ldns-dane - Online Linux Manual Page
Section : 1
Updated : 17 September 2012

NAME
       ldns-dane - verify or create TLS authentication with DANE (RFC6698)

SYNOPSIS
       ldns-dane [OPTIONS] verify name port
       ldns-dane [OPTIONS] -t tlsafile verify
       ldns-dane [OPTIONS] name port create
                 [ Certificate-usage [ Selector [ Matching-type ] ] ]
       ldns-dane -h
       ldns-dane -v

DESCRIPTION
       In the first form: A TLS connection to name:port is established. The
       TLSA resource record(s) for name are used to authenticate the
       connection.

       In the second form: The TLSA record(s) are read from tlsafile and used
       to authenticate the TLS service they reference.

       In the third form: A TLS connection to name:port is established and
       used to create the TLSA resource record(s) that would authenticate the
       connection. The parameters for TLSA rr creation are:

       Certificate-usage:
              CA constraint
              Service certificate constraint
              Trust anchor assertion
              Domain-issued certificate (default)

       Selector:
              Full certificate (default)
              SubjectPublicKeyInfo

       Matching-type:
              No hash used
              SHA-256 (default)
              SHA-512

       Instead of numbers, the first few letters of the value may be used,
       except for the hash algorithm name, where the full name must be
       specified.

OPTIONS
       -4     TLS connect IPv4 only

       -6     TLS connect IPv6 only

       -a address
              Don't try to resolve name, but connect to address instead.
              This option may be given more than once.

       -b     print "name. TYPE52 of TLSA presentation format.

       -c certfile
              Do not TLS connect to name:port, but authenticate (or make
              TLSA records) for the certificate (chain) in certfile instead.

       -d     Assume DNSSEC validity even when the TLSA records were
              acquired insecure or were bogus.

       -f CAfile
              Use CAfile to validate. Default is
              /etc/pki/tls/certs/ca-bundle.trust.crt

       -h     Print short usage help

       -i     Interact after connecting.

       -k keyfile
              Specify a file that contains a trusted DNSKEY or DS rr. Key(s)
              are used when chasing signatures (i.e. -S is given). This
              option may be given more than once.

              Alternatively, if -k is not specified, and a default trust
              anchor (/var/lib/unbound/root.key) exists and contains a valid
              DNSKEY or DS record, it will be used as the trust anchor.

       -n     Do not verify server name in certificate.

       -o offset
              When creating a "Trust anchor assertion" TLSA resource record,
              select the offsetth certificate offset from the end of the
              validation chain. 0 means the last certificate, 1 the one but
              last, 2 the second but last, etc.

              When offset is -1 (the default), the last certificate is used
              (like with 0) that MUST be self-signed. This can help to make
              sure that the intended (self-signed) trust anchor is actually
              present in the server certificate chain (which is a DANE
              requirement).

       -p CApath
              Use certificates in the CApath directory to validate. Default
              is /etc/pki/tls/certs/

       -s     When creating TLSA resource records with the "CA Constraint"
              and the "Service Certificate Constraint" certificate usage, do
              not validate and assume PKIX is valid.

              For "CA Constraint" this means that verification should end
              with a self-signed certificate.

       -S     Chase signature(s) to a known key.

              Without this option, the local network is trusted to provide a
              DNSSEC resolver (i.e. AD bit is checked).

       -t tlsafile
              Read TLSA record(s) from tlsafile. When name and port are also
              given, only TLSA records that match the name, port and
              transport are used. Otherwise the owner name of the TLSA
              record(s) will be used to determine name, port and transport.

       -u     Use UDP transport instead of TCP.

       -v     Show version and exit.
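
Added example, not part of the ldns manual page or the ldns code: how the records read with -t tlsafile map to a name, port and transport through their owner name, and how Certificate-usage, Selector and Matching-type decide which bytes a record must carry to match a certificate. It uses the RFC 6698 numeric values for the parameters named in the DESCRIPTION; the function names, the stand-in certificate bytes and the example.com records are assumptions, and the caller is assumed to supply the certificate and its SubjectPublicKeyInfo already DER-encoded.

```python
import hashlib
import re

# Numeric values from RFC 6698, named as in the DESCRIPTION of this page.
USAGE = {0: "CA constraint", 1: "Service certificate constraint",
         2: "Trust anchor assertion", 3: "Domain-issued certificate"}
SELECTOR = {0: "Full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING = {0: None, 1: hashlib.sha256, 2: hashlib.sha512}  # 0 = no hash used
OWNER = re.compile(r"^_(\d+)\._(tcp|udp|sctp)\.(.+)$", re.I)

def parse_tlsa(line):
    """Parse one presentation-format TLSA line (hypothetical helper)."""
    fields = line.split(";", 1)[0].split()
    i = [f.upper() for f in fields].index("TLSA")  # ValueError if absent
    usage, selector, mtype = (int(f) for f in fields[i + 1:i + 4])
    if usage not in USAGE or selector not in SELECTOR or mtype not in MATCHING:
        raise ValueError("unsupported TLSA parameters: " + line)
    m = OWNER.match(fields[0])
    if not m:
        raise ValueError("owner is not _port._transport.name: " + fields[0])
    return {"port": int(m.group(1)), "transport": m.group(2).lower(),
            "name": m.group(3).rstrip(".").lower(),
            "usage": usage, "selector": selector, "mtype": mtype,
            "data": bytes.fromhex("".join(fields[i + 4:]))}

def association_data(cert_der, spki_der, selector, mtype):
    """Bytes a TLSA record with this selector/matching type must carry."""
    selected = cert_der if selector == 0 else spki_der
    return selected if mtype == 0 else MATCHING[mtype](selected).digest()

def matching_records(lines, cert_der, spki_der, name=None, port=None):
    """Records, optionally filtered by name and port, that match the cert."""
    hits = []
    for rr in map(parse_tlsa, lines):
        wanted = (name.rstrip(".").lower(), port) if name is not None else None
        if wanted is not None and (rr["name"], rr["port"]) != wanted:
            continue
        if rr["data"] == association_data(cert_der, spki_der,
                                          rr["selector"], rr["mtype"]):
            hits.append(rr)
    return hits

# Constructed sample input: stand-in bytes, not a real certificate.
CERT_DER = b"constructed-certificate-der"
SPKI_DER = b"constructed-spki-der"
TLSA_FILE = [
    "_443._tcp.www.example.com. 3600 IN TLSA 3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest(),
    "_25._tcp.mail.example.com. IN TLSA 3 0 2 " + hashlib.sha512(b"other").hexdigest(),
]
```

Matching only selects which records agree with the certificate; what a match means for chain validation still depends on the Certificate-usage value and on whether the TLSA answer was DNSSEC-validated (see -d and -S).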

FILES
       /var/lib/unbound/root.key
              The file from which trusted keys are loaded for signature
              chasing, when no -k option is given.

SEE ALSO
       unbound-anchor(8)

AUTHOR
       Written by the ldns team as an example for ldns usage.

REPORTING BUGS
       Report bugs to ldns-team@nlnetlabs.nl.

COPYRIGHT
       Copyright (C) 2012 NLnet Labs. This is free software. There is NO
       warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
       PURPOSE.