'\" t
.\"     Title: dane
.\"    Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.76.1
.\"      Date: April 12, 2011
.\"    Manual: Internet / DNS
.\"    Source: Paul Wouters
.\"  Language: English
.\"
.TH "DANE" "1" "April 12, 2011" "Paul Wouters" "Internet / DNS"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dane \- Generate TLSA/HASTLS DNS records by scanning SSL/TLS sites
.SH "SYNTAX"
.PP
dane [\fB\-v\fR] [\fB\-q\fR] [\fB\-h\fR] [\fB\-v\fR] [\fB\-\-draft\fR|\fB\-\-rfc\fR] [\fB\-\-sha256\fR] [\fB\-\-sha512\fR] [\fB\-\-full\fR] [\fB\-\-insecure\fR] [\fB\-\-pubkey\fR] [\fB\-\-txt\fR] [\fB\-\-eecert\fR] [\fB\-\-cacert\fR] [\fB\-4\fR] [\fB\-6\fR] [\fB\-\-axfr\fR] [\fB\-n\fR <\fInameserver\fR>] \fIhost1\fR [\fIhost2 \&.\&.\&.\fR] [\fI@nameserver\fR]
.SH "DESCRIPTION"
.PP
dane generates TLSA/HASTLS records based on the IETF DANE working group proposal\&. These are currently in draft, so private RRTYPE assignments are used\&. Records are generated by connecting to the website using SSL and grabbing its (EE) certificate\&.
If the nameserver of the domain allows zone transfers (AXFR), an entire domain can be processed for all its A/AAAA records\&.
.SH "OPTIONS"
.PP
\fB\-n / \-\-nameserver\fR <\fIhostname1\fR>
.RS 4
Use the specified nameserver for the AXFR query
.RE
.PP
\fB\-q / \-\-quiet\fR
.RS 4
Suppress all warnings \- useful when scanning lots of hosts where some do not run SSL
.RE
.PP
\fB\-\-axfr\fR
.RS 4
Use AXFR\&. Implies \-n nameserver (or @nameserver)\&. Hosts are treated as zones to AXFR\&.
.RE
.PP
\fB\-\-tlsa\fR
.RS 4
Output TLSA record from SSL server scan results (default)
.RE
.PP
\fB\-\-eecert\fR
.RS 4
Output TLSA record for EE certificates (type 1) (default)
.RE
.PP
\fB\-\-pubkey\fR
.RS 4
Output TLSA record for just the public key (type unassigned) (not implemented yet)
.RE
.PP
\fB\-\-txt\fR
.RS 4
Output Kaminsky style TXT record (not implemented yet)
.RE
.PP
\fB\-\-cacert\fR
.RS 4
Output TLSA record for the entire CA chain and EE\-cert (not yet implemented)
.RE
.PP
\fB\-\-sha256\fR
.RS 4
Output TLSA record reference type 1 (SHA256) records (default)
.RE
.PP
\fB\-\-sha512\fR
.RS 4
Output TLSA record reference type 2 (SHA512) records
.RE
.PP
\fB\-\-full\fR
.RS 4
Output TLSA record reference type 0 (full cert) records
.RE
.PP
\fB\-\-draft\fR
.RS 4
Output Unknown Resource Record format with private RRTYPE assignment\&. This is used while the standard is still in draft form, and for when your nameserver does not (yet) support the new RRTYPE names\&. This option is the default (if \-\-rfc is not specified) as long as DANE has not been released as an RFC\&.
.RE
.PP
\fB\-\-rfc\fR
.RS 4
Specify records using the RRTYPE\*(Aqs TLSA (and HASTLS)
.RE
.PP
\fB\-\-insecure\fR
.RS 4
Continue scanning even if the A/AAAA records could not be validated using DNSSEC
.RE
.PP
\fB\-4\fR
.RS 4
Only use ipv4 networking \- do not attempt to connect to AAAA SSL sites
.RE
.PP
\fB\-6\fR
.RS 4
Only use ipv6 networking \- do not attempt to connect to A SSL sites
.RE
.PP
\fB\-h / \-\-help\fR
.RS 4
Output help information and exit\&.
.RE
.PP
\fB\-v / \-\-version\fR
.RS 4
Output version information and exit\&.
.RE
.SH "FILES"
.PP
~/\&.ssh/known_hosts
.SH "REQUIREMENTS"
.PP
dane requires python\-dns and python\-argparse (\m[blue]\fBhttp://www\&.pythondns\&.org\fR\m[])
.PP
Fedora: yum install python\-dns python\-argparse
.PP
Debian: apt\-get install python\-dnspython python\-argparse
.SH "BUGS"
.PP
I\*(Aqm sure there are
.SH "EXAMPLES"
.PP
typical usage:
.PP
dane www\&.xelerance\&.com
.PP
dane \-\-rfc \-\-sha512 www\&.xelerance\&.com
.PP
dane \-\-insecure \-\-draft xelerance\&.com @ns0\&.xelerance\&.net
.SH "SEE ALSO"
.PP
\fBsshfp\fR(1) \fBssh\fR(1) and RFC\-XXXX
.PP
\m[blue]\fBhttp://www\&.xelerance\&.com/software/sshfp/\fR\m[]
.PP
\m[blue]\fBhttp://lists\&.xelerance\&.com/mailman/listinfo/sshfp/\fR\m[]
.SH "AUTHORS"
.PP
Paul Wouters
.SH "COPYRIGHT"
.PP
Copyright 2011 Xelerance Corporation
.PP
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version\&. See <\m[blue]\fBhttp://www\&.fsf\&.org/copyleft/gpl\&.txt\fR\m[]>\&.
.PP
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE\&. See the GNU General Public License (file COPYING in the distribution) for more details\&.
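As an added example (not dane's own code), the following Python builds the record that the DESCRIPTION and the --sha256/--sha512/--full, --rfc and --draft options describe: it hashes the EE certificate for the chosen reference type and prints the result either with the TLSA RRTYPE name (--rfc) or in RFC 3597 unknown-RR format under a private RRTYPE number (--draft). The two-octet rdata layout (cert type, reference type), the _443._tcp owner-name prefix and the RRTYPE number 65534 are assumptions not stated on the page; SAMPLE_DER is a constructed stand-in for certificate bytes, and fetch_ee_cert_der is only for live use.

```python
import hashlib
import ssl

# Reference types as listed on the man page: 0 = full cert, 1 = SHA-256, 2 = SHA-512.
REFTYPE_FULL, REFTYPE_SHA256, REFTYPE_SHA512 = 0, 1, 2
CERTTYPE_EE = 1  # --eecert: end-entity certificate (type 1)
# ASSUMPTION: placeholder private-use RRTYPE number for --draft output; the
# page does not say which number dane used (65280-65534 is the private range).
PRIVATE_RRTYPE = 65534

def fetch_ee_cert_der(host, port=443):
    """Connect with TLS and return the server's EE certificate as DER (live)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)

def cert_association_data(der, reftype):
    """Certificate-for-association field for the chosen reference type."""
    if reftype == REFTYPE_FULL:
        return der
    if reftype == REFTYPE_SHA256:
        return hashlib.sha256(der).digest()
    if reftype == REFTYPE_SHA512:
        return hashlib.sha512(der).digest()
    raise ValueError("unknown reference type %r" % reftype)

def tlsa_rdata(der, reftype, certtype=CERTTYPE_EE):
    """ASSUMPTION: draft wire layout = cert type octet, reference type octet, data."""
    return bytes([certtype, reftype]) + cert_association_data(der, reftype)

def owner_name(host, port=443, proto="tcp"):
    """ASSUMPTION: _port._proto prefix convention for the owner name."""
    return "_%d._%s.%s." % (port, proto, host)

def rfc_record(host, der, reftype):
    """--rfc: presentation format using the TLSA RRTYPE name."""
    rdata = tlsa_rdata(der, reftype)
    return "%s IN TLSA %d %d %s" % (owner_name(host), rdata[0], rdata[1], rdata[2:].hex())

def draft_record(host, der, reftype):
    """--draft: RFC 3597 generic encoding (TYPEnnnn \\# length hex) for the private RRTYPE."""
    rdata = tlsa_rdata(der, reftype)
    return "%s IN TYPE%d \\# %d %s" % (owner_name(host), PRIVATE_RRTYPE, len(rdata), rdata.hex())

# Constructed stand-in for DER certificate bytes so the example runs offline.
SAMPLE_DER = b"constructed-stand-in-for-a-DER-encoded-certificate"

if __name__ == "__main__":
    for reftype in (REFTYPE_SHA256, REFTYPE_SHA512):
        print(rfc_record("www.example.com", SAMPLE_DER, reftype))
        print(draft_record("www.example.com", SAMPLE_DER, reftype))
```

For a live scan replace SAMPLE_DER with fetch_ee_cert_der(host); the --draft form is what to publish when the nameserver does not yet know the TLSA RRTYPE name.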