summaryrefslogtreecommitdiff
path: root/doc
diff options
context:
space:
mode:
Diffstat (limited to 'doc')
-rw-r--r--doc/invoke-certtool.texi2
-rw-r--r--doc/invoke-danetool.texi41
2 files changed, 31 insertions, 12 deletions
diff --git a/doc/invoke-certtool.texi b/doc/invoke-certtool.texi
index c04c1d7f8e..ebdcdedcca 100644
--- a/doc/invoke-certtool.texi
+++ b/doc/invoke-certtool.texi
@@ -6,7 +6,7 @@
#
# DO NOT EDIT THIS FILE (invoke-certtool.texi)
#
-# It has been AutoGen-ed March 7, 2013 at 02:56:55 AM by AutoGen 5.16
+# It has been AutoGen-ed March 7, 2013 at 11:22:22 AM by AutoGen 5.16
# From the definitions ../src/certtool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
diff --git a/doc/invoke-danetool.texi b/doc/invoke-danetool.texi
index cb34077cd7..b063e56358 100644
--- a/doc/invoke-danetool.texi
+++ b/doc/invoke-danetool.texi
@@ -6,7 +6,7 @@
#
# DO NOT EDIT THIS FILE (invoke-danetool.texi)
#
-# It has been AutoGen-ed March 1, 2013 at 05:06:53 PM by AutoGen 5.16
+# It has been AutoGen-ed March 7, 2013 at 11:03:39 PM by AutoGen 5.16
# From the definitions ../src/danetool-args.def
# and the template file agtexi-cmd.tpl
@end ignore
@@ -66,7 +66,11 @@ USAGE: danetool [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
--ca Whether the provided certificate or public key is a Certificate
Authority.
--x509 Use the hash of the X.509 certificate, rather than the public key.
- --local The provided certificate or public key is a local entity.
+ --local This is an alias for 'domain'
+ - enabled by default
+ --domain The provided certificate or public key is issued by the local domain.
+ - disabled as --no-domain
+ - enabled by default
-v, --version[=arg] Output version information and exit
-h, --help Display extended usage information and exit
-!, --more-help Extended usage information passed thru pager
@@ -191,8 +195,22 @@ This option forces the generated record to contain the hash of the full X.509 ce
@anchor{danetool local}
@subsubheading local option
-This is the ``the provided certificate or public key is a local entity.'' option.
-DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. Use this flag if this is a local (and possibly unsigned) entity.
+This is an alias for the domain option,
+@pxref{danetool domain, the domain option documentation}.
+
+@anchor{danetool domain}
+@subsubheading domain option
+
+This is the ``the provided certificate or public key is issued by the local domain.'' option.
+
+@noindent
+This option has some usage constraints. It:
+@itemize @bullet
+@item
+is enabled by default.
+@end itemize
+
+DANE distinguishes certificates and public keys offered via the DNSSEC to trusted and local entities. This flag indicates that this is a domain-issued certificate, meaning that there could be no CA involved.
@anchor{danetool exit status}
@subsubheading danetool exit status
@@ -211,26 +229,27 @@ The operation failed or the command syntax was not valid.
@subsubheading danetool Examples
@subsubheading DANE TLSA RR generation
-To create a DANE TLSA resource record for a CA signed certificate use the following commands.
-
+To create a DANE TLSA resource record for a certificate (or public key)
+that was issued localy and may or may not be signed by a CA use the following command.
@example
$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem
@end example
-For a self signed certificate use:
+To create a DANE TLSA resource record for a CA signed certificate, which will
+be marked as such use the following command.
@example
$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
- --local
+ --no-domain
@end example
-The latter is useful to add in your DNS entry even if your certificate is signed
+The former is useful to add in your DNS entry even if your certificate is signed
by a CA. That way even users who do not trust your CA will be able to verify your
certificate using DANE.
-In order to create a record for the signer of your certificate use:
+In order to create a record for the CA signer of your certificate use the following.
@example
$ danetool --tlsa-rr --host www.example.com --load-certificate cert.pem \
- --ca
+ --ca --no-domain
@end example
To read a server's DANE TLSA entry, use: