Updates for mk-tlsa-recs script:
- use ldns-dane from /usr/bin (parametrized)
- only generate TLSA records for symlink'ed certificates
- generate both domain and trust anchor TLSA records

git-svn-id: http://svn.cacert.org/CAcert/SystemAdministration/ns/var/opendnssec/unsigned@2728 14b1bab8-4ef6-0310-b690-991c95c89dfd
parent
ef022f1e09
commit
e4637553b6
2 changed files with 19 additions and 5 deletions
13
mk-tlsa-recs
13
mk-tlsa-recs
|
@ -1,13 +1,16 @@
|
||||||
#! /bin/bash
|
#! /bin/bash
|
||||||
# @(#)(CAcert) $Id: mk-tlsa-recs,v 1.1 2015/12/09 10:37:58 root Exp $
|
# @(#)(CAcert) $Id: mk-tlsa-recs,v 1.2 2019/04/02 15:37:17 root Exp $
|
||||||
# mk-tlsa-recs - generate TLSA records for domains found in the certs subdirectory
|
# mk-tlsa-recs - generate TLSA records for domains found in the certs subdirectory
|
||||||
|
|
||||||
|
LDNS_DANE=/usr/bin/ldns-dane
|
||||||
|
|
||||||
PORT=443 # HTTPS
|
PORT=443 # HTTPS
|
||||||
|
|
||||||
USAGE=3 # 0: CA constraint
|
USAGE=3 # 0: CA constraint
|
||||||
# 1: Service certificate constraint
|
# 1: Service certificate constraint
|
||||||
# 2: Trust anchor assertion
|
# 2: Trust anchor assertion
|
||||||
# 3: Domain-issued certificate
|
# 3: Domain-issued certificate
|
||||||
|
ALT_USAGE=2
|
||||||
|
|
||||||
SELECTOR=1 # 0: Full certificate
|
SELECTOR=1 # 0: Full certificate
|
||||||
# 1: SubjectPublicKeyInfo
|
# 1: SubjectPublicKeyInfo
|
||||||
|
@ -18,7 +21,11 @@ TYPE=1 # 0: No hash used
|
||||||
|
|
||||||
for crt in certs/*.crt
|
for crt in certs/*.crt
|
||||||
do
|
do
|
||||||
|
test -L ${crt} || continue
|
||||||
DOMAIN=`basename ${crt} .crt`
|
DOMAIN=`basename ${crt} .crt`
|
||||||
/usr/local/bin/ldns-dane -c ${crt} create \
|
for usage in ${USAGE} ${ALT_USAGE}
|
||||||
${DOMAIN} ${PORT} ${USAGE} ${SELECTOR} ${TYPE}
|
do
|
||||||
|
${LDNS_DANE} -c ${crt} create \
|
||||||
|
${DOMAIN} ${PORT} ${usage} ${SELECTOR} ${TYPE}
|
||||||
|
done
|
||||||
done
|
done
|
||||||
|
|
|
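Review bot: The exit status of the rewritten `${LDNS_DANE} -c ${crt} create ...` invocation in the second hunk is never checked and the visible header sets no `set -e`, so a missing binary (the path is now fixed to /usr/bin/ldns-dane), an unreadable certificate or a dangling symlink (which the new `test -L ${crt}` guard lets through) silently yields an incomplete set of TLSA records while the script still exits 0; because these records are the DANE policy that validating clients will enforce, a partial set is worse than a failed run. Every expansion in the loop is also unquoted, so a certificate name containing whitespace or glob characters would be split or expanded. I would write the inner command as `"${LDNS_DANE}" -c "${crt}" create "${DOMAIN}" "${PORT}" "${usage}" "${SELECTOR}" "${TYPE}" || { echo "mk-tlsa-recs: ldns-dane failed for ${crt}" >&2; exit 1; }` and tighten the guard to `[[ -L "${crt}" && -r "${crt}" ]] || continue`. Separately, the new usage-2 (trust anchor assertion) record is derived from the same file as the usage-3 record; as far as I can tell this is only meaningful if that file also carries the issuing CA certificate clients should treat as the anchor, so a comment next to `ALT_USAGE=2` stating which certificate the record is expected to match would save the next maintainer from guessing.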
@ -1,16 +1,23 @@
|
||||||
|
|
||||||
RCS file: /var/opendnssec/unsigned/RCS/mk-tlsa-recs,v
|
RCS file: /var/opendnssec/unsigned/RCS/mk-tlsa-recs,v
|
||||||
Working file: /var/opendnssec/unsigned/mk-tlsa-recs
|
Working file: /var/opendnssec/unsigned/mk-tlsa-recs
|
||||||
head: 1.1
|
head: 1.2
|
||||||
branch:
|
branch:
|
||||||
locks: strict
|
locks: strict
|
||||||
access list:
|
access list:
|
||||||
symbolic names:
|
symbolic names:
|
||||||
keyword substitution: kv
|
keyword substitution: kv
|
||||||
total revisions: 1; selected revisions: 1
|
total revisions: 2; selected revisions: 2
|
||||||
description:
|
description:
|
||||||
mk-tlsa-recs - generate TLSA records for domains found in the certs subdirectory
|
mk-tlsa-recs - generate TLSA records for domains found in the certs subdirectory
|
||||||
----------------------------
|
----------------------------
|
||||||
|
revision 1.2
|
||||||
|
date: 2019/04/02 15:37:17; author: root; state: Exp; lines: +10 -3
|
||||||
|
Updates:
|
||||||
|
- use ldns-dane from /usr/bin (parametrized)
|
||||||
|
- only generate TLSA records for symlink'ed certificates
|
||||||
|
- generate both domain and trust anchor TLSA records
|
||||||
|
----------------------------
|
||||||
revision 1.1
|
revision 1.1
|
||||||
date: 2015/12/09 10:37:58; author: root; state: Exp;
|
date: 2015/12/09 10:37:58; author: root; state: Exp;
|
||||||
Initial revision
|
Initial revision
|
||||||
|
|