danectl 0.8.4

danectl - DNSSEC DANE implementation manager.

What's DNSSEC? Secure DNS that you can trust. It has become really easy lately.

What's DANE? Publishing your TLS keys as secure DNS records (TLSA, SSHFP, OPENPGPKEY, SMIMEA) to prevent impersonation or man-in-the-middle attacks. It could eventually render certificate authorities unnecessary. Currently, it's mostly used for mail servers that want to stop anyone intercepting their incoming email. But the idea also applies to SSH host keys, and to OpenPGP and S/MIME keys.

Danectl makes it easy to create TLSA, SSHFP, OPENPGPKEY, and SMIMEA DNS records, (maybe) helps you publish them, and monitors that they are correctly published. And for TLS keys, it performs safe, reliable, instant key rollovers.

Detail: It uses certbot to create and manage pairs of keys for use with a TLSA 3 1 1 current + next workflow. Danectl can also generate and monitor SSHFP records for the local SSH server, OPENPGPKEY records for GnuPG keys, and SMIMEA records for S/MIME certificates.

Tags dnssec dane tls tlsa sshfp mail-transport-agent darwin macos posix freebsd netbsd openbsd linux solaris system-administrators
License GNU GPL
State stable

Recent Releases

0.8.4 15 Oct 2023 13:44 minor feature:
- doc
- Add WHAT IS DANE? section
- Add _ to set of DNS name chars that don't require idn2
- rollover
- Divert certbot stdout to stderr to aid output adapters
- Prevent premature rollover (refuse if tlsa-check would fail)
- Terminate danectl when `idna` in subprocess requires idn2 but fails to find it
- Makefile
- Add make help (default)

0.8.3 06 Jun 2023 11:42 minor feature:
- Add --group option for different certbot configurations for different domains
- Add danectl-zonefile (output adapter for modifying BIND9 zonefiles)
- Add danectl-nsupdate (output adapter for BIND9 dynamic DNS updates)
- Add support for Unicode domain names
- Fix support for Unicode email addresses in S/MIME certificates
- Add support for drill on systems like Arch that prefer it to host