New Adventures in DNSSEC and DANE
gandi-tlsa-glue -- add TLSA DNS records to your Gandi DNS
gandi-tlsa-glue -- add TLSA records to Gandi domains
gandi-tlsa-glue [-dhv] [-i cert|csr] [-p port] [-t ttl] file ...
The gandi-tlsa-glue tool allows you to add TLSA records to your Gandi
managed DNS zones.
The following options are supported by gandi-tlsa-glue:
-d          Don't do anything, just report what would be done.
-h          Display help and exit.
-i cert|csr Specify whether the input file is a certificate or a CSR.
            If not specified, defaults to 'cert'.
-p port     The port for which to add the record. If not specified,
            defaults to 443.
-t ttl      The TTL for the TLSA record. If not specified, defaults to
-v          Be verbose. Can be specified multiple times.
gandi-tlsa-glue expects input files to be x509 certificates in PEM format
(or, with -i csr, certificate signing requests). For each input file, it
will then extract all SANs, and for each SAN generate a TLSA record and
attempt to add the record to the Gandi DNS zone for the domain the SAN is
in.
The TLSA record will be of type "3 1 1" (certificate usage 3, selector 1,
matching type 1); that is, it will specify the SHA-256 hash of the Subject
Public Key of a Domain Issued Certificate.
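The record computation described above, as an added example that is not part of gandi-tlsa-glue itself: it loads a PEM certificate, collects the dNSName entries of the subjectAltName extension, hashes the DER-encoded SubjectPublicKeyInfo with SHA-256, and emits one "_port._tcp.name." owner with "3 1 1 <hex>" rdata per SAN. It assumes the third-party `cryptography` package; the Gandi API call is left out, and the self-signed certificate built by `make_test_certificate` is constructed sample input.

```python
"""Compute DANE TLSA "3 1 1" records for every SAN in a PEM certificate.

Added example, not the gandi-tlsa-glue source. Assumes the third-party
`cryptography` package. Records are returned as (owner, rdata) tuples that
could be handed to any DNS provider's API.
"""
from __future__ import annotations

import hashlib
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def spki_sha256_hex(cert: x509.Certificate) -> str:
    """Matching type 1 over selector 1: SHA-256 of the DER SubjectPublicKeyInfo.

    Hashing the SPKI rather than the full certificate keeps the record valid
    across renewals as long as the same key pair is reused.
    """
    spki_der = cert.public_key().public_bytes(
        serialization.Encoding.DER,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return hashlib.sha256(spki_der).hexdigest()


def san_dns_names(cert: x509.Certificate) -> list[str]:
    """All dNSName entries of the subjectAltName extension (empty if absent)."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return ext.value.get_values_for_type(x509.DNSName)


def tlsa_records(pem: bytes, port: int = 443, proto: str = "tcp") -> list[tuple[str, str]]:
    """Return (owner, rdata) pairs, one usage-3/selector-1/type-1 record per SAN,
    e.g. ('_443._tcp.www.example.com.', '3 1 1 <64 hex chars>')."""
    cert = x509.load_pem_x509_certificate(pem)
    rdata = f"3 1 1 {spki_sha256_hex(cert)}"
    return [(f"_{port}._{proto}.{name}.", rdata) for name in san_dns_names(cert)]


def make_test_certificate(names: list[str]) -> bytes:
    """Constructed sample input: a throwaway self-signed cert carrying the given SANs."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, names[0])])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=1))
        .add_extension(
            x509.SubjectAlternativeName([x509.DNSName(n) for n in names]),
            critical=False,
        )
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    # Constructed input: two SANs, so two records sharing one SPKI digest.
    pem = make_test_certificate(["example.com", "www.example.com"])
    for owner, rdata in tlsa_records(pem):
        print(f"{owner} IN TLSA {rdata}")
```

Run it as-is to see the two records; pass a real certificate's PEM bytes to `tlsa_records` (with `port=25` for an SMTP host) to reproduce what the tool would publish, which is also a handy way to check that a record already in the zone still matches the key currently served.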
The following invocations illustrate common usage of this tool.
To generate TLSA records for (the default) port 443 for all names found
in the certificate 'example.com.crt':
gandi-tlsa-glue example.com.crt
To verbosely generate TLSA records from the CSR for 'smtp.example.com'
for use with STARTTLS in an SMTP context (i.e., on port 25) with a TTL of
86400 seconds:
gandi-tlsa-glue -v -v -v -i csr -t 86400 -p 25 smtp.example.com.csr
The gandi-tlsa-glue utility exits 0 on success, and >0 if an error
occurs.
The following environment variables affect the execution of this tool:
GANDI_API_KEY The API key to access the Gandi API.
You can retrieve this key from the "Security" section in
the account admin panel at https://account.gandi.net/.
openssl_req(1), openssl_rsa(1), openssl_x509(1),
gandi-tlsa-glue was originally written by Jan Schaumann
<email@example.com> in May 2019.
Please file bugs and feature requests by emailing the author.