dane(1) [debian man page]

DANE(1) 							  Internet / DNS							   DANE(1)

NAME

       dane - Generate TLSA/HASTLS DNS records by scanning SSL/TLS sites

SYNTAX

       dane [-v] [-q] [-h] [-v] [--draft|--rfc] [--sha256] [--sha512] [--full] [--insecure] [--pubkey] [--txt] [--eecert] [--cacert] [-4] [-6]
       [--axfr] [-n <nameserver>] host1 [host2 ...]] [@nameserver]]

DESCRIPTION

       dane generates TLSA/HASTLS records based on the IETF DANE working group proposal. These are currently in draft, so private RRTYPE
       assignments are used. Records are generated by connecting to the website using SSL and grabbing its (EE) certificate. If the nameserver of
       the domain allows zone tranfers (AXFR), an entire domain can be processed for all its A/AAAA records.

OPTIONS

       -n / --nameserver <hostname1>
	   Use specified nameserver for AXFR query

       -q / --quiet
	   Supress all warnings - useful when scanning lots of host where some do not run SSL

       --axfr
	   Use AXFR. Implies -n nameserver (or @nameserver). Hosts are treated as zones to AXFR.

       --tlsa
	   Output TLSA record from SSL server scan results (default)

       --eecert
	   Output TLSA record format EE certificates (type 1) (default)

       --pubkey
	   Output TLSA record for just the public key (type unassined) (not implemented yet)

       --txt
	   Output Kaminsky style TXT record for (not implemented yet)

       --cacert
	   Output TLSA record for the entire CA chain and EE-cert (not yet implemented)

       --sha256
	   Output TLSA record reference type 1 (SHA256) records (default)

       --sha512
	   Output TLSA record reference type 2 (SHA512) records

       --full
	   Output TLSA record reference type 0 (full cert) records

       --draft
	   Output Unknown Resource Record format with private RRTYPE assignment. This is used while the standard is still in draft form, and for
	   when your nameserver does not (yet) support the new RRTYPE names. This option is the default (if --rfc is not specified) as long as
	   dane is has not be released as RFC.

       --rfc
	   Specify records using the RRTYPE's TLSA (and HASTLA)

       --insecure
	   Continue scanning even if the A/AAAA records could not be validated using DNSSEC

       -4
	   Only use ipv4 networking - do not attempt to connect to AAAA SSL sites

       -6
	   Only use ipv6 networking - do not attempt to connect to A SSL sites

       -h / --help
	   Output help information and exit.

       -v / --version
	   Output version information and exit.

FILES

       ~/.ssh/known_hosts

REQUIREMENTS

       dane requires python-dns and python-argparse(http://www.pythondns.org)

       Fedora: yum install python-dns python-argparse

       Debian: apt-get install python-dnspython python-argparse

BUGS

       I'm sure there are

EXAMPLES

       typical usage:

       dane www.xelerance.com

       dane --rfc --sha512 www.xelerance.com

       dane --insecure --draft xelerance.com @ns0.xelerance.net

SEE ALSO

       sshfp(1) ssh(1) and RFC-XXXX

       http://www.xelerance.com/software/sshfp/

       http://lists.xelerance.com/mailman/listinfo/sshfp/

AUTHORS

       Paul Wouters <paul@xelerance.com>

COPYRIGHT

       Copyright 2011 Xelerance Corporation

       This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by
       the Free Software Foundation; either version 2 of the License, or (at your option) any later version. See
       <http://www.fsf.org/copyleft/gpl.txt>.

       This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License (file COPYING in the distribution) for more
       details.

Paul Wouters							  April 12, 2011							   DANE(1)

dns(n)								Domain Name Service							    dns(n)

__________________________________________________________________________________________________________________________________________________

NAME

       dns - Tcl Domain Name Service Client

SYNOPSIS

       package require Tcl  8.2

       package require dns  ?1.3.3?

       ::dns::resolve query ?options?

       ::dns::configure ?options?

       ::dns::name token

       ::dns::address token

       ::dns::cname token

       ::dns::result token

       ::dns::status token

       ::dns::error token

       ::dns::reset token

       ::dns::wait token

       ::dns::cleanup token

       ::dns::nameservers

_________________________________________________________________

DESCRIPTION

       The  dns  package provides a Tcl only Domain Name Service client. You should refer to (1) and (2) for information about the DNS protocol or
       read resolver(3) to find out how the C library resolves domain names.  The intention of this package is to insulate Tcl scripts from  prob-
       lems  with  using  the system library resolver for slow name servers.  It may or may not be of practical use. Internet name resolution is a
       complex business and DNS is only one part of the resolver. You may find you are supposed to be using hosts files, NIS or WINS to name a few
       other systems. This package is not a substitute for the C library resolver - it does however implement name resolution over DNS.  The pack-
       age also extends the package uri to  support  DNS  URIs	(4)  of  the  form  dns:what.host.com  or  dns://my.nameserver/what.host.com.  The
       dns::resolve command can handle DNS URIs or simple domain names as a query.

       Note: The package defaults to using DNS over TCP connections. If you wish to use UDP you will need to have the tcludp package installed and
       have a version that correctly handles binary data (> 1.0.4).  This is available at http://tcludp.sourceforge.net/.  If the udp  package	is
       present then UDP will be used by default.

COMMANDS

       ::dns::resolve query ?options?
	      Resolve  a  domain  name	using  the DNS protocol. query is the domain name to be lookup up. This should be either a fully qualified
	      domain name or a DNS URI.

	      -nameserver hostname or -server hostname
		     Specify an alternative name server for this request.

	      -protocol tcp|udp
		     Specify the network protocol to use for this request. Can be one of tcp or udp.

	      -port portnum
		     Specify an alternative port.

	      -search domainlist

	      -timeout milliseconds
		     Override the default timeout.

	      -type TYPE
		     Specify the type of DNS record you are interested in. Valid values are A, NS, MD, MF, CNAME, SOA, MB, MG, MR, NULL, WKS, PTR,
		     HINFO,  MINFO,  MX,  TXT,	SPF,  SRV,  AAAA, AXFR, MAILB, MAILA and *.  See RFC1035 for details about the return values.  See
		     http://spf.pobox.com/ about SPF.  See (3) about AAAA records and RFC2782 for details of SRV records.

	      -class CLASS
		     Specify the class of domain name. This is usually IN but may be one of IN for internet domain names, CS, CH, HS or * for  any
		     class.

	      -recurse boolean
		     Set to false if you do not want the name server to recursively act upon your request. Normally set to true.

	      -command procname
		     Set a procedure to be called upon request completion. The procedure will be passed the token as its only argument.

       ::dns::configure ?options?
	      The  ::dns::configure command is used to setup the dns package. The server to query, the protocol and domain search path are all set
	      via this command. If no arguments are provided then a list of all the current settings is returned.  If only one	argument  then	it
	      must the the name of an option and the value for that option is returned.

	      -nameserver hostname
		     Set the default name server to be used by all queries. The default is localhost.

	      -protocol tcp|udp
		     Set the default network protocol to be used. Default is tcp.

	      -port portnum
		     Set the default port to use on the name server. The default is 53.

	      -search domainlist
		     Set the domain search list. This is currently not used.

	      -timeout milliseconds
		     Set the default timeout value for DNS lookups. Default is 30 seconds.

	      -loglevel level
		     Set  the  log  level  used  for  emitting diagnostic messages from this package. The default is warn. See the log package for
		     details of the available levels.

       ::dns::name token
	      Returns a list of all domain names returned as an answer to your query.

       ::dns::address token
	      Returns a list of the address records that match your query.

       ::dns::cname token
	      Returns a list of canonical names (usually just one) matching your query.

       ::dns::result token
	      Returns a list of all the decoded answer records provided for your query. This permits you to extract the result	for  more  unusual
	      query types.

       ::dns::status token
	      Returns the status flag. For a successfully completed query this will be ok. May be error or timeout or eof.  See also ::dns::error

       ::dns::error token
	      Returns  the  error  message  provided  for  requests  whose  status is error.  If there is no error message then an empty string is
	      returned.

       ::dns::reset token
	      Reset or cancel a DNS query.

       ::dns::wait token
	      Wait for a DNS query to complete and return the status upon completion.

       ::dns::cleanup token
	      Remove all state variables associated with the request.

       ::dns::nameservers
	      Attempts to return a list of the nameservers currently configured  for  the  users  system.  On  a  unix	machine  this  parses  the
	      /etc/resolv.conf	file  for  nameservers (if it exists) and on Windows systems we examine certain parts of the registry. If no name-
	      server can be found then the loopback address (127.0.0.1) is used as a default.

EXAMPLES

       % set tok [dns::resolve www.tcl.tk]
       ::dns::1
       % dns::status $tok
       ok
       % dns::address $tok
       199.175.6.239
       % dns::name $tok
       www.tcl.tk
       % dns::cleanup $tok

       Using DNS URIs as queries:

       % set tok [dns::resolve "dns:tcl.tk;type=MX"]
       % set tok [dns::resolve "dns://l.root-servers.net/www.tcl.tk"]

       Reverse address lookup:

       % set tok [dns::resolve 127.0.0.1]
       ::dns::1
       % dns::name $tok
       localhost
       % dns::cleanup $tok

REFERENCES

       [1]    Mockapetris, P., "Domain Names - Concepts and Facilities", RFC 1034, November 1987.  (http://www.ietf.org/rfc/rfc1034.txt)

       [2]    Mockapetris, P., "Domain Names - Implementation and Specification", RFC 1035, November 1087.  (http://www.ietf.org/rfc/rfc1035.txt)

       [3]    Thompson,   S.   and   Huitema,	C.,   "DNS   Extensions   to   support	 IP    version	  6",	 RFC	1886,	 December    1995.
	      (http://www.ietf.org/rfc/rfc1886.txt)

       [4]    Josefsson,  S.,  "Domain	Name  System  Uniform  Resource Identifiers", Internet-Draft, October 2003, (http://www.ietf.org/internet-
	      drafts/draft-josefsson-dns-url-09.txt)

       [5]    Gulbrandsen, A., Vixie, P. and Esibov, L., "A DNS RR for specifying the location of services (DNS SRV)", RFC  2782,  February  2000,
	      (http://www.ietf.org/rfc/rfc2782.txt)

       [6]    Ohta, M. "Incremental Zone Transfer in DNS", RFC 1995, August 1996, (http://www.ietf.org/rfc/rfc1995.txt)

AUTHORS

       Pat Thoyts

BUGS, IDEAS, FEEDBACK
       This  document,	and the package it describes, will undoubtedly contain bugs and other problems.  Please report such in the category dns of
       the Tcllib SF Trackers [http://sourceforge.net/tracker/?group_id=12883].  Please also report any ideas for enhancements you  may  have  for
       either package and/or documentation.

SEE ALSO

       resolver(5)

KEYWORDS

       DNS, domain name service, resolver, rfc 1034, rfc 1035, rfc 1886

COPYRIGHT

       Copyright (c) 2002, Pat Thoyts

dns								       1.3.3								    dns(n)