1
<?xml version="1.0" encoding="ISO-8859-1"?>
2
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
3
"http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">
4
<!-- lifted from troff+man by doclifter -->
6
<!-- Generated by db2man.xsl. Don't modify this, modify the source. -->
7
<!-- Sh listing suppressed (not used) -->
8
<!-- Sp listing suppressed (not used) -->
9
<!-- Ip listing suppressed (not used) -->
10
<!-- Ip reduced to IP -->
12
<refentrytitle>IPSEC LWDNSQ</refentrytitle>
13
<manvolnum>8</manvolnum>
15
<refnamediv id='name'>
16
<refname>lwdnsq</refname>
17
<refpurpose>lookup items in DNS to help pluto (and others)</refpurpose>
19
<!-- body begins here -->
20
<refsynopsisdiv id='synopsis'>
22
<command>ipsec</command> <arg choice='plain'><replaceable>lwdnsqlwdnsq</replaceable></arg>
23
<arg choice='opt'>--prompt </arg>
24
<arg choice='opt'>--serial </arg>
26
<arg choice='plain'><replaceable>ipseclwdnsqlwdnsq</replaceable></arg>
27
<arg choice='opt'>--help </arg>
33
<refsect1 id='description'><title>DESCRIPTION</title>
34
<para>The <emphasis remap='B'>ipsec lwdnsq</emphasis> is a helper program that does DNS lookups for other programs. It implements an asynchronous interface on stdin/stdout, with an ASCII driven command language.</para>
37
<para>If stdin is a tty or if the <option>--prompt</option> option is given, then it issues a prompt to the user. Otherwise, it is silent, except for results.</para>
40
<para>The program will accept multiple queries concurrently, with each result being marked with the ID provided on the output. The IDs are strings.</para>
43
<para>If the <option>--serial</option> option is given, then the program will not attempt to execute concurrent queries, but will serialize all input and output.</para>
47
<refsect1 id='query_language'><title>QUERY LANGUAGE</title>
48
<para>There are eleven command that the program understands. This is to lookup different types of records in both the forward and reverse maps. Every query includes a queryid, which is returned in the output, on every single line to identify the transaction.</para>
51
<refsect2 id='key_queryid_fqdn'><title>KEY queryid FQDN</title>
54
<para>This request looks up the KEY resource record for the given <emphasis remap='B'>FQDN.</emphasis>.</para>
58
<refsect2 id='key4_queryid_abcd'><title>KEY4 queryid A.B.C.D</title>
61
<para>This request looks up the KEY resource record found in the reverse map for the IP version 4 address <emphasis remap='B'>A.B.C.D</emphasis>, i.e. it looks up D.C.B.A.in-addr.arpa.</para>
65
<refsect2 id='key6_queryid_abcd'><title>KEY6 queryid A:B::C:D</title>
68
<para>This request looks up the KEY resource record found in the reverse map for the IPv6 address <emphasis remap='B'>A:B::C:D</emphasis>, i.e. it looks the 32-nibble long entry in ip6.arpa (and ip6.int).</para>
72
<refsect2 id='txt4_queryid_abcd'><title>TXT4 queryid A.B.C.D</title>
75
<para>This request looks up the TXT resource record found in the reverse map for the IP version 4 address <emphasis remap='B'>A.B.C.D</emphasis>, i.e. it looks up D.C.B.A.in-addr.arpa.</para>
79
<refsect2 id='txt6_queryid_abcd'><title>TXT6 queryid A:B::C:D</title>
82
<para>This request looks up the TXT resource record found in the reverse map for the IPv6 address <emphasis remap='B'>A:B::C:D</emphasis>, i.e. it looks the 32-nibble long entry in ip6.arpa (and ip6.int).</para>
86
<refsect2 id='key_queryid_fqdn2'><title>KEY queryid FQDN</title>
89
<para>This request looks up the IPSECKEY resource record for the given <emphasis remap='B'>FQDN.</emphasis>. See note about IPSECKEY processing, below.</para>
93
<refsect2 id='ipseckey4_queryid_abcd'><title>IPSECKEY4 queryid A.B.C.D</title>
96
<para>This request looks up the IPSECKEY resource record found in the reverse map for the IP version 4 address <emphasis remap='B'>A.B.C.D</emphasis>, i.e. it looks up D.C.B.A.in-addr.arpa. See special note about IPSECKEY processing, below.</para>
100
<refsect2 id='ipseckey6_queryid_abcd'><title>IPSECKEY6 queryid A:B::C:D</title>
103
<para>This request looks up the IPSECKEY resource record found in the reverse map for the IPv6 address <emphasis remap='B'>A:B::C:D</emphasis>, i.e. it looks the 32-nibble long entry in ip6.arpa (and ip6.int). See special note about IPSECKEY processing, below.</para>
107
<refsect2 id='oe4_queryid_abcd'><title>OE4 queryid A.B.C.D</title>
110
<para>This request looks an appropriate record for Opportunistic Encryption for the given IP address. This attempts to look for the delegation record. This may be one of IPSECKEY, KEY, or TXT record. Unless configured otherwise, (see OE4 Directives, below), then a query type of ANY will be used to retrieve all relevant records, and all will be returned.</para>
114
<refsect2 id='oe6_queryid_abcd'><title>OE6 queryid A:B::C:D</title>
117
<para>This request looks an appropriate record for Opportunistic Encryption for the given IPv6 address. This attempts to look for the delegation record. This may be one of IPSECKEY, KEY, or TXT record. Unless configured otherwise, (see OE Directives, below), then a query type of ALL will be used to retrieve all relevant records, and all will be returned. i.e. it looks the 32-nibble long entry in ip6.arpa (and ip6.int).</para>
121
<refsect2 id='a_queryid_fqdn'><title>A queryid FQDN</title>
124
<para>This request looks up the A (IPv4) resource record for the given <emphasis remap='B'>FQDN.</emphasis>.</para>
128
<refsect2 id='aaaa_queryid_fqdn'><title>AAAA queryid FQDN</title>
131
<para>This request looks up the AAAA (IPv6) resource record for the given <emphasis remap='B'>FQDN.</emphasis>.</para>
136
<refsect1 id='replies_to_queries'><title>REPLIES TO QUERIES</title>
137
<para>All replies from the queries are in the following format:</para>
139
<literallayout remap='.nf'>
141
<ID> <TIME> <TTL> <TYPE> <TYPE-SPECIFIC> \n
143
</literallayout> <!-- .fi -->
144
<variablelist remap='TP'>
146
<term><emphasis remap='I'>ID</emphasis></term>
148
<para>this is the <emphasis remap='B'>queryid</emphasis> value that was provided in the query. It is repeated on every line to permit the replies to be properly associated with the query. When the response is not ascribable to particular query (such as for a mis-formed query), then the query ID "0" will be used.</para>
153
<term><emphasis remap='I'>TIME</emphasis></term>
155
<para>this is the current time in seconds since epoch.</para>
160
<term><emphasis remap='I'>TTL</emphasis></term>
162
<para>for answers which have a time to live, this is the current value. The answer is valid for this number of seconds. If there is no useful value here, then the number 0 is used.</para>
167
<term><emphasis remap='I'>TYPE</emphasis></term>
169
<para>This is the type of the record that is being returned. The types are described in the next section. The TYPE specific data that follows is specific to the type.</para>
176
<para>The replies are limited to 4096 bytes, a value defined as <emphasis remap='B'>LWDNSQ_RESULT_LEN_MAX</emphasis>. This is defined in <emphasis remap='I'>freeswan.h</emphasis>.</para>
179
<para>All of the replies which include resource records use the standard presentation format (with no line feeds or carriage returns) in their answer.</para>
182
<refsect2 id='start'><title>START</title>
185
<para>This reply indicates that a query has been received and has been started. It serves as an anchor point for timing, as well as an acknowledgement.</para>
189
<refsect2 id='done'><title>DONE</title>
192
<para>This reply indicates that a query is entirely over, and no further information from this query will be sent.</para>
196
<refsect2 id='retry'><title>RETRY</title>
199
<para>This reply indicates that a query is entirely over, but that no data was found. The records may exist, but appropriate servers could not be reached.</para>
203
<refsect2 id='fatal'><title>FATAL</title>
206
<para>This reply indicates that a query is entirely over, and that no data of the type requested could be found. There were no timeouts, and all servers were available and confirmed non-existances. There may be NXT records returned prior to this.</para>
210
<refsect2 id='cname'><title>CNAME</title>
213
<para>This is an interim reply, and indicates that a CNAME was found (and followed) while performing the query. The value of the CNAME is present in the type specific section.</para>
217
<refsect2 id='cnamefrom'><title>CNAMEFROM</title>
220
<para>This is an interim reply, and indicates that a CNAME was found. The original name that was queries for was not the canonical name, and this reply indicates the name that was actually followed.</para>
224
<refsect2 id='name2'><title>NAME</title>
227
<para>This is an interim reply. The original name that was queries for was not the canonical name. This reply indicates the canonical name.</para>
231
<refsect2 id='dnssec'><title>DNSSEC</title>
234
<para>This is an interim reply. It is followed either by "OKAY" or "not present. It indicates if DNSSEC was available on the reply.</para>
238
<refsect2 id='txt_and_adtxt'><title>TXT and AD-TXT</title>
241
<para>This is an interim reply. If there are TXT resource records in the reply, then each one is presented using this type. If preceeded by AD-, then this record was signed with DNSSEC.</para>
245
<refsect2 id='a_and_ada'><title>A and AD-A</title>
248
<para>This is an interim reply. If there are A resource records in the reply, then each one is presented using this type. If preceeded by AD-, then this record was signed with DNSSEC.</para>
252
<refsect2 id='aaaa_and_adaaaa'><title>AAAA and AD-AAAA</title>
255
<para>This is an interim reply. If there are AAAA resource records in the reply, then each one is presented using this type. If preceeded by AD-, then this record was signed with DNSSEC.</para>
259
<refsect2 id='ptr_and_adptr'><title>PTR and AD-PTR</title>
262
<para>This is an interim reply. If there are PTR resource records in the reply, then each one is presented using this type. If preceeded by AD-, then this record was signed with DNSSEC.</para>
266
<refsect2 id='key_and_adkey'><title>KEY and AD-KEY</title>
269
<para>This is an interim reply. If there are KEY resource records in the reply, then each one is presented using this type. If preceeded by AD-, then this record was signed with DNSSEC.</para>
273
<refsect2 id='ipseckey_and_adipseckey'><title>IPSECKEY and AD-IPSECKEY</title>
276
<para>This is an interim reply. If there are IPSEC resource records in the reply, then each one is presented using this type. If preceeded by AD-, then this record was signed with DNSSEC.</para>
281
<refsect1 id='special_ipseckey_processing'><title>SPECIAL IPSECKEY PROCESSING</title>
282
<para>At the time of this writing, the IPSECKEY resource record is not entirely specified. In particular no resource record number has been assigned. This program assumes that it is resource record number 45. If the file /etc/ipsec.d/lwdnsq.conf exists, and contains a line like</para>
284
<literallayout remap='.nf'>
286
ipseckey_rr=<emphasis remap='B'>number</emphasis>
288
</literallayout> <!-- .fi -->
289
<para> then this number will be used instead. The file is read only once at startup.</para>
293
<refsect1 id='oe_directives'><title>OE DIRECTIVES</title>
294
<para>If the file /etc/ipsec.d/lwdnsq.conf exists, and contains a line like</para>
296
<literallayout remap='.nf'>
300
</literallayout> <!-- .fi -->
301
<para> then instead of doing an ALL query when looking for OE delegation records, lwdnsq will do a series of queries. It will first look for IPSECKEY, and then TXT record. If it finds neither, it will then look for KEY records of all kinds, although they do not contain delegation information.</para>
305
<refsect1 id='special_ipseckey_processing2'><title>SPECIAL IPSECKEY PROCESSING</title>
306
<literallayout remap='.nf'>
308
/etc/ipsec.d/lwdnsq.conf
310
</literallayout> <!-- .fi -->
314
<refsect1 id='author'><title>AUTHOR</title>
315
<para>Michael Richardson <mcr@sandelman.ottawa.on.ca>.</para>