summaryrefslogtreecommitdiff
path: root/man
diff options
context:
space:
mode:
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2016-02-17 21:08:57 -0500
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2016-02-18 11:41:40 -0500
commit82d1d24093e2f17cc6550e8f16be85fa4376c182 (patch)
treeeefe51390a9c2e8c7349587b234367bfac061f89 /man
parent5259c0559c8c0fe6ec54ac20f452fd7d106188c3 (diff)
systemd-resolve: easy querying of TLSA records
$ systemd-resolve --tlsa fedoraproject.org _443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A= -- Cert. usage: CA constraint -- Selector: Full Certificate -- Matching type: SHA-256 $ systemd-resolve --tlsa=tcp fedoraproject.org:443 _443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A= ... $ systemd-resolve --tlsa=udp fedoraproject.org _443._udp.fedoraproject.org: resolve call failed: '_443._udp.fedoraproject.org' not found v2: - use uint16_t - refuse port 0
Diffstat (limited to 'man')
-rw-r--r--man/systemd-resolve.xml40
1 files changed, 39 insertions, 1 deletions
diff --git a/man/systemd-resolve.xml b/man/systemd-resolve.xml
index c288fd974e..320663ce69 100644
--- a/man/systemd-resolve.xml
+++ b/man/systemd-resolve.xml
@@ -86,6 +86,13 @@
<cmdsynopsis>
<command>systemd-resolve</command>
<arg choice="opt" rep="repeat">OPTIONS</arg>
+ <command> --tlsa</command>
+ <arg choice="plain"><replaceable>DOMAIN<optional>:PORT</optional></replaceable></arg>
+ </cmdsynopsis>
+
+ <cmdsynopsis>
+ <command>systemd-resolve</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
<command> --statistics</command>
</cmdsynopsis>
@@ -121,10 +128,15 @@
is assumed to be a domain name, that is already prefixed with an SRV type, and an SRV lookup is done (no
TXT).</para>
- <para>The <option>--openpgp</option> switch may be use to query PGP keys stored as the
+ <para>The <option>--openpgp</option> switch may be used to query PGP keys stored as
<ulink url="https://tools.ietf.org/html/draft-wouters-dane-openpgp-02">OPENPGPKEY</ulink> resource records.
When this option is specified one or more e-mail address must be specified.</para>
+ <para>The <option>--tlsa</option> switch maybe be used to query TLS public
+ keys stored as
+ <ulink url="https://tools.ietf.org/html/rfc6698">TLSA</ulink> resource records.
+ When this option is specified one or more domain names must be specified.</para>
+
<para>The <option>--statistics</option> switch may be used to show resolver statistics, including information about
the number of successful and failed DNSSEC validations.</para>
@@ -217,6 +229,20 @@
</varlistentry>
<varlistentry>
+ <term><option>--tlsa</option></term>
+
+ <listitem><para>Enables TLSA resource record resolution (see above).
+ A query will be performed for each of the specified names prefixed with
+ the port and family
+ (<literal>_<replaceable>port</replaceable>._<replaceable>family</replaceable>.<replaceable>domain</replaceable></literal>).
+ The port number may be specified after a colon
+ (<literal>:</literal>), otherwise <constant>443</constant> will be used
+ by default. The family may be specified as an argument after
+ <option>--tlsa</option>, otherwise <constant>tcp</constant> will be
+ used.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><option>--cname=</option><replaceable>BOOL</replaceable></term>
<listitem><para>Takes a boolean parameter. If true (the default), DNS CNAME or DNAME redirections are
@@ -325,6 +351,18 @@ d08ee310438ca124a6149ea5cc21b6313b390dce485576eff96f8722._openpgpkey.fedoraproje
...
</programlisting>
</example>
+
+ <example>
+ <title>Retrieve a TLS key (<literal>=tcp</literal> and
+ <literal>:443</literal> could be skipped)</title>
+
+ <programlisting>$ systemd-resolve --tlsa=tcp fedoraproject.org:443
+_443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A=
+ -- Cert. usage: CA constraint
+ -- Selector: Full Certificate
+ -- Matching type: SHA-256
+</programlisting>
+ </example>
</refsect1>
<refsect1>