{"id":19634092,"url":"https://github.com/raforg/danectl","last_synced_at":"2025-06-12T02:03:19.051Z","repository":{"id":43000749,"uuid":"399466700","full_name":"raforg/danectl","owner":"raforg","description":"DNSSEC DANE implementation manager","archived":false,"fork":false,"pushed_at":"2024-08-20T13:48:10.000Z","size":394,"stargazers_count":22,"open_issues_count":0,"forks_count":5,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-04-05T07:33:12.034Z","etag":null,"topics":["acme","certbot","dane","dns","dnssec","letsencrypt","openpgpkey","rfc-4255","rfc-6698","rfc-7671","rfc-7672","rfc-7929","rfc-8162","smimea","sshfp","ssl","tls","tlsa","tlsa-builder","tlsa-records"],"latest_commit_sha":null,"homepage":"https://raf.org/danectl","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/raforg.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG","contributing":null,"funding":null,"license":"COPYING","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-08-24T13:01:10.000Z","updated_at":"2024-08-20T13:48:15.000Z","dependencies_parsed_at":"2023-01-29T17:16:07.207Z","dependency_job_id":"d1ab8cde-7ae3-4b7e-a065-c6262f33776d","html_url":"https://github.com/raforg/danectl","commit_stats":null,"previous_names":[],"tags_count":19,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/raforg%2Fdanectl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/raforg%2Fdanectl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/raforg%2Fdanectl/releases","manifests_url":"https://repos.ecosy
ste.ms/api/v1/hosts/GitHub/repositories/raforg%2Fdanectl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/raforg","download_url":"https://codeload.github.com/raforg/danectl/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251271116,"owners_count":21562494,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["acme","certbot","dane","dns","dnssec","letsencrypt","openpgpkey","rfc-4255","rfc-6698","rfc-7671","rfc-7672","rfc-7929","rfc-8162","smimea","sshfp","ssl","tls","tlsa","tlsa-builder","tlsa-records"],"created_at":"2024-11-11T12:19:31.883Z","updated_at":"2025-04-28T07:31:09.122Z","avatar_url":"https://github.com/raforg.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# README\n\n*danectl* - DNSSEC DANE implementation manager\n\n# WHAT IS DANE?\n\n*DANE* is *DNS-based Authentication of Named Entities*. It means securely\nletting the world know in advance what your public encryption keys are by\npublishing them as DNS records (TLSA SSHFP OPENPGPKEY SMIMEA) in your\nDNSSEC-enabled internet domain zone. This is the simplest and most secure\nway to let the world know what keys to expect when connecting to your\nservers. This can apply to TLS keys, SSH host keys, and OpenPGP and S/MIME\nkeys. This makes it possible to prevent impersonation or man-in-the-middle\nattacks. It's mostly used with mail servers. Eventually, it could render\ncertificate authorities unnecessary. 
DNSSEC has become very easy these days.\n\n# INTRODUCTION\n\n*Danectl* is a DNSSEC DANE implementation manager. It uses *certbot* to create\nand manage pairs of keys for use with a TLSA 3 1 1 current + next workflow.\nIt generates TLSA records for your TLS services for you to publish in the DNS,\nchecks that they are correctly published, and performs key rollovers.\n\n*Danectl* can also generate and check SSHFP records for the local *SSH* server.\n\n*Danectl* can also generate and check an OPENPGPKEY record for a *GnuPG* key.\n\n*Danectl* can also generate and check an SMIMEA record for an S/MIME certificate.\n\n# DESCRIPTION\n\n*Danectl* lets you create a pair of *certbot* certificate lineages to be\nused with DANE-aware TLS clients. They are referred to as the \"original\" and\nthe \"duplicate\", or as the \"current\" and the \"next\".\n\n        danectl new example.org www.example.org mail.example.org\n        danectl dup example.org www.example.org mail.example.org\n\nThe current and next will repeatedly swap places between the original and\nthe duplicate certificate lineages as the key rolls over from one to the\nother (with a new \"next\" key being created after each rollover).\n\nIf you already have a *certbot* certificate lineage that you want to use with\nDANE, then instead of creating both certificate lineages, you can adopt the\nexisting one for DANE use, and then just create the duplicate.\n\n        danectl adopt example.org\n        danectl dup example.org www.example.org mail.example.org\n\nAfter that, *certbot* automatically renews both certificates every few months,\nbut the underlying keys won't change, and the TLSA records (see below) can\nremain stable.\n\nYou then configure *danectl* with the set of port/protocol/host combinations\nthat you need TLSA records for.\n\n        danectl add-tlsa example.org _443._tcp _443._tcp.www\n        danectl add-tlsa example.org _25._tcp.mail\n        danectl add-tlsa example.org _465._tcp.mail 
_587._tcp.mail\n        danectl add-tlsa example.org _110._tcp.mail _143._tcp.mail\n        danectl add-tlsa example.org _993._tcp.mail _995._tcp.mail\n        danectl del-tlsa example.org _110._tcp.mail _143._tcp.mail\n\n*Danectl* can then output the TLSA records, in *BIND9* zonefile format, and\nyou need to publish them in the DNS (somehow).\n\n        danectl tlsa-current example.org\n        danectl tlsa-next example.org\n\n*Danectl* can then check that the TLSA records have been published in the DNS.\n\n        danectl tlsa-check example.org\n\nYou also need to configure *danectl* with the list of TLS services that need\nto be reloaded when the key rolls over.\n\n        danectl add-reload example.org apache2 postfix dovecot\n        danectl del-reload example.org postfix\n\nThis is needed even when *certbot* is configured to do it with deploy hooks,\nbecause those hooks are only run when a certificate is renewed. Service\nreloads also need to happen when there's a DANE key rollover, and that\ndoesn't necessarily happen at the same time as automatic *certbot*\ncertificate renewals.\n\nYou then need to configure your TLS services to use the \"current\"\ncertificate in /etc/letsencrypt/current, and then reload them. This is like\nfollowing instructions for using a certbot certificate, but replacing\n\"/etc/letsencrypt/live\" with \"/etc/letsencrypt/current\".\n\n        Left as an exercise for the reader\n\nPeriodically, you can perform key rollovers on a schedule that suits you\n(e.g., annually). 
An emergency key rollover is exactly the same.\n\n        danectl rollover example.org\n\nAt any time, you can show the status (which certificate lineages are\ncurrent, which are next, which new TLSA records are not yet published in the\nDNS, and which old TLSA records have not yet been removed from the DNS).\n\n        danectl status\n\nIn addition to TLSA records, you can also generate SSHFP, OPENPGPKEY, and\nSMIMEA records, and check that they are published in the DNS.\n\n        danectl sshfp example.org\n        danectl sshfp-check example.org\n        danectl openpgpkey user@example.org\n        danectl openpgpkey-check user@example.org\n        danectl smimea smimecert.pem\n        danectl smimea-check smimecert.pem\n\n# INSTALL\n\nTo install `danectl`:\n\n        tar xzf danectl-0.8.4.tar.gz\n        cd danectl-0.8.4\n        make install\n\nThis will install:\n\n        /usr/local/bin/danectl\n        /usr/local/bin/danectl-zonefile\n        /usr/local/bin/danectl-nsupdate\n        /usr/local/share/man/man1/danectl.1\n        /usr/local/share/man/man1/danectl-zonefile.1\n        /usr/local/share/man/man1/danectl-nsupdate.1\n\nTo install under `/usr` instead:\n\n        make PREFIX=/usr install\n\nTo uninstall `danectl`:\n\n        make uninstall\n\nSee `make help` for more details.\n\n# REQUIREMENTS\n\n`Danectl` is written in Bourne shell, and should work on any platform\nthat has the following prerequisites.\n\nIn all cases, `danectl` requires `/bin/sh` and `host` (or `drill`).\n\nOn systems like *Solaris*, `/usr/xpg4/bin/sh` is used instead of `/bin/sh`.\n\nFor TLSA usage, `danectl` also requires `ls`, `sed`, `grep`, `readlink`, `certbot`,\n`openssl`, `sha256sum`, and root privileges (for `certbot`).\n\nFor SSHFP usage, `danectl` also requires `sed`, `perl` and `ssh-keygen`.\n\nFor OPENPGPKEY usage, `danectl` also requires `perl` and `gpg`.\n\nFor SMIMEA usage, `danectl` also requires `perl` and `openssl`.\n\nFor non-ASCII domain names, `danectl` also 
requires *GNU* `idn2`.\n\nThe `danectl-zonefile` output adapter requires `perl`.\n\nThe `danectl-nsupdate` output adapter requires `perl`.\n\nFor reloading affected services on key rollover, any system with\n`systemctl`, `service`, `rcctl`, or service scripts in\n`/etc/init.d`, `/etc/rc.d`, or `/usr/local/etc/rc.d` should work\n(e.g., `Linux`, `FreeBSD`, `NetBSD`, `OpenBSD`, `Solaris`).\n\n--------------------------------------------------------------------------------\n\n    URL: https://raf.org/danectl\n    GIT: https://github.com/raforg/danectl\n    GIT: https://codeberg.org/raforg/danectl\n    Date: 20230718\n    Author: raf \u003craf@raf.org\u003e\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fraforg%2Fdanectl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fraforg%2Fdanectl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fraforg%2Fdanectl/lists"}
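The TLSA "3 1 1" current/next workflow the README above describes, as an added example in Python (not danectl's own code, which is Bourne shell): it derives the record from a certificate's SubjectPublicKeyInfo, renders it in the BIND9 zonefile form the README shows, and diffs the current and next records against a constructed `host -t TLSA` answer the way `danectl tlsa-check` and `danectl status` report unpublished and stale records. The sample key bytes, placeholder hashes and DNS answer lines are constructed; the owner names follow the README's example.org layout. To feed a real certificate, `openssl x509 -in cert.pem -pubkey -noout` prints the PEM block that `spki_from_pem` consumes (the path under /etc/letsencrypt/current is assumed to mirror certbot's live layout).

```python
# Added example, not danectl's own code: TLSA 3 1 1 records for a current/next
# key pair and a check of what the DNS publishes. Key bytes and DNS answers
# below are constructed; owner names follow the README's example.org layout.
import base64
import hashlib
import re

# Matches both `host -t TLSA` answers ("<owner> has TLSA record 3 1 1 <hex>")
# and zonefile lines ("<owner>. [TTL] IN TLSA 3 1 1 <hex>").
TLSA_RE = re.compile(
    r"^(?P<owner>\S+)\s+.*?TLSA\s+(?:record\s+)?"
    r"(?P<usage>\d+)\s+(?P<selector>\d+)\s+(?P<mtype>\d+)\s+(?P<data>[0-9A-Fa-f\s]+)$"
)


def spki_from_pem(pem: str) -> bytes:
    """DER SubjectPublicKeyInfo from a 'PUBLIC KEY' PEM block, which is what
    `openssl x509 -in cert.pem -pubkey -noout` prints for a certificate."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("no PUBLIC KEY block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def tlsa_311(spki_der: bytes) -> tuple:
    """Usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256).
    Only the public key is hashed, so a certbot renewal that keeps the key
    leaves the record unchanged; only a key rollover changes it."""
    return (3, 1, 1, hashlib.sha256(spki_der).hexdigest())


def zonefile_lines(owners, records):
    """Render records in BIND9 zonefile form, one line per owner/record."""
    return [f"{o}. IN TLSA {u} {s} {m} {h}" for o in owners for (u, s, m, h) in records]


def parse_published(text: str) -> dict:
    """Owner -> set of (usage, selector, mtype, lowercase hex) found in text."""
    found = {}
    for line in text.splitlines():
        m = TLSA_RE.match(line.strip())
        if not m:
            continue
        rec = (int(m["usage"]), int(m["selector"]), int(m["mtype"]),
               "".join(m["data"].split()).lower())
        found.setdefault(m["owner"].rstrip("."), set()).add(rec)
    return found


def tlsa_status(owners, current, nxt, published) -> dict:
    """Per owner: records still to publish and records to remove. Assumes the
    name carries only records from this current+next workflow, so anything
    that is neither current nor next is a key that has already rolled out."""
    want = {current, nxt}
    return {
        o: {"missing": want - published.get(o, set()),
            "stale": published.get(o, set()) - want}
        for o in owners
    }


# Constructed sample: a well-formed P-256 SubjectPublicKeyInfo whose point
# bytes are filler (it is only hashed here, never used for crypto).
SAMPLE_SPKI = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d03010703420004") + bytes(range(64))
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.encodebytes(SAMPLE_SPKI).decode()
              + "-----END PUBLIC KEY-----\n")

CUR = tlsa_311(spki_from_pem(SAMPLE_PEM))
NXT = (3, 1, 1, "b" * 64)  # constructed placeholder hash for the "next" key
OLD = (3, 1, 1, "c" * 64)  # constructed placeholder hash for a rolled-out key
OWNERS = ["_25._tcp.mail.example.org", "_443._tcp.example.org"]

# Constructed answer in `host -t TLSA` style: the mail name still carries the
# old key and lacks the next one; the web name has nothing published yet.
PUBLISHED = parse_published(
    f"_25._tcp.mail.example.org has TLSA record 3 1 1 {CUR[3].upper()}\n"
    f"_25._tcp.mail.example.org has TLSA record 3 1 1 {OLD[3].upper()}\n"
)


def demo() -> dict:
    return tlsa_status(OWNERS, CUR, NXT, PUBLISHED)


if __name__ == "__main__":
    for line in zonefile_lines(OWNERS, [CUR, NXT]):
        print(line)
    for owner, r in demo().items():
        print(owner, "missing:", sorted(r["missing"]), "stale:", sorted(r["stale"]))
```

The report for the mail name says the next key still has to be published and the old key still has to be removed; the web name needs both current and next. That is the state `danectl status` is meant to surface before a rollover is safe: a rollover should only be performed once the next record has been published and has propagated, otherwise DANE-verifying clients will reject the new key.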