66
77* Danectl* is a DNSSEC DANE implementation manager. It uses * certbot* to create
88and manage pairs of keys for use with a TLSA 3 1 1 current + next workflow.
9- It generates TLSA records for your TLS services for you to publish to the DNS,
9+ It generates TLSA records for your TLS services for you to publish in the DNS,
1010checks that they are correctly published, and performs key rollovers.
1111
1212* Danectl* can also generate and check SSHFP records for the local * SSH* server.
@@ -19,14 +19,15 @@ checks that they are correctly published, and performs key rollovers.
1919
2020Danectl lets you create a pair of certbot certificate lineages to be used
2121with DANE-aware TLS clients. They are referred to as the "original" and the
22- "duplicate", or as the "current" and the "next". The current and next will
23- repeatedly swap places between the original and the duplicate certificate
24- lineages as the key rolls over from one to the other (with a new "next" key
25- being created after each rollover).
22+ "duplicate", or as the "current" and the "next".
2623
2724 danectl new example.org www.example.org mail.example.org
2825 danectl dup example.org www.example.org mail.example.org
2926
27+ The current and next will repeatedly swap places between the original and
28+ the duplicate certificate lineages as the key rolls over from one to the
29+ other (with a new "next" key being created after each rollover).
30+
3031If you already have a certbot certificate lineage that you want to use with
3132DANE, then instead of creating both certificate lineages, you can adopt the
3233existing one for DANE use, and then just create the duplicate.
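Review bot: moving the current/next swap paragraph to after the command block (lines 27+ to 29+) separates it from the sentence that introduces "original"/"duplicate" and "current"/"next", so a reader now meets `danectl new` and `danectl dup` with no statement of which lineage each creates. Suggest a short lead-in before the commands, e.g. "Create the original lineage with `new` and the duplicate with `dup`:", so the two names map to the two commands before the rollover explanation resumes.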
@@ -35,25 +36,26 @@ existing one for DANE use, and then just create the duplicate.
3536 danectl dup example.org www.example.org mail.example.org
3637
3738After that, certbot automatically renews both certificates every few months,
38- but the underlying keypairs won't change, and the TLSA records (see below)
39- can remain stable.
39+ but the underlying keys won't change, and the TLSA records (see below) can
40+ remain stable.
4041
4142You then configure danectl with the set of port/protocol/host combinations
4243that you need TLSA records for.
4344
4445 danectl add-tlsa example.org _443._tcp _443._tcp.www
45- danectl add-tlsa example.org _25._tcp.mail _465._tcp.mail _587._tcp.mail
46+ danectl add-tlsa example.org _25._tcp.mail
47+ danectl add-tlsa example.org _465._tcp.mail _587._tcp.mail
4648 danectl add-tlsa example.org _110._tcp.mail _143._tcp.mail
4749 danectl add-tlsa example.org _993._tcp.mail _995._tcp.mail
4850 danectl del-tlsa example.org _110._tcp.mail _143._tcp.mail
4951
5052Danectl can then output the TLSA records, in zonefile format, and you need
51- to publish them to the DNS (somehow).
53+ to publish them in the DNS (somehow).
5254
5355 danectl tlsa-current example.org
5456 danectl tlsa-next example.org
5557
56- Danectl can then check that the TLSA records have been published to the DNS.
58+ Danectl can then check that the TLSA records have been published in the DNS.
5759
5860 danectl tlsa-check example.org
5961
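Review bot: the unchanged context line `danectl del-tlsa example.org _110._tcp.mail _143._tcp.mail` directly undoes the `add-tlsa` line two lines above it, and now that the mail `add-tlsa` lines have been split (46+ and 47+) the sequence reads even more like a copy-paste mistake than a demonstration of removal. Suggest either a one-line note that the `del-tlsa` example shows how to drop a port/protocol/host combination, or removing ports in the example that were not just added; otherwise the split itself and the "keys"/"in the DNS" wording changes look fine.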
@@ -71,8 +73,8 @@ renewals.
7173
7274You then need to configure your TLS services to use the "current"
7375certificate in /etc/letsencrypt/current, and then reload them. This is like
74- following instructions for using a certbot certificate, but replacing "live"
75- with "current".
76+ following instructions for using a certbot certificate, but replacing
77+ "/etc/letsencrypt/live" with "/etc/letsencrypt/ current".
7678
7779 Left as an exercise for the reader
7880
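Review bot: the added line 77+ reads `"/etc/letsencrypt/ current"` with a stray space after the slash; the path should be `/etc/letsencrypt/current`, matching the unchanged context line 7375 above it. A reader following the "replace live with current" instruction literally would otherwise produce a path that does not exist, so this should be fixed before merging.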
@@ -82,13 +84,13 @@ Periodically, you can perform key rollovers on a schedule that suits you
8284 danectl rollover example.org
8385
8486At any time, you can show the status (which certificate lineages are
85- current, which are next, which new TLSA records are not yet published to the
87+ current, which are next, which new TLSA records are not yet published in the
8688DNS, and which old TLSA records have not yet been removed from the DNS).
8789
8890 danectl status
8991
9092In addition to TLSA records, you can also generate SSHFP, OPENPGPKEY, and
91- SMIMEA records, and check that they are published to the DNS.
93+ SMIMEA records, and check that they are published in the DNS.
9294
9395 danectl sshfp example.org
9496 danectl sshfp-check example.org