.\"Generated by db2man.xsl. Don't modify this, modify the source.
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "IPSEC LWDNSQ" 8 "" "" ""
.SH NAME
lwdnsq \- lookup items in DNS to help pluto (and others)
.SH "SYNOPSIS"

.nf
\fBipsec lwdnsq\fR lwdnsq\fR [\fB\-\-prompt\fR] [\fB\-\-serial\fR]
.fi

.nf
\fBipsec lwdnsq\fR lwdnsq\fR [\fB\-\-help\fR]
.fi

.SH "DESCRIPTION"

.PP
The \fBipsec lwdnsq\fR is a helper program that does DNS lookups for other programs. It implements an asynchronous interface on stdin/stdout, with an ASCII driven command language.

.PP
If stdin is a tty or if the \fB\-\-prompt\fR option is given, then it issues a prompt to the user. Otherwise, it is silent, except for results.

.PP
The program will accept multiple queries concurrently, with each result being marked with the ID provided on the output. The IDs are strings.

.PP
If the \fB\-\-serial\fR option is given, then the program will not attempt to execute concurrent queries, but will serialize all input and output.

.SH "QUERY LANGUAGE"

.PP
There are eleven command that the program understands. This is to lookup different types of records in both the forward and reverse maps. Every query includes a queryid, which is returned in the output, on every single line to identify the transaction.

.SS "KEY queryid FQDN"

.PP
This request looks up the KEY resource record for the given \fBFQDN.\fR.

.SS "KEY4 queryid A.B.C.D"

.PP
This request looks up the KEY resource record found in the reverse map for the IP version 4 address \fBA.B.C.D\fR, i.e. it looks up D.C.B.A.in\-addr.arpa.

.SS "KEY6 queryid A:B::C:D"

.PP
This request looks up the KEY resource record found in the reverse map for the IPv6 address \fBA:B::C:D\fR, i.e. it looks the 32\-nibble long entry in ip6.arpa (and ip6.int).

.SS "TXT4 queryid A.B.C.D"

.PP
This request looks up the TXT resource record found in the reverse map for the IP version 4 address \fBA.B.C.D\fR, i.e. it looks up D.C.B.A.in\-addr.arpa.

.SS "TXT6 queryid A:B::C:D"

.PP
This request looks up the TXT resource record found in the reverse map for the IPv6 address \fBA:B::C:D\fR, i.e. it looks the 32\-nibble long entry in ip6.arpa (and ip6.int).

.SS "KEY queryid FQDN"

.PP
This request looks up the IPSECKEY resource record for the given \fBFQDN.\fR. See note about IPSECKEY processing, below.

.SS "IPSECKEY4 queryid A.B.C.D"

.PP
This request looks up the IPSECKEY resource record found in the reverse map for the IP version 4 address \fBA.B.C.D\fR, i.e. it looks up D.C.B.A.in\-addr.arpa. See special note about IPSECKEY processing, below.

.SS "IPSECKEY6 queryid A:B::C:D"

.PP
This request looks up the IPSECKEY resource record found in the reverse map for the IPv6 address \fBA:B::C:D\fR, i.e. it looks the 32\-nibble long entry in ip6.arpa (and ip6.int). See special note about IPSECKEY processing, below.

.SS "OE4 queryid A.B.C.D"

.PP
This request looks an appropriate record for Opportunistic Encryption for the given IP address. This attempts to look for the delegation record. This may be one of IPSECKEY, KEY, or TXT record. Unless configured otherwise, (see OE4 Directives, below), then a query type of ANY will be used to retrieve all relevant records, and all will be returned.

.SS "OE6 queryid A:B::C:D"

.PP
This request looks an appropriate record for Opportunistic Encryption for the given IPv6 address. This attempts to look for the delegation record. This may be one of IPSECKEY, KEY, or TXT record. Unless configured otherwise, (see OE Directives, below), then a query type of ALL will be used to retrieve all relevant records, and all will be returned. i.e. it looks the 32\-nibble long entry in ip6.arpa (and ip6.int).

.SS "A queryid FQDN"

.PP
This request looks up the A (IPv4) resource record for the given \fBFQDN.\fR.

.SS "AAAA queryid FQDN"

.PP
This request looks up the AAAA (IPv6) resource record for the given \fBFQDN.\fR.

.SH "REPLIES TO QUERIES"

.PP
All replies from the queries are in the following format: 

.nf

<ID> <TIME> <TTL> <TYPE> <TYPE\-SPECIFIC> \\n

.fi
  

.TP
\fIID\fR
this is the \fBqueryid\fR value that was provided in the query. It is repeated on every line to permit the replies to be properly associated with the query. When the response is not ascribable to particular query (such as for a mis\-formed query), then the query ID "0" will be used.

.TP
\fITIME\fR
this is the current time in seconds since epoch.

.TP
\fITTL\fR
for answers which have a time to live, this is the current value. The answer is valid for this number of seconds. If there is no useful value here, then the number 0 is used.

.TP
\fITYPE\fR
This is the type of the record that is being returned. The types are described in the next section. The TYPE specific data that follows is specific to the type.
 

.PP
The replies are limited to 4096 bytes, a value defined as \fBLWDNSQ_RESULT_LEN_MAX\fR. This is defined in \fIfreeswan.h\fR.

.PP
All of the replies which include resource records use the standard presentation format (with no line feeds or carriage returns) in their answer.

.SS "START"

.PP
This reply indicates that a query has been received and has been started. It serves as an anchor point for timing, as well as an acknowledgement.

.SS "DONE"

.PP
This reply indicates that a query is entirely over, and no further information from this query will be sent.

.SS "RETRY"

.PP
This reply indicates that a query is entirely over, but that no data was found. The records may exist, but appropriate servers could not be reached.

.SS "FATAL"

.PP
This reply indicates that a query is entirely over, and that no data of the type requested could be found. There were no timeouts, and all servers were available and confirmed non\-existances. There may be NXT records returned prior to this.

.SS "CNAME"

.PP
This is an interim reply, and indicates that a CNAME was found (and followed) while performing the query. The value of the CNAME is present in the type specific section.

.SS "CNAMEFROM"

.PP
This is an interim reply, and indicates that a CNAME was found. The original name that was queries for was not the canonical name, and this reply indicates the name that was actually followed.

.SS "NAME"

.PP
This is an interim reply. The original name that was queries for was not the canonical name. This reply indicates the canonical name.

.SS "DNSSEC"

.PP
This is an interim reply. It is followed either by "OKAY" or "not present. It indicates if DNSSEC was available on the reply.

.SS "TXT and AD-TXT"

.PP
This is an interim reply. If there are TXT resource records in the reply, then each one is presented using this type. If preceeded by AD\-, then this record was signed with DNSSEC.

.SS "A and AD-A"

.PP
This is an interim reply. If there are A resource records in the reply, then each one is presented using this type. If preceeded by AD\-, then this record was signed with DNSSEC.

.SS "AAAA and AD-AAAA"

.PP
This is an interim reply. If there are AAAA resource records in the reply, then each one is presented using this type. If preceeded by AD\-, then this record was signed with DNSSEC.

.SS "PTR and AD-PTR"

.PP
This is an interim reply. If there are PTR resource records in the reply, then each one is presented using this type. If preceeded by AD\-, then this record was signed with DNSSEC.

.SS "KEY and AD-KEY"

.PP
This is an interim reply. If there are KEY resource records in the reply, then each one is presented using this type. If preceeded by AD\-, then this record was signed with DNSSEC.

.SS "IPSECKEY and AD-IPSECKEY"

.PP
This is an interim reply. If there are IPSEC resource records in the reply, then each one is presented using this type. If preceeded by AD\-, then this record was signed with DNSSEC.

.SH "SPECIAL IPSECKEY PROCESSING"

.PP
At the time of this writing, the IPSECKEY resource record is not entirely specified. In particular no resource record number has been assigned. This program assumes that it is resource record number 45. If the file /etc/ipsec.d/lwdnsq.conf exists, and contains a line like 

.nf

ipseckey_rr=\fBnumber\fR

.fi
 then this number will be used instead. The file is read only once at startup.

.SH "OE DIRECTIVES"

.PP
If the file /etc/ipsec.d/lwdnsq.conf exists, and contains a line like 

.nf

queryany=false

.fi
 then instead of doing an ALL query when looking for OE delegation records, lwdnsq will do a series of queries. It will first look for IPSECKEY, and then TXT record. If it finds neither, it will then look for KEY records of all kinds, although they do not contain delegation information.

.SH "SPECIAL IPSECKEY PROCESSING"

.nf

/etc/ipsec.d/lwdnsq.conf

.fi

.SH AUTHOR
Michael Richardson <mcr@sandelman.ottawa.on.ca>.