convertar - Man Page
Converts trust anchor repositories from one format to another
Description
convertar operates on input and output files of different Trust Anchor Repository (TAR) formats. convertar decides what type of file format is being referred to by a "type:filename" specification. Options can be passed to the convertar module by using a '/' delimited specifier in the type identifier. Such as "type/option=value/other=othervalue:filename". See below for a list of different input and output formats that convertar understands by default and what options they take.
See the Net::DNS::SEC::Tools::TrustAnchor module and its documentation for writing new plugins to allow convertar to understand other TAR formats.
Examples
This command will read in an itar.xml file (available from https://itar.iana.org/) and convert it to a file that can be read in by BIND's named application:
# convertar -i itar:itar.xml -o bind:bind.conf
Read in multiple files, merge them together and write them out to two different output file formats (the libval format is printed to stdout):
# convertar -i itar:itar.xml,csv:local.csv -o bind:bind.conf,libval:-
File Specification Conventions
Types and files (e.g. for the -i and -o switches) are specificied using the following format:
type:/path/to/file
The type portion of the specification dictates what internal module will attempt to read in the file. The file portion of the specification may or may not be required (but the ':' always is) and may or may not point to a real file, depending on the module in charge of the content. Some modules may, for exmaple, load content from the network. For types that can read and write to a file, a '-' may be specified as a file to print to or read from standard output.
File formats MAY be infered from a trailing suffix, if the trailing suffix. EG, if a referenced file is foo.csv then internally convertar will translate this to "csv:foo.csv".
File Formats
The following file formats are known by default to convertar:
- bind
A BIND name server (named) compatible trust anchor configuration file. This can be included within a master named.conf file using the "include" directive.
The bind option can also take a /write_expectations=1 flag when writing to write an options {} section that will turn on dnssec and require validation for zones from all the imported data.
E.G. bind/write_expectations=1:named.conf
- secspider
This is merely an alias that fetches the specspider (http://secspider.cs.ucla.edu/) bind configuration file and then parse it using the bind file format.
WARNING: The PGP signature on the downloaded file is NOT checked.
- csv
A comma-separated list format.
- dump
A Perl hash dump format. This should be used mostly for debugging of newly developed modules as it shows the internal hash structure that is passed between modules.
- itar
IANA's itar format, which is an XML-based format of trust anchor keys. IANA's file is available from https://itar.iana.org/.
Specifying only 'itar:' line only (or itar:URL), convertar will attempt to retrieve the current remote ITAR respository file directly.
WARNING: The PGP signature on the downloaded file is NOT checked.
NOTE: support for downloading the ITAR repository over the network requires the LWP::UserAgent module to be installed.
- libval
The libval format is the configuration file format that DNSSEC-Tool's libval library uses.
The libval option can also take a /write_expectations=1 flag when writing to specify that the default (:) zone-security-expectation's should be populated to require validation of all the zones with imported data. All other zones will have a policy set to 'ignore.
E.G. libval/write_expectations=1:dnsval.conf
- mf
The master file (mf) format is also available from the itar web site.
- dns
The dns format performs live queries of records attached to a domain name to request either DS or DNSKEY records. By default, DNSKEY records will be queried. The specific type to be queried can be specified by preceeding the zone name with a "ds/" or "dnskey/" prefix. Example valid 'dns:' type specifications:
dns:dnssec-tools.org dns:ds/dnssec-tools.org dns:dnskey/dnssec-tools.org
Also, if you want to read dnskeys from the network but convert them to ds records, you can use the /tods flag:
dns/tods=1:dnssec-tools.org
The DNS type can not output records and is only useful for reading in information.
WARNING: The keys and data being retrieved are not internally validated and thus should not be trusted unless a secured resolver is being used.
Options
- -i STRING
- --input-file=STRING
Input file(s) to process.
convertar will read in the specified file(s). Multiple files can be separated by commas.
- -o STRING
- --output-file=STRING
Output file(s) to write.
convertar will write out these specified file(s) in the requested output formats. Multiple files can be separated by commas.
- -h
- --help
- --help-full
Displays command line help information.
- --gui
- --no-gui
Controls the use of the optional GUI.
Copyright
Copyright 2009-2013 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.
Author
Wes Hardaker < hardaker AT users DOT sourceforge DOT net >
See Also
Net::DNS::SEC::Tools::TrustAnchor(3)