dane_query_entries - Linux
Overview
The dane_query_entries command queries a DNSSEC-enabled domain name system (DNS) to retrieve Domain Name System Security Extensions (DNSSEC) Authenticated Name Entries (ANEs) and Certificate Authorities (CAs). It’s used to verify the authenticity and integrity of DNS records by comparing them against the trusted DNSSEC root zone.
Syntax
dane_query_entries [-v] [-d] [-n] [-t TYPE] [-e EXPR] [NAME]
Options/Flags
-v: Prints verbose output with additional information.
-d: Prints delegating name server (NS) records.
-n: Prints raw TLSA and CAA records instead of ANEs.
-t TYPE: Specifies the type of record to query (e.g., _443._tcp.example.com).
-e EXPR: Specifies a filtering expression (e.g., port=443).
Examples
Query for all ANEs in example.com
dane_query_entries example.com
Query for the _443._tcp.example.com ANE
dane_query_entries -t _443._tcp example.com
Query for CAA records with *.example.com
dane_query_entries -n '*_tcp.example.com'
Common Issues
- No ANEs found: Check if the queried domain is DNSSEC-enabled and has valid ANEs configured.
- Inconsistent results: Make sure to use a DNSSEC-validating resolver.
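The resolver check from the list above, as an added example that is not part of the original page and does not use dane_query_entries itself: it reads saved output from dig (listed under Related Commands), confirms the resolver set the AD flag, and only then prints the TLSA fields. The sample dig output is constructed and the function names are hypothetical.

```shell
# Input: text saved from `dig +dnssec TLSA _443._tcp.example.com`.
# CONSTRUCTED sample output; digest and RRSIG values are made up.
sample_validated() {
cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
_443._tcp.example.com. 3600 IN TLSA 3 1 1 0f1e2d3c4b5a69788796a5b4c3d2e1f0 0f1e2d3c4b5a69788796a5b4c3d2e1f0
_443._tcp.example.com. 3600 IN RRSIG TLSA 13 4 3600 20300101000000 20291201000000 12345 example.com. c2FtcGxl
EOF
}

# Succeeds only when status is NOERROR and the resolver set the AD flag,
# meaning it DNSSEC-validated the answer.
is_validated() {
    awk '
        /^;; ->>HEADER<<-/ && /status: NOERROR/ { ok = 1 }
        /^;; flags:/ {
            sub(/^;; flags:/, ""); sub(/;.*/, "")
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        END { exit !(ok && ad) }
    '
}

# Prints "usage selector matching-type data" per TLSA answer; fails if a
# digest length does not fit its matching type (1 = SHA-256, 2 = SHA-512).
tlsa_records() {
    awk '
        $3 == "IN" && $4 == "TLSA" && NF >= 8 {
            data = $8
            for (i = 9; i <= NF; i++) data = data $i  # dig splits long hex
            want = ($7 == 1) ? 64 : (($7 == 2) ? 128 : 0)
            if (want && length(data) != want) { bad = 1; next }
            print $5, $6, $7, tolower(data)
        }
        END { exit bad + 0 }
    '
}

# Reads dig output on stdin; refuses to print TLSA data that was not validated.
check_tlsa() {
    out=$(cat)
    printf '%s\n' "$out" | is_validated || {
        echo "UNVALIDATED: AD flag missing, do not trust TLSA data" >&2
        return 2
    }
    printf '%s\n' "$out" | tlsa_records
}
sample_validated | check_tlsa
```

The AD flag is only meaningful when the path to the resolver is itself trusted, for example a validating resolver running on localhost.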
Integration
dane_query_entries integrates with other tools:
- dnssec-trigger: Monitor DNSSEC changes.
- dnssec-update: Update DNSSEC records.
Related Commands
- dig: Query DNS records.
- dnssec-keygen: Generate DNSSEC keys.
- DNSSEC Validator: Validate DNSSEC records.