author Jan Hák <jan.hak@nic.cz> 2023-08-25 14:26:48 +0200
committer Daniel Salzman <daniel.salzman@nic.cz> 2023-11-30 19:39:48 +0100
commit 7d493550100ed63eb377bdb98d16f3083226d16d
tree b761802864a7d4379dd5784da31e803b3edadabe /doc
parent knsupdate: connect to server over QUIC
knsupdate: add advance options for TLS connections
Diffstat (limited to 'doc')
-rw-r--r-- doc/man/knsupdate.1in 73
-rw-r--r-- doc/man_knsupdate.rst 73
2 files changed, 100 insertions, 46 deletions
diff --git a/doc/man/knsupdate.1in b/doc/man/knsupdate.1in
index 3aaf31aa5..503693bf7 100644
--- a/doc/man/knsupdate.1in
+++ b/doc/man/knsupdate.1in
@@ -32,7 +32,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
knsupdate \- Dynamic DNS update utility
.SH SYNOPSIS
.sp
-\fBknsupdate\fP [\fIoptions\fP] [\fIfilename\fP]
+\fBknsupdate\fP [\fB\-v\fP] [\fIoptions\fP] [\fIfilename\fP]
+.sp
+\fBknsupdate\fP [\fB\-q\fP] [\fIquic_options\fP] [\fIoptions\fP] [\fIfilename\fP]
.SH DESCRIPTION
.sp
This utility sends Dynamic DNS update messages to a DNS server. Update content
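Review bot: The commit subject describes these as options for TLS connections, but the second synopsis form names the placeholder \fIquic_options\fP and ties it to \fB\-q\fP. If the options take effect only with QUIC, the subject or the description should say so; if they are meant to apply to any TLS-based transport, a transport-neutral placeholder name here would avoid a later rename of the synopsis.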
@@ -51,42 +53,67 @@ Path to the file with knsupdate commands.
.SS Options
.INDENT 0.0
.TP
-\fB\-d\fP
-Enable debug messages.
-.TP
-\fB\-h\fP, \fB\-\-help\fP
-Print the program help.
+\fB\-v\fP, \fB\-\-tcp\fP
+Use a TCP connection.
.TP
-\fB\-k\fP \fIkeyfile\fP
-Use the TSIG key stored in a file \fIkeyfile\fP to authenticate the request. The
-file should contain the key in the same format, which is accepted by the
-\fB\-y\fP option.
+\fB\-q\fP, \fB\-\-quic\fP
+Use a QUIC connection.
.TP
-\fB\-p\fP \fIport\fP
+\fB\-p\fP, \fB\-\-port\fP \fInumber\fP
Set the port to use for connections to the server (if not explicitly specified
-in the update). The default is 53.
-.TP
-\fB\-q\fP
-Use a QUIC connection.
+in the update). The default is 53 for UDP/TCP or 853 for QUIC.
.TP
-\fB\-r\fP \fIretries\fP
+\fB\-r\fP, \fB\-\-retry\fP \fIcount\fP
The number of retries for UDP requests. The default is 3.
.TP
-\fB\-t\fP \fItimeout\fP
+\fB\-t\fP, \fB\-\-timeout\fP \fIseconds\fP
The total timeout (for all UDP update tries) of the update request in seconds.
The default is 12. If set to zero, the timeout is infinite.
.TP
-\fB\-v\fP
-Use a TCP connection.
+\fB\-y\fP, \fB\-\-tsig\fP [\fIalg\fP:]\fIname\fP:\fIkey\fP
+Use the TSIG key with a name \fIname\fP to authenticate the request. The \fIalg\fP
+part specifies the algorithm (the default is hmac\-sha256) and \fIkey\fP specifies
+the shared secret encoded in Base64.
+.TP
+\fB\-k\fP, \fB\-\-tsigfile\fP \fIpath\fP
+Use the TSIG key stored in a file \fIkeyfile\fP to authenticate the request. The
+file should contain the key in the same format, which is accepted by the
+\fB\-y\fP option.
+.TP
+\fB\-d\fP, \fB\-\-debug\fP
+Enable debug messages.
+.TP
+\fB\-h\fP, \fB\-\-help\fP
+Print the program help.
.TP
\fB\-V\fP, \fB\-\-version\fP
Print the program version. The option \fB\-VV\fP makes the program
print the compile time configuration summary.
+.UNINDENT
+.SS QUIC options
+.INDENT 0.0
.TP
-\fB\-y\fP [\fIalg\fP:]\fIname\fP:\fIkey\fP
-Use the TSIG key with a name \fIname\fP to authenticate the request. The \fIalg\fP
-part specifies the algorithm (the default is hmac\-sha256) and \fIkey\fP specifies
-the shared secret encoded in Base64.
+\fB\-H\fP, \fB\-\-hostname\fP \fIstring\fP
+Enable remote server hostname validation.
+.TP
+\fB\-\-pin\fP \fIbase64\fP
+Use Out\-of\-Band key\-pinned privacy profile
+(RFC 7858#section\-4.2). The PIN must be a Base64 encoded SHA\-256 hash of the
+X.509 SubjectPublicKeyInfo. Can be specified multiple times.
+.TP
+\fB\-\-ca\fP \fIpath\fP
+Enable certificate validation. Certification authority certificates
+are loaded from the specified PEM file (default is system certificate storage
+if no argument is provided). Can be specified multiple times.
+.TP
+\fB\-\-certfile\fP \fIpath\fP
+Path to a client certificate file.
+.TP
+\fB\-\-keyfile\fP \fIpath\fP
+Path to a client key file.
+.TP
+\fB\-\-sni\fP \fIstring\fP
+Use specified Server Name Indication.
.UNINDENT
.SS Commands
.INDENT 0.0
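Review bot: In the \fB\-k\fP, \fB\-\-tsigfile\fP entry the argument placeholder was renamed to \fIpath\fP, but the description still reads "stored in a file \fIkeyfile\fP". Since this hunk also introduces \fB\-\-keyfile\fP for the client key, the stale name now points readers at an unrelated option. Suggest "Use the TSIG key stored in the file \fIpath\fP to authenticate the request."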
diff --git a/doc/man_knsupdate.rst b/doc/man_knsupdate.rst
index 8c17821d5..e8ce0bc15 100644
--- a/doc/man_knsupdate.rst
+++ b/doc/man_knsupdate.rst
@@ -6,7 +6,9 @@
Synopsis
--------
-:program:`knsupdate` [*options*] [*filename*]
+:program:`knsupdate` [**-v**] [*options*] [*filename*]
+
+:program:`knsupdate` [**-q**] [*quic_options*] [*options*] [*filename*]
Description
-----------
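Review bot: In the second synopsis form **-q** is bracketed as optional, which reads as if *quic_options* could be given without selecting QUIC. If they only take effect with **-q**, write that form with **-q** unbracketed. The two forms also imply that **-v** and **-q** are mutually exclusive, yet neither option's description says so; one sentence in the Options entries would settle it.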
@@ -28,42 +30,67 @@ Parameters
Options
.......
-**-d**
- Enable debug messages.
-
-**-h**, **--help**
- Print the program help.
+**-v**, **--tcp**
+ Use a TCP connection.
-**-k** *keyfile*
- Use the TSIG key stored in a file *keyfile* to authenticate the request. The
- file should contain the key in the same format, which is accepted by the
- **-y** option.
+**-q**, **--quic**
+ Use a QUIC connection.
-**-p** *port*
+**-p**, **--port** *number*
Set the port to use for connections to the server (if not explicitly specified
- in the update). The default is 53.
-
-**-q**
- Use a QUIC connection.
+ in the update). The default is 53 for UDP/TCP or 853 for QUIC.
-**-r** *retries*
+**-r**, **--retry** *count*
The number of retries for UDP requests. The default is 3.
-**-t** *timeout*
+**-t**, **--timeout** *seconds*
The total timeout (for all UDP update tries) of the update request in seconds.
The default is 12. If set to zero, the timeout is infinite.
-**-v**
- Use a TCP connection.
+**-y**, **--tsig** [*alg*:]\ *name*:*key*
+ Use the TSIG key with a name *name* to authenticate the request. The *alg*
+ part specifies the algorithm (the default is hmac-sha256) and *key* specifies
+ the shared secret encoded in Base64.
+
+**-k**, **--tsigfile** *path*
+ Use the TSIG key stored in a file *keyfile* to authenticate the request. The
+ file should contain the key in the same format, which is accepted by the
+ **-y** option.
+
+**-d**, **--debug**
+ Enable debug messages.
+
+**-h**, **--help**
+ Print the program help.
**-V**, **--version**
Print the program version. The option **-VV** makes the program
print the compile time configuration summary.
-**-y** [*alg*:]\ *name*:*key*
- Use the TSIG key with a name *name* to authenticate the request. The *alg*
- part specifies the algorithm (the default is hmac-sha256) and *key* specifies
- the shared secret encoded in Base64.
+QUIC options
+............
+
+**-H**, **--hostname** *string*
+ Enable remote server hostname validation.
+
+**--pin** *base64*
+ Use Out-of-Band key-pinned privacy profile
+ (RFC 7858#section-4.2). The PIN must be a Base64 encoded SHA-256 hash of the
+ X.509 SubjectPublicKeyInfo. Can be specified multiple times.
+
+**--ca** *path*
+ Enable certificate validation. Certification authority certificates
+ are loaded from the specified PEM file (default is system certificate storage
+ if no argument is provided). Can be specified multiple times.
+
+**--certfile** *path*
+ Path to a client certificate file.
+
+**--keyfile** *path*
+ Path to a client key file.
+
+**--sni** *string*
+ Use specified Server Name Indication.
Commands
........
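Review bot: The QUIC options section never states what server authentication is performed when none of **--hostname**, **--pin** or **--ca** is given, and the **--hostname** entry does not say what *string* is compared against or whether it has any effect without **--ca**. A reader cannot tell from this text whether a bare **-q** connection authenticates the server at all, so please document the default. Also, the **--ca** description says the system certificate storage is used "if no argument is provided", but the signature shows *path* as mandatory; if the argument is optional, write it as **--ca** [*path*].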