#! /bin/bash
# @(#)(CAcert) $Id: mk-tlsa-recs,v 1.2 2019/04/02 15:37:17 root Exp $
# mk-tlsa-recs - generate TLSA records for domains found in the certs subdirectory

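# Path to the ldns-dane(1) tool that computes the TLSA records.
# readonly: nothing below is meant to reassign these settings.
readonly LDNS_DANE=/usr/bin/ldns-dane

readonly PORT=443	# HTTPS

# TLSA "certificate usage" field (RFC 6698, section 2.1.1).
# One record is produced per domain for USAGE and one for ALT_USAGE.
readonly USAGE=3	# 0: CA constraint
			# 1: Service certificate constraint
			# 2: Trust anchor assertion
			# 3: Domain-issued certificate
readonly ALT_USAGE=2

# TLSA "selector" field (RFC 6698, section 2.1.2).
readonly SELECTOR=1	# 0: Full certificate
			# 1: SubjectPublicKeyInfo

# TLSA "matching type" field (RFC 6698, section 2.1.3).
readonly TYPE=1		# 0: No hash used
			# 1: SHA-256
			# 2: SHA-512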

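# Fail early if the tool is missing, instead of once per domain in the loop.
test -x "${LDNS_DANE}" || {
	printf '%s: %s is not executable\n' "${0##*/}" "${LDNS_DANE}" >&2
	exit 1
}

status=0
# Each certs/<domain>.crt symlink yields TLSA records for <domain>.
# If the glob matches nothing the literal pattern fails the -L test and is skipped.
for crt in certs/*.crt
do
	# Only symlinks are processed; plain files in certs/ are ignored.
	test -L "${crt}" || continue
	DOMAIN=$(basename -- "${crt}" .crt)
	# NOTE(review): ALT_USAGE is applied to the same certificate file as USAGE —
	# confirm that the symlinked cert is the intended target for a usage-2 record.
	for usage in "${USAGE}" "${ALT_USAGE}"
	do
		# ldns-dane writes the record to stdout; a failure is reported on
		# stderr and remembered so the remaining domains are still processed.
		"${LDNS_DANE}" -c "${crt}" create \
			"${DOMAIN}" "${PORT}" "${usage}" "${SELECTOR}" "${TYPE}" \
			|| {
				printf '%s: ldns-dane failed for %s (usage %s)\n' \
					"${0##*/}" "${DOMAIN}" "${usage}" >&2
				status=1
			}
	done
done
# Non-zero if any record could not be generated.
exit "${status}"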