Skip to content
add TLSA records to Gandi domains
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
doc
src
README.md

README.md

New Adventures in DNSSEC and DANE

gandi-tlsa-glue -- add TLSA DNS records to your Gandi DNS

NAME
     gandi-tlsa-glue -- add TLSA records to Gandi domains

SYNOPSIS
     gandi-tlsa-glue [-dhv] [-i cert|csr] [-p port] [-t ttl] file ...

DESCRIPTION
     The gandi-tlsa-glue tool allows you to add TLSA records to your Gandi
     managed DNS zones.

OPTIONS
     The following options are supported by gandi-tlsa-glue:

     -d		  Don't do anything, just report what would be done.

     -h		  Display help and exit.

     -i cert|csr  Specify whether the input file is a certificate or a CSR.
		  If not specified, default to 'cert'.

     -p port	  The port for which to add the record.	 If not specified,
		  defaults to 443.

     -t ttl	  The TTL for the TLSA record.	If not specified, defaults to
		  3600.

     -v		  Be verbose.  Can be specified multiple times.

DETAILS
     gandi-tlsa-glue expects input files to be x509 certificates in PEM for-
     mat.  For each input file, it will then extract all SANs, and for each
     SAN generate a TLSA record and attempt to add the record to the Gandi DNS
     zone for the domain the SAN is in.

     The TLSA record will be of type "3 1 1"; that is, it will specify the
     SHA-256 hash of the Subject Public Key of a Domain Issued Certificate.

EXAMPLES
     The following invocations illustrate common usage of this tool.

     To generate TLSA records for (the default) port 443 for all names found
     in the certificate 'example.com.crt':

	   gandi-tlsa-glue example.com.crt

     To verbosely generate TLSA records from the CSR for 'smtp.example.com'
     for use with STARTTLS in an SMTP context (i.e., on port 25) with a TTL of
     24 hours:

	   gandi-tlsa-glue -v -v -v -i csr -t 86400 -p 25 smtp.example.com.csr

EXIT STATUS
     The gandi-tlsa-glue utility exits 0 on success, and >0 if an error
     occurs.

ENVIRONMENT
     The following environment variables affect the execution of this tool:

     GANDI_API_KEY  The API key to access the Gandi API.

		    You can retrieve this key from the "Security" section in
		    the account admin panel at https://account.gandi.net/.

SEE ALSO
     openssl_req(1), openssl_rsa(1), openssl_x509(1),
     http://doc.livedns.gandi.net/

HISTORY
     gandi-tlsa-glue was originally written by Jan Schaumann
     <jschauma@netmeister.org> in May 2019.

BUGS
     Please file bugs and feature requests by emailing the author.
You can’t perform that action at this time.