author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2013-03-01 16:54:12 +0100 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2013-03-01 17:28:24 +0100 |
commit | e83a184c54c9c705306ba4941f5600620cd3b597 (patch) | |
tree | ad1b81e90b02f83e0f3615dd579c36722c1a0523 /doc | |
parent | 754daa7f4fe9dc125c9de24e60e16b7c9c431131 (diff) | |
download | gnutls-e83a184c54c9c705306ba4941f5600620cd3b597.tar.gz |
Added verify flags for DANE to enforce verification and restrict it to a field.
Diffstat (limited to 'doc')
-rw-r--r-- | doc/invoke-danetool.texi | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/doc/invoke-danetool.texi b/doc/invoke-danetool.texi index 0aa41ebeba..cb34077cd7 100644 --- a/doc/invoke-danetool.texi +++ b/doc/invoke-danetool.texi @@ -6,7 +6,7 @@ # # DO NOT EDIT THIS FILE (invoke-danetool.texi) # -# It has been AutoGen-ed January 18, 2013 at 06:50:16 PM by AutoGen 5.16 +# It has been AutoGen-ed March 1, 2013 at 05:06:53 PM by AutoGen 5.16 # From the definitions ../src/danetool-args.def # and the template file agtexi-cmd.tpl @end ignore @@ -49,6 +49,8 @@ USAGE: danetool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... --dlv=str Sets a DLV file --hash=str Hash algorithm to use for signing. --check=str Check a host's DANE TLSA entry. + --check-ee Check only the end-entity's certificate. + --check-ca Check only the CA's certificate. --insecure Do not verify any DNSSEC signature. --local-dns Use the local DNS server for DNSSEC resolving. - disabled as --no-local-dns @@ -115,7 +117,17 @@ Available hash functions are SHA1, RMD160, SHA256, SHA384, SHA512. This is the ``check a host's dane tlsa entry.'' option. This option takes an argument string. -Obtains the DANE TLSA entry from the given hostname and prints information. +Obtains the DANE TLSA entry from the given hostname and prints information. Note that the actual certificate of the host has to be provided using --load-certificate. +@anchor{danetool check-ee} +@subsubheading check-ee option + +This is the ``check only the end-entity's certificate.'' option. +Checks the end-entity's certificate only. Trust anchors or CAs are not considered. +@anchor{danetool check-ca} +@subsubheading check-ca option + +This is the ``check only the ca's certificate.'' option. +Checks the trust anchor's and CA's certificate only. End-entities are not considered. @anchor{danetool insecure} @subsubheading insecure option |
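Review bot: In the usage listing hunk (@@ -49,6 +49,8 @@), the new `--check-ee` and `--check-ca` lines do not say whether they only take effect together with `--check=str`, or what happens when both are given at once. A short qualifier on each line, for example "With --check, check only the end-entity's certificate.", would let a reader of the usage text alone see that these narrow an existing verification rather than start one.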
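Review bot: In the option description hunk (@@ -115,7 +117,17 @@), the added sentence puts `--load-certificate` in running text, where Texinfo typesets a bare `--` as an en dash in printed output; wrap it as `@option{--load-certificate}`. The file header says it is generated from `../src/danetool-args.def`, so the markup belongs there, not in this file. Two smaller points in the same hunk: the check-ca body says "Checks the trust anchor's and CA's certificate only" while its title and the usage line mention only the CA, so pick one wording; and neither new section states the result when a host's TLSA entry has no record of the selected kind, which matters for flags meant to enforce verification.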