diff --git a/mk-tlsa-recs b/mk-tlsa-recs
index c21b85b..b4b7a29 100755
--- a/mk-tlsa-recs
+++ b/mk-tlsa-recs
@@ -1,13 +1,16 @@
 #! /bin/bash
-# @(#)(CAcert) $Id: mk-tlsa-recs,v 1.1 2015/12/09 10:37:58 root Exp $
+# @(#)(CAcert) $Id: mk-tlsa-recs,v 1.2 2019/04/02 15:37:17 root Exp $
 # mk-tlsa-recs - generate TLSA records for domains found in the certs subdirectory
+LDNS_DANE=/usr/bin/ldns-dane
+
 PORT=443 # HTTPS
 USAGE=3 # 0: CA constraint
 # 1: Service certificate constraint
 # 2: Trust anchor assertion
 # 3: Domain-issued certificate
+ALT_USAGE=2
 SELECTOR=1 # 0: Full certificate
 # 1: SubjectPublicKeyInfo
@@ -18,7 +21,11 @@ TYPE=1 # 0: No hash used
 for crt in certs/*.crt
 do
+ test -L ${crt} || continue
 DOMAIN=`basename ${crt} .crt`
- /usr/local/bin/ldns-dane -c ${crt} create \
- ${DOMAIN} ${PORT} ${USAGE} ${SELECTOR} ${TYPE}
+ for usage in ${USAGE} ${ALT_USAGE}
+ do
+ ${LDNS_DANE} -c ${crt} create \
+ ${DOMAIN} ${PORT} ${usage} ${SELECTOR} ${TYPE}
+ done
 done
diff --git a/mk-tlsa-recs.log b/mk-tlsa-recs.log
index 21f62b4..49806ca 100644
--- a/mk-tlsa-recs.log
+++ b/mk-tlsa-recs.log
@@ -1,16 +1,23 @@
 RCS file: /var/opendnssec/unsigned/RCS/mk-tlsa-recs,v
 Working file: /var/opendnssec/unsigned/mk-tlsa-recs
-head: 1.1
+head: 1.2
 branch:
 locks: strict
 access list:
 symbolic names:
 keyword substitution: kv
-total revisions: 1; selected revisions: 1
+total revisions: 2; selected revisions: 2
 description:
 mk-tlsa-recs - generate TLSA records for domains found in the certs subdirectory
 ----------------------------
+revision 1.2
+date: 2019/04/02 15:37:17; author: root; state: Exp; lines: +10 -3
+Updates:
+- use ldns-dane from /usr/bin (parametrized)
+- only generate TLSA records for symlink'ed certificates
+- generate both domain and trust anchor TLSA records
+----------------------------
 revision 1.1
 date: 2015/12/09 10:37:58; author: root; state: Exp;
 Initial revision
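Review bot: The new inner loop in the second hunk of mk-tlsa-recs never checks the exit status of `${LDNS_DANE} ... create`, and the script has no `set -e`, so a certificate that fails to parse, or a dangling symlink (which `test -L` still accepts), silently yields no TLSA record for that usage while the script exits 0 and the zone is published incomplete; I would tighten the guard to `[[ -L "$crt" && -r "$crt" ]] || continue` and follow the create call with `|| { printf 'ldns-dane failed for %s usage %s\n' "$crt" "$usage" >&2; exit 1; }`. Emitting a usage-2 (DANE-TA) record from the same file as the usage-3 (DANE-EE) record, as `ALT_USAGE=2` in the first hunk now does, is only meaningful if that file holds the issuing CA certificate rather than the leaf; if the symlinks point at end-entity certs the trust-anchor record is not expected to validate any chain, so a comment such as `# ALT_USAGE=2 assumes certs/*.crt is the issuer CA cert, not the leaf` would make the assumption explicit. The expansions `${crt}`, `${DOMAIN}` and the backtick `basename` are unquoted throughout the hunk; `DOMAIN=$(basename -- "$crt" .crt)` is the idiomatic form and also stops a filename beginning with `-` from being read as an option.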