dane_raw_tlsa - Linux


Overview

dane_raw_tlsa is a Unix command-line utility for working with DANE TLSA records (RFC 6698, DNS-Based Authentication of Named Entities) published in the DNS. It connects to a TLS server, takes the certificate the server presents, and checks whether that certificate (or its public key) matches the TLSA record published for the service. DANE only gives an assurance when the DNS answer itself is trustworthy, so the TLSA lookup should be DNSSEC-validated; a TLSA record obtained without validation proves nothing about the server.

Syntax

dane_raw_tlsa [-a a] [-h] [-s hostname] [-p port] [-d domain] [-p protocol] [-q queries]

Options/Flags

  • -a a Raw TLSA record to check against, in the presentation form of RFC 6698 section 2.2: certificate usage, selector, matching type and the hex association data (for example `3 1 1 <sha256-hex>`)
  • -h Display help and usage information
  • -s hostname Server to connect to
  • -p port TCP port to connect to (default: 443); together with the name it determines the TLSA owner name, `_443._tcp.<name>` for HTTPS
  • -d domain Domain name whose TLSA record is verified (default: the hostname given with -s)
  • -p protocol Protocol to use (default: tls, meaning a TLS handshake immediately on connect; services that upgrade with STARTTLS, such as SMTP on port 25, need a different protocol setting). Note that this listing shows -p for both port and protocol; run `dane_raw_tlsa -h` on the installed build to see which flag actually selects the protocol
  • -q queries Which checks to run (default: all)

Examples

  • Verify the TLSA record for the website example.com (HTTPS on port 443, i.e. the record at `_443._tcp.example.com`):
dane_raw_tlsa -d example.com
  • Verify the TLSA record for an SMTP server on port 25 (the record at `_25._tcp.mail.example.com`). Port 25 does not speak TLS on connect; SMTP upgrades the session with STARTTLS, so the default protocol tls will fail to handshake and the protocol option must be set accordingly:
dane_raw_tlsa -s mail.example.com -p 25
  • Run every check against all TLSA records in the RRset for a domain:
dane_raw_tlsa -d example.com -q all

Common Issues

  • Error connecting to server: Ensure that the hostname resolves, the port is open, and the service actually offers TLS on connect. Services that start in cleartext and upgrade with STARTTLS (SMTP, IMAP and POP3 on their non-TLS ports) will not complete a handshake unless the protocol option is set for them.
  • No TLSA records found: TLSA records live at `_<port>._tcp.<hostname>` (for example `_443._tcp.www.example.com`), so a record published for a different port, transport, or for the CNAME target rather than the alias will not be found. Confirm with dig that the expected owner name has a TLSA RRset and that the answer carries the AD flag from a validating resolver.
  • TLSA records do not match certificate: The record fields determine what is compared. Certificate usage 3 (DANE-EE) or 1 (PKIX-EE) refer to the leaf certificate, usage 2 (DANE-TA) or 0 (PKIX-TA) to a CA in the chain; selector 0 covers the whole certificate, selector 1 only the SubjectPublicKeyInfo; matching type 0 is an exact copy, 1 a SHA-256 and 2 a SHA-512 digest. The most common operational cause of a mismatch is certificate renewal: a `3 0 1` record (hash of the full certificate) breaks on every reissue, whereas `3 1 1` (hash of the public key) survives renewals that keep the same key. When the key does change, publish the new record alongside the old one before switching certificates, and keep the old one until the DNS TTL has expired.
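The check described in the Overview and the mismatch case above come down to one computation: derive the association data for a certificate from the record's selector and matching type, then compare it with the hex in the record. The following Python is an added example of that computation and is not dane_raw_tlsa's own source. It implements every selector and matching-type combination defined in RFC 6698, extracts the SubjectPublicKeyInfo with a minimal DER walk (no third-party library), and compares with a constant-time comparison. The certificate it runs against is a constructed, structurally valid DER stub with placeholder fields, not a real certificate; against a live server you would pass the DER certificate obtained from openssl s_client instead.

```python
"""Check a raw TLSA record (RFC 6698 presentation form) against a DER certificate.
Added example, not the dane_raw_tlsa tool's code."""
import hashlib
import hmac

SEQ, INT, BITSTR, OID, NULL, CTX0 = 0x30, 0x02, 0x03, 0x06, 0x05, 0xA0


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value element."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_read_tlv(buf: bytes, pos: int):
    """Decode the element at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of a certificate (TLSA selector 1).

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = der_read_tlv(cert_der, 0)
    _, tbs, _ = der_read_tlv(cert_body, 0)
    tag, _, pos = der_read_tlv(tbs, 0)
    if tag != CTX0:          # no explicit version: the first element was the serial
        pos = 0
    for _ in range(5):       # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read_tlv(tbs, pos)
    tag, spki_body, _ = der_read_tlv(tbs, pos)
    if tag != SEQ:
        raise ValueError("SubjectPublicKeyInfo not found")
    return der_tlv(SEQ, spki_body)


def association_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Compute the bytes a TLSA record must carry for this certificate."""
    if selector == 0:
        data = cert_der                  # selector 0: full certificate
    elif selector == 1:
        data = extract_spki(cert_der)    # selector 1: SubjectPublicKeyInfo only
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching_type == 0:
        return data                      # matching type 0: exact copy
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def parse_raw_tlsa(record: str):
    """Parse 'usage selector mtype hex...' (hex may be split into groups)."""
    usage, selector, mtype, *hexparts = record.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def tlsa_matches(cert_der: bytes, record: str) -> bool:
    """True if the record's association data matches cert_der.

    Pass the end-entity certificate for usages 1 (PKIX-EE) and 3 (DANE-EE).
    Usages 0 (PKIX-TA) and 2 (DANE-TA) describe a CA in the chain, so pass
    that CA certificate instead.  Usages 0 and 1 additionally require normal
    PKIX validation, which this helper does not perform.
    """
    usage, selector, mtype, assoc = parse_raw_tlsa(record)
    if usage not in (0, 1, 2, 3):
        raise ValueError(f"unknown certificate usage {usage}")
    expected = association_data(cert_der, selector, mtype)
    return hmac.compare_digest(expected, assoc)   # False on length mismatch too


# Constructed sample: a structurally valid DER certificate with placeholder
# fields and an rsaEncryption-shaped public key.  Not a real, signed certificate.
SAMPLE_SPKI = der_tlv(
    SEQ,
    der_tlv(SEQ, der_tlv(OID, bytes.fromhex("2a864886f70d010101")) + der_tlv(NULL, b""))
    + der_tlv(BITSTR, b"\x00" + b"\x42" * 64),
)


def build_sample_cert() -> bytes:
    tbs = der_tlv(
        SEQ,
        der_tlv(CTX0, der_tlv(INT, b"\x02"))   # [0] version v3
        + der_tlv(INT, b"\x01")                # serialNumber
        + der_tlv(SEQ, b"")                    # signature algorithm (placeholder)
        + der_tlv(SEQ, b"")                    # issuer (placeholder)
        + der_tlv(SEQ, b"")                    # validity (placeholder)
        + der_tlv(SEQ, b"")                    # subject (placeholder)
        + SAMPLE_SPKI,
    )
    return der_tlv(SEQ, tbs + der_tlv(SEQ, b"") + der_tlv(BITSTR, b"\x00"))


if __name__ == "__main__":
    cert = build_sample_cert()
    good = "3 1 1 " + association_data(cert, 1, 1).hex()
    print(good, tlsa_matches(cert, good))             # the record that matches
    print(tlsa_matches(cert, "3 1 1 " + "00" * 32))   # a stale record: False
```

`association_data(cert, 1, 1).hex()` is exactly what goes into a `3 1 1` record, which is why key-preserving renewals do not change it, while `association_data(cert, 0, 1)` changes on every reissue.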

Integration

dane_raw_tlsa can be used alongside other tools for TLS and DNS management, such as:

  • openssl: To retrieve the certificate a server presents (s_client) and to compute the certificate or public-key digest that a TLSA record must carry, so that a mismatch reported by dane_raw_tlsa can be traced to a specific field of the record
  • dig: To query the `_<port>._tcp.<hostname>` TLSA RRset directly and confirm that a validating resolver returns it with the AD flag set
  • bash: For scripting and automation, for example re-checking every published TLSA record after a certificate renewal

Related Commands

  • dig: DNS record lookup utility
  • openssl: TLS certificate management utility