-DNSSECReconciler
-----------------
+DNSSECValTool
+-------------
This is a command line Java tool for doing DNSSEC response
validatation against a single authoritative DNS server.
-usage: java -jar dnssecreconiler.jar [..options..]
+usage: java -jar dnssecvaltool.jar [..options..]
server: the DNS server to query.
query: a name [type [flags]] string.
query_file: a list of queries, one query per line.
may repeat
error_file: write DNSSEC validation failure details to this file
-The DNSSECReconciler needs a server to query ('server'), a query or
-list of queries ('query' or 'query_file'), and a set of DNSKEYs to
-trust ('dnskey_file' or 'dnskey_query') -- these keys MUST be the ones
-used to sign everything in the responses.
+The DNSSECValTool needs a server to query ('server'), a query or list
+of queries ('query' or 'query_file'), and a set of DNSKEYs to trust
+('dnskey_file' or 'dnskey_query') -- these keys MUST be the ones used
+to sign everything in the responses.
By default it logs everything to stdout. DNSSEC validation errors
(which is most of the output) can be redirected to a file (which will
be appended to if it already exists).
-Note that the DNSSECReconciler will skip queries if the qname isn't a
+Note that the DNSSECValTool will skip queries if the qname isn't a
subdomain (or matches) the names of the DNSKEYs that have been added.
query_file
while (<>) {
# parse domain table lines
/^i A / && do {
- @fields = split();
- $dn = $fields[3];
- ($dom, $tld) = split(/\./, $dn, 2);
- next if $tld ne "EDU";
- print "$dn. A\n";
- print "${dom}_.$tld. A\n";
+ @fields = split();
+ $dn = $fields[3];
+ ($dom, $tld) = split(/\./, $dn, 2);
+ next if $tld ne "EDU";
+ print "$dn. A\n";
+ print "${dom}_.$tld. A\n";
};
# parse nameserver table lines
/^i B / && do {
- @fields = split();
- $ns = $fields[3];
- print "$ns. A\n";
+ @fields = split();
+ $ns = $fields[3];
+ print "$ns. A\n";
};
}
Examples
--------
-java -jar dnssecreconciler server=a.edu-servers.net \
+1. Query "a.edu-servers.net", fetching the .edu keys directly from
+ that server. Use queries.txt for the queries, and log all DNSSEC
+ validation failures to 'dnssecvaltool_errors.log'.
+
+java -jar dnssecvaltool.jar server=a.edu-servers.net \
dnskey_query=edu \
query_file=queries.txt \
- error_file=dnssecreconciler_errors.log
+ error_file=dnssecvaltool_errors.log
+
+2. Query localhost with a single query for edu/soa, using stored keys
+ in the file 'keys'. Validation failures will be logged to stdout.
-java -jar dnssecreconciler.jar server=127.0.0.1 \
+java -jar dnssecvaltool.jar server=127.0.0.1 \
dnskey_file=keys \
query="edu soa"
-
+3. Query "a.gov-servers.net", fetching the .gov keys directly from
+ that server, then query for nasa.gov/A.
+
+java -jar dnssecvaltool.jar server=a.gov-servers.net \
+ dnskey_query=gov \
+ query="nasa.gov a"
git://blacka.com / captive-validator.git / blobdiff