This is a command line Java tool for doing DNSSEC response
validation against a single authoritative DNS server.
usage: java -jar dnssecreconciler.jar [..options..]
server: the DNS server to query.
query: a name [type [flags]] string.
query_file: a list of queries, one query per line.
count: send up to 'count' queries, then stop.
dnskey_file: a file containing DNSKEY RRs to trust.
dnskey_query: query 'server' for DNSKEY at given name to trust,
error_file: write DNSSEC validation failure details to this file
The DNSSECReconciler needs a server to query ('server'), a query or
list of queries ('query' or 'query_file'), and a set of DNSKEYs to
trust ('dnskey_file' or 'dnskey_query') -- these keys MUST be the ones
used to sign everything in the responses.
By default it logs everything to stdout. DNSSEC validation errors
(which is most of the output) can be redirected to a file (which will
be appended to if it already exists).
Note that the DNSSECReconciler will skip a query if its qname isn't a
subdomain of (or doesn't match) one of the owner names of the DNSKEYs
that have been added.
This is a file of one query per line, with a query formatted as:
qname [qtype] [qclass] [flags]
The DO bit is redundant since all queries will be made with the DO bit
Note: at the moment, flags are ignored.
This is a list of DNSKEYs in zone file format. It will ignore zone
file comments and non-DNSKEY records, so you can just use dig output:
dig @0 edu dnskey +dnssec > keys
dig @0 net dnskey +dnssec >> keys
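The following is an added example, not code from the DNSSECReconciler tool itself. It parses the two input formats described above (the one-query-per-line file and a DNSKEY file taken from dig output, ignoring comments and non-DNSKEY records), computes each key's RFC 4034 key tag so a key can be matched against the tag in an RRSIG, and applies the skip rule stated earlier: a query only runs if its qname matches or is under a trusted key's owner name, compared label by label. The sample key and query files are constructed, the key material is a fake few-byte value so the tags can be checked by hand, and the default qtype A and qclass IN are assumptions, not something the README states.

```python
"""Added example, not part of DNSSECReconciler: parse the query file and
DNSKEY file formats and apply the 'skip unless under a trusted key name'
rule. All sample input below is constructed."""
from __future__ import annotations

import base64
from dataclasses import dataclass, field

# Constructed sample in the shape of 'dig ... dnskey +dnssec' output: a comment
# line, an RRSIG (non-DNSKEY) record that must be ignored, and two DNSKEYs whose
# public keys are tiny fake values (4 and 2 bytes) so the key tags are checkable.
SAMPLE_KEYS = """\
;; ANSWER SECTION:
edu.\t\t86400\tIN\tDNSKEY\t257 3 8 AQIDBA==
edu.\t\t86400\tIN\tRRSIG\tDNSKEY 8 1 86400 20240101000000 20231201000000 2063 edu. ZmFrZQ==
net.\t\t86400\tIN\tDNSKEY\t256 3 8 BQY=
"""

# Constructed sample query file: qname [qtype] [qclass] [flags], one per line.
SAMPLE_QUERIES = """\
example.edu. A
foo.example.edu MX IN +dnssec
notedu. A
example.com. A
edu. DNSKEY
"""


@dataclass
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    key: bytes

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B over the RDATA
        (flags, protocol, algorithm, public key)."""
        rdata = self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.key
        ac = 0
        for i, b in enumerate(rdata):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass
class Query:
    qname: str
    qtype: str = "A"     # default type/class are assumptions, not from the README
    qclass: str = "IN"
    flags: list[str] = field(default_factory=list)


def canon(name: str) -> str:
    """Lower-case and fully qualify a domain name."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_dnskey_file(text: str) -> list[DNSKEY]:
    """Zone-file style input; ';' comments and non-DNSKEY records are dropped.
    TTL and class are optional, so they are skipped until the type token is
    reached (this also keeps an RRSIG that merely covers DNSKEY out)."""
    keys: list[DNSKEY] = []
    for raw in text.splitlines():
        toks = raw.split(";", 1)[0].split()
        if not toks:
            continue
        owner, rest = toks[0], toks[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest.pop(0)
        if len(rest) < 5 or rest[0].upper() != "DNSKEY":
            continue
        flags, proto, alg, *key_parts = rest[1:]
        key_b64 = "".join(p for p in key_parts if p not in ("(", ")"))  # +multiline parens
        keys.append(DNSKEY(canon(owner), int(flags), int(proto), int(alg), base64.b64decode(key_b64)))
    return keys


def parse_query_file(text: str) -> list[Query]:
    """One query per line: qname [qtype] [qclass] [flags]; blank lines skipped."""
    queries = []
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        q = Query(canon(toks[0]))
        if len(toks) > 1:
            q.qtype = toks[1].upper()
        if len(toks) > 2:
            q.qclass = toks[2].upper()
        q.flags = toks[3:]
        queries.append(q)
    return queries


def is_covered(qname: str, trusted_names: list[str]) -> bool:
    """True if qname equals or is a subdomain of any trusted name, compared
    label by label so that 'notedu.' is not treated as being under 'edu.'."""
    labels = canon(qname).rstrip(".").split(".")
    for name in trusted_names:
        name = canon(name)
        if name == ".":
            return True
        tl = name.rstrip(".").split(".")
        if len(tl) <= len(labels) and labels[-len(tl):] == tl:
            return True
    return False


def select_queries(queries: list[Query], keys: list[DNSKEY]):
    """Split queries into those the tool would run and those it would skip."""
    trusted = sorted({k.owner for k in keys})
    kept = [q for q in queries if is_covered(q.qname, trusted)]
    skipped = [q for q in queries if not is_covered(q.qname, trusted)]
    return kept, skipped


if __name__ == "__main__":
    keys = parse_dnskey_file(SAMPLE_KEYS)
    for k in keys:
        print(f"trusting {k.owner} flags={k.flags} alg={k.algorithm} tag={k.key_tag()}")
    kept, skipped = select_queries(parse_query_file(SAMPLE_QUERIES), keys)
    print("run: ", [q.qname for q in kept])
    print("skip:", [q.qname for q in skipped])
```

Run as a script it prints the two trusted keys with their tags and then which of the five sample queries would be run and which skipped; swap in a real `keys` file captured with the dig commands above to check what the tool will actually consider in scope before a long query run.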
For each one of these, do a DNSKEY query to the server for that name,
and add the resultant keys to the set of trusted keys.
The query files are basically the same as those used by the
dnsreconciler tool, so similar techniques can be used to query names
out of ISFs, etc. Here is a little perl code that will generate
queries for domain.tld, domain_.tld, and nameserver.tld for "EDU"
# parse domain table lines (assumed: the domain name is the first whitespace-separated field)
while (<STDIN>) {
    ($dn) = split;
    ($dom, $tld) = split(/\./, $dn, 2);
    next if $tld ne "EDU";
    print "$dom.$tld. A\n";
    print "${dom}_.$tld. A\n";
}
# parse nameserver table lines
java -jar dnssecreconciler.jar server=a.edu-servers.net \
    query_file=queries.txt \
    error_file=dnssecreconciler_errors.log
java -jar dnssecreconciler.jar server=127.0.0.1 \