NAME
convertar - Converts trust anchor repositories from one format to another
DESCRIPTION
convertar operates on input and output files of different Trust Anchor
Repository (TAR) formats. convertar decides what type of file format is
being referred to by a "type:filename" specification. Options can be
passed to the convertar module by using a '/' delimited specifier in the
type identifier, such as "type/option=value/other=othervalue:filename".
See below for a list of different input and output formats that convertar
understands by default and what options they take.
See the Net::DNS::SEC::Tools::TrustAnchor module and its documentation
for writing new plugins to allow convertar to understand other TAR
formats.
EXAMPLES
This command will read in an itar.xml file (available from
https://itar.iana.org/) and convert it to a file that can be read in by BIND's
named application:
# convertar -i itar:itar.xml -o bind:bind.conf
Read in multiple files, merge them together and write them out to two different
output file formats (the libval format is printed to stdout):
# convertar -i itar:itar.xml,csv:local.csv -o bind:bind.conf,libval:-
FILE SPECIFICATION CONVENTIONS
Types and files (e.g. for the -i and -o switches) are specified using the
following format:
type:/path/to/file
The type portion of the specification dictates what internal module will
attempt to read in the file. The file portion of the specification may or may
not be required (but the ':' always is) and may or may not point to a real
file, depending on the module in charge of the content. Some modules may, for
example, load content from the network. For types that can read and write to a
file, a '-' may be specified as the file to print to standard output or read
from standard input.
File formats MAY be inferred from a trailing suffix, if the trailing suffix. E.g.,
if a referenced file is foo.csv then internally convertar will translate this
to "csv:foo.csv".
The following file formats are known by default to convertar:
- bind
- A BIND name server (named) compatible trust anchor
configuration file. This can be included within a master named.conf
file using the "include" directive.
The bind type can also take a /write_expectations=1 flag when writing. With
this flag, an options {} section is written that turns on DNSSEC and
requires validation for zones from all the imported data.
E.g. bind/write_expectations=1:named.conf
- secspider
- This is merely an alias that fetches the SecSpider
(http://secspider.cs.ucla.edu/) bind configuration file and then parses it
using the bind file format.
WARNING: The PGP signature on the downloaded file is NOT checked.
- csv
- A comma-separated list format.
- dump
- A Perl hash dump format. This should be used mostly
for debugging of newly developed modules as it shows the internal hash
structure that is passed between modules.
- itar
- IANA's itar format, which is an XML-based format of
trust anchor keys. IANA's file is available from https://itar.iana.org/.
When only 'itar:' (or itar:URL) is specified, convertar will
attempt to retrieve the current remote ITAR repository file directly.
WARNING: The PGP signature on the downloaded file is NOT checked.
NOTE: support for downloading the ITAR repository over the network requires
the LWP::UserAgent module to be installed.
- libval
- The libval format is the configuration file format
that DNSSEC-Tools' libval library uses.
The libval type can also take a /write_expectations=1 flag
when writing to specify that the default (:) zone-security-expectations
should be populated to require validation of all the zones with imported
data. All other zones will have a policy set to 'ignore'.
E.g. libval/write_expectations=1:dnsval.conf
- mf
- The master file (mf) format is also available from
the itar web site.
- dns
- The dns format performs live queries of records
attached to a domain name to request either DS or DNSKEY records. By
default, DNSKEY records will be queried. The specific type to be queried
can be specified by preceding the zone name with a "ds/" or
"dnskey/" prefix. Example valid 'dns:' type specifications:
dns:dnssec-tools.org
dns:ds/dnssec-tools.org
dns:dnskey/dnssec-tools.org
Also, if you want to read DNSKEY records from the network but convert them to
DS records, you can use the /tods flag:
dns/tods=1:dnssec-tools.org
The dns type cannot output records and is only useful for reading in
information.
WARNING: The keys and data being retrieved are not internally validated and
thus should not be trusted unless a secured resolver is being used.
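The warnings above can be applied as a pre-flight check on a -i argument before its output is trusted as a validator's anchor set. The following Python is an added example, not part of convertar or DNSSEC-Tools: parse_spec, trust_warning and audit_inputs are hypothetical names, and the parsing follows this page's description of the specification format, which is an assumption about convertar's own parser.

```python
# Added example: flag convertar input specs that this page warns about.
# Parsing follows the page's description; convertar's own parser may differ.

KNOWN_TYPES = {"bind", "secspider", "csv", "dump", "itar", "libval", "mf", "dns"}


def parse_spec(spec):
    """Split 'type/opt=val/...:filename' into (type, options, filename)."""
    if ":" in spec:
        # Split on the first ':' only, so itar:URL keeps the URL intact.
        type_part, filename = spec.split(":", 1)
    else:
        # Suffix inference as described above: foo.csv -> csv:foo.csv
        suffix = spec.rsplit(".", 1)[-1] if "." in spec else ""
        if suffix not in KNOWN_TYPES:
            raise ValueError(f"cannot infer type for {spec!r}")
        type_part, filename = suffix, spec
    name, *raw_opts = type_part.split("/")
    if name not in KNOWN_TYPES:
        raise ValueError(f"unknown type {name!r}")
    # 'option=value' pairs become a dict; a bare option maps to ''.
    options = dict(opt.partition("=")[::2] for opt in raw_opts)
    return name, options, filename


def trust_warning(spec):
    """Return the warning from this page that applies to an input, or None."""
    name, _options, filename = parse_spec(spec)
    if name == "secspider":
        return "network fetch, PGP signature not checked"
    if name == "itar" and (filename == "" or "://" in filename):
        return "network fetch, PGP signature not checked"
    if name == "dns":
        return "live DNS query, data not validated"
    return None


def audit_inputs(arg):
    """Audit a comma-separated -i argument; return {spec: warning}."""
    findings = {}
    for spec in arg.split(","):
        warning = trust_warning(spec)
        if warning:
            findings[spec] = warning
    return findings


if __name__ == "__main__":
    # Constructed sample -i argument, not taken from a real deployment.
    sample = "itar:,csv:local.csv,dns:ds/dnssec-tools.org"
    for spec, why in audit_inputs(sample).items():
        print(f"{spec}: {why}")
```

An empty result means every input is a local file, whose authenticity still has to be established by whatever process put the file there.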
OPTIONS
- -i STRING
- --input-file=STRING
- Input file(s) to process.
convertar will read in the specified file(s). Multiple files can be
separated by commas.
- -o STRING
- --output-file=STRING
- Output file(s) to write.
convertar will write out these specified file(s) in the requested
output formats. Multiple files can be separated by commas.
- -h
- --help
- --help-full
- Displays command line help information.
- --gui
- --no-gui
- Controls the use of the optional GUI.
COPYRIGHT
Copyright 2009-2012 SPARTA, Inc. All rights reserved. See the COPYING file
included with the DNSSEC-Tools package for details.
AUTHOR
Wes Hardaker < hardaker AT users DOT sourceforge DOT net >
SEE ALSO
Net::DNS::SEC::Tools::TrustAnchor(3)