verify RFC\-6698 TLSA DNS records
.SH "SYNTAX"
.PP
tlsa [\fB\-h\fR] [\fB\-\-verify\fR] [\fB\-\-create\fR] [\fB\-\-version\fR] [\fB\-4\fR] [\fB\-6\fR] [\fB\-\-insecure\fR] [\fB\-\-resolvconf /PATH/TO/RESOLV\&.CONF\fR] [\fB\-\-port PORT\fR] [\fB\-\-starttls {auto,smtp,imap,pop3,ftp}\fR] [\fB\-\-protocol {tcp,udp,sctp}\fR] [\fB\-\-only\-rr\fR] [\fB\-\-rootkey /PATH/TO/ROOT\&.KEY\fR] [\fB\-\-ca\-cert /PATH/TO/CERTSTORE\fR] [\fB\-\-debug\fR] [\fB\-\-quiet\fR] [\fB\-\-certificate CERTIFICATE\fR] [\fB\-\-output {rfc,generic,both}\fR] [\fB\-\-usage {0,1,2,3}\fR] [\fB\-\-selector {0,1}\fR] [\fB\-\-mtype {0,1,2}\fR] \fIhostname\fR
.SH "DESCRIPTION"
.PP
tlsa generates RFC\-6698 TLSA DNS records\&.
.PP
To generate these records for older nameserver implementations that do not yet support the TLSA record type, specify \fI\-\-output generic\fR to print the TLSA data in Generic Record (RFC\-3597) format\&. Records are generated by connecting to the host over TLS and retrieving the end\-entity (EE) certificate together with the CA chain\&. Depending on the usage, selector and matching type chosen, this material is hashed or copied into the TLSA record\&. Currently, tlsa has no AXFR support for en masse TLSA record generation\&.
.SH "OPTIONS"
.PP
\fB\-\-create\fR
.RS 4
Create a TLSA record
.RE
.PP
\fB\-\-verify\fR
.RS 4
Verify a TLSA record
.RE
.PP
\fB\-\-protocol\fR tcp | udp | sctp
.RS 4
Use a specific transport protocol (default: tcp)
.RE
.PP
\fB\-\-resolvconf\fR FILE
.RS 4
Specify a custom resolv\&.conf file (default: /etc/resolv\&.conf)\&. Pass an empty value (\-\-resolvconf="") to disable the default\&.
.RE
.PP
\fB\-\-port\fR PORT
.RS 4
Use the specified port (default: 443)
.RE
.PP
\fB\-\-starttls\fR no | smtp | imap | pop3 | ftp
.RS 4
STARTTLS type for protocols that need application\-level commands before the TLS handshake can begin\&. Supported are \*(Aqftp\*(Aq (port 21), \*(Aqsmtp\*(Aq (port 25), \*(Aqpop3\*(Aq (port 110) and \*(Aqimap\*(Aq (port 143)\&. By default the type is selected from the port number\&. The value \*(Aqno\*(Aq overrides auto detection\&.
.RE
.PP
\fB\-\-only\-rr\fR
.RS 4
Only print the DNS TLSA record
.RE
.PP
\fB\-\-certificate\fR file\&.crt
.RS 4
Use the specified certificate file instead of retrieving the certificate from the server\&. Can be a single certificate or a complete chain\&.
.RE
.PP
\fB\-\-ca\-cert\fR directory
.RS 4
Use the specified directory containing CA bundles for CA validation (default: /etc/pki/tls/certs)
.RE
.PP
\fB\-\-rootkey\fR filename
.RS 4
Use the specified file to read the DNSSEC root key (in anchor or bind format)
.RE
.PP
\fB\-\-output\fR rfc | generic | both
.RS 4
Output format of the TLSA record\&. "TLSA" for rfc, "TYPE52" for generic (default: rfc)
.RE
.PP
\fB\-\-usage\fR 0 | 1 | 2 | 3
.RS 4
Usage type: CA constraint with a public CA (0), EE certificate validated by a public CA (1), private CA as trust anchor (2), private EE certificate (3) (default: 3)
.RE
.PP
\fB\-\-selector\fR 0 | 1
.RS 4
The selector describes which part of the certificate the record covers: the full certificate (0) or only its public key (1) (default: 0)
.RE
.PP
\fB\-\-mtype\fR 0 | 1 | 2
.RS 4
Matching type of the TLSA data: exact match on the content (0), SHA\-256 hash (1) or SHA\-512 hash (2) (default: 0)
.RE
.PP
If neither \-\-create nor \-\-verify is specified, \-\-create is assumed\&.
.SH "REQUIREMENTS"
.PP
tlsa requires the following Python libraries: unbound, m2crypto, argparse and ipaddr
.SH "BUGS"
.PP
IPv4/IPv6 handling
.SH "EXAMPLES"
.PP
Typical usage:
.PP
tlsa www\&.fedoraproject\&.org
.PP
tlsa \-\-verify \-4 nohats\&.ca
.PP
tlsa \-\-create \-\-insecure fedoraproject\&.org
.SH "SEE ALSO"
.PP
\fBsshfp\fR(1), \fBssh\-keygen\fR(1) and RFC\-6698
.PP
\m[blue]\fBhttp://people\&.redhat\&.com/pwouters/hash\-slinger/\fR\m[]
.PP
\m[blue]\fBhttp://os3sec\&.org/\fR\m[]
.SH "AUTHORS"
.PP
Pieter Lexis
.SH "COPYRIGHT"
.PP
Copyright 2012
.PP
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version\&. See <\m[blue]\fBhttp://www\&.fsf\&.org/copyleft/gpl\&.txt\fR\m[]>\&.
.PP
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License (file COPYING in the distribution) for more details\&.
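The record construction behind \-\-create and \-\-verify, including the \-\-usage, \-\-selector and \-\-mtype fields and the RFC\-3597 "TYPE52" form selected by \-\-output generic, as an added Python example that is not hash\-slinger's own code. The certificate bytes are a constructed placeholder, and for selector 1 the caller is assumed to pass the SubjectPublicKeyInfo DER itself rather than the whole certificate.

```python
# Added example (not part of hash-slinger): build and verify RFC 6698 TLSA
# rdata and render it in both the native TLSA and the RFC 3597 generic form.
import hashlib

# Matching type (mtype): 0 = exact content, 1 = SHA-256, 2 = SHA-512.
_MATCH = {0: lambda d: d,
          1: lambda d: hashlib.sha256(d).digest(),
          2: lambda d: hashlib.sha512(d).digest()}

def tlsa_rdata(data, usage=3, selector=0, mtype=1):
    """Wire-format rdata for `data`: the DER of the full certificate
    (selector 0) or of its SubjectPublicKeyInfo (selector 1). The caller
    supplies the right bytes; no ASN.1 parsing is done here (assumption)."""
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in _MATCH:
        raise ValueError("invalid usage/selector/matching type")
    return bytes([usage, selector, mtype]) + _MATCH[mtype](data)

def owner_name(hostname, port=443, proto="tcp"):
    # RFC 6698 section 3: _<port>._<proto>.<hostname>.
    return "_%d._%s.%s." % (port, proto, hostname.rstrip("."))

def format_record(hostname, rdata, port=443, proto="tcp", output="rfc"):
    """Presentation form: "rfc" uses the TLSA RR type, "generic" uses the
    RFC 3597 \\# <length> <hex> form for servers that do not know type 52."""
    owner = owner_name(hostname, port, proto)
    lines = []
    if output in ("rfc", "both"):
        lines.append("%s IN TLSA %d %d %d %s"
                     % (owner, rdata[0], rdata[1], rdata[2], rdata[3:].hex()))
    if output in ("generic", "both"):
        lines.append("%s IN TYPE52 \\# %d %s" % (owner, len(rdata), rdata.hex()))
    if not lines:
        raise ValueError("output must be rfc, generic or both")
    return "\n".join(lines)

def verify(rdata, presented):
    """True when the presented certificate/SPKI bytes match the record's
    certificate association data under the record's own matching type."""
    mtype = rdata[2]
    if len(rdata) < 4 or mtype not in _MATCH:
        return False
    return rdata[3:] == _MATCH[mtype](presented)

if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; tlsa would fetch the real
    # EE certificate from the server instead.
    cert_der = b"\x30\x82\x01\x00 constructed-cert-placeholder"
    rr = tlsa_rdata(cert_der, usage=3, selector=0, mtype=1)
    print(format_record("www.example.com", rr, output="both"))
    print("matches:", verify(rr, cert_der))
```

With mtype 1 the generic form always carries 3 + 32 = 35 bytes, which is why the "\# 35" length prefix appears for every SHA\-256 record regardless of certificate size.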