--- /dev/null
+DNSSECReconciler
+----------------
+
+This is a command line Java tool for doing DNSSEC response
+validatation against a single authoritative DNS server.
+
+usage: java -jar dnssecreconiler.jar [..options..]
+ server: the DNS server to query.
+ query: a name [type [flags]] string.
+ query_file: a list of queries, one query per line.
+ count: send up to'count' queries, then stop.
+ dnskey_file: a file containing DNSKEY RRs to trust.
+ dnskey_query: query 'server' for DNSKEY at given name to trust,
+ may repeat
+ error_file: write DNSSEC validation failure details to this file
+
+The DNSSECReconciler needs a server to query ('server'), a query or
+list of queries ('query' or 'query_file'), and a set of DNSKEYs to
+trust ('dnskey_file' or 'dnskey_query') -- these keys MUST be the ones
+used to sign everything in the responses.
+
+By default it logs everything to stdout. DNSSEC validation errors
+(which is most of the output) can be redirected to a file (which will
+be appended to if it already exists).
+
+Note that the DNSSECReconciler will skip queries if the qname isn't a
+subdomain (or matches) the names of the DNSKEYs that have been added.
+
+query_file
+----------
+
+This is a file of one query per line, with a query formatted as:
+
+ qname [qtype] [qclass] [flags]
+
+For example:
+
+ pietbarber.com ns +ad
+ blacka.com a IN +do
+ verisign.com
+
+The DO bit is redundant since all queries will be made with the DO bit
+set.
+
+Note: at the moment, flags are ignored.
+
+dnskey_file
+-----------
+
+The is a list of DNSKEYs in zone file format. It will ignore zone
+file comments and non-DNSKEY records, so you can just use dig output:
+
+ dig @0 edu dnskey +dnssec > keys
+ dig @0 net dnskey +dnssec >> keys
+
+dnskey_query
+------------
+
+For each one of these, do a DNSKEY query to the server for that name,
+and add the resultant keys to the set of trusted keys.
+
+Generating Queries
+------------------
+
+The query files are basically the same as those used by the
+dnsreconciler tool, so similar techniques can be used to query names
+out of ISFs, etc. Here is a little perl code that will generate
+queries for domain.tld, domain_.tld, and nameserver.tld for "EDU"
+only:
+
+#! /usr/bin/perl
+
+while (<>) {
+ # parse domain table lines
+ /^i A / && do {
+ @fields = split();
+ $dn = $fields[3];
+ ($dom, $tld) = split(/\./, $dn, 2);
+ next if $tld ne "EDU";
+ print "$dn. A\n";
+ print "${dom}_.$tld. A\n";
+ };
+ # parse nameserver table lines
+ /^i B / && do {
+ @fields = split();
+ $ns = $fields[3];
+ print "$ns. A\n";
+ };
+}
+
+Examples
+--------
+
+java -jar dnssecreconciler server=a.edu-servers.net \
+ dnskey_query=edu \
+ query_file=queries.txt \
+ error_file=dnssecreconciler_errors.log
+
+java -jar dnssecreconciler.jar server=127.0.0.1 \
+ dnskey_file=keys \
+ query="edu soa"
+
+
<zipfileset src="${lib.dir}/dnsjava-2.0.8-vrsn-2.jar" />
<zipfileset src="${lib.dir}/log4j-1.2.15.jar" />
- <zipfileset dir="${lib.dir}" prefix="lib" includes="**/*.properties" />
<manifest>
<attribute name="Main-Class"
value="com.verisign.cl.DNSSECReconciler" />
</javadoc>
</target>
+ <target name="dist" depends="usage,jar">
+ <tar destfile="dnssecreconciler-${version}.tar.gz"
+ compression="gzip">
+ <tarfileset dir="${build.lib.dest}"
+ prefix="dnssecreconciler-${version}"
+ includes="*.jar" />
+ <tarfileset dir="."
+ prefix="dnssecreconciler-${version}"
+ includes="README" />
+ </tar>
+ </target>
<target name="clean" depends="usage">
<delete dir="${build.dest}" />
import java.net.SocketTimeoutException;
import java.util.*;
-import org.apache.log4j.PropertyConfigurator;
+import org.apache.log4j.BasicConfigurator;
import org.xbill.DNS.*;
import com.verisign.tat.dnssec.CaptiveValidator;
private static void usage() {
System.err.println("usage: java -jar dnssecreconiler.jar [..options..]");
- System.err.println(" server: the DNS server to query.");
- System.err.println(" query: a name [type [flags]] string.");
- System.err.println(" query_file: a list of queries, one query per line.");
- System.err.println(" count: send up to'count' queries, then stop.");
- System.err.println(" dnskey_file: a file containing DNSKEY RRs to trust.");
- System.err.println(" dnskey_query: query 'server' for DNSKEY at given name to trust, may repeat");
- System.err.println(" error_file: write DNSSEC validation failure details to this file");
+ System.err.println(" server: the DNS server to query.");
+ System.err.println(" query: a name [type [flags]] string.");
+ System.err.println(" query_file: a list of queries, one query per line.");
+ System.err.println(" count: send up to'count' queries, then stop.");
+ System.err.println(" dnskey_file: a file containing DNSKEY RRs to trust.");
+ System.err.println(" dnskey_query: query 'server' for DNSKEY at given name to trust, may repeat.");
+ System.err.println(" error_file: write DNSSEC validation failure details to this file.");
}
public static void main(String[] argv) {
- PropertyConfigurator.configure("lib/log4j.properties");
+ // Set up Log4J to just log to console.
+ BasicConfigurator.configure();
DNSSECReconciler dr = new DNSSECReconciler();
git://blacka.com / captive-validator.git / commitdiff