From f875a3d4bfdf4e86655ed0ab3f5adbe0c9ad070f Mon Sep 17 00:00:00 2001 From: davidb Date: Thu, 10 Jun 2010 16:03:08 -0400 Subject: [PATCH] Add README and VERSION; try again to shut up log4j; slightly nicer usage --- README | 103 ++++++++++++++++++++++ VERSION | 1 + build.xml | 12 ++- src/com/verisign/cl/DNSSECReconciler.java | 19 ++-- 4 files changed, 125 insertions(+), 10 deletions(-) create mode 100644 README create mode 100644 VERSION diff --git a/README b/README new file mode 100644 index 0000000..96800c9 --- /dev/null +++ b/README @@ -0,0 +1,103 @@ +DNSSECReconciler +---------------- + +This is a command line Java tool for doing DNSSEC response +validatation against a single authoritative DNS server. + +usage: java -jar dnssecreconiler.jar [..options..] + server: the DNS server to query. + query: a name [type [flags]] string. + query_file: a list of queries, one query per line. + count: send up to'count' queries, then stop. + dnskey_file: a file containing DNSKEY RRs to trust. + dnskey_query: query 'server' for DNSKEY at given name to trust, + may repeat + error_file: write DNSSEC validation failure details to this file + +The DNSSECReconciler needs a server to query ('server'), a query or +list of queries ('query' or 'query_file'), and a set of DNSKEYs to +trust ('dnskey_file' or 'dnskey_query') -- these keys MUST be the ones +used to sign everything in the responses. + +By default it logs everything to stdout. DNSSEC validation errors +(which is most of the output) can be redirected to a file (which will +be appended to if it already exists). + +Note that the DNSSECReconciler will skip queries if the qname isn't a +subdomain (or matches) the names of the DNSKEYs that have been added. + +query_file +---------- + +This is a file of one query per line, with a query formatted as: + + qname [qtype] [qclass] [flags] + +For example: + + pietbarber.com ns +ad + blacka.com a IN +do + verisign.com + +The DO bit is redundant since all queries will be made with the DO bit +set. + +Note: at the moment, flags are ignored. + +dnskey_file +----------- + +The is a list of DNSKEYs in zone file format. It will ignore zone +file comments and non-DNSKEY records, so you can just use dig output: + + dig @0 edu dnskey +dnssec > keys + dig @0 net dnskey +dnssec >> keys + +dnskey_query +------------ + +For each one of these, do a DNSKEY query to the server for that name, +and add the resultant keys to the set of trusted keys. + +Generating Queries +------------------ + +The query files are basically the same as those used by the +dnsreconciler tool, so similar techniques can be used to query names +out of ISFs, etc. Here is a little perl code that will generate +queries for domain.tld, domain_.tld, and nameserver.tld for "EDU" +only: + +#! /usr/bin/perl + +while (<>) { + # parse domain table lines + /^i A / && do { + @fields = split(); + $dn = $fields[3]; + ($dom, $tld) = split(/\./, $dn, 2); + next if $tld ne "EDU"; + print "$dn. A\n"; + print "${dom}_.$tld. A\n"; + }; + # parse nameserver table lines + /^i B / && do { + @fields = split(); + $ns = $fields[3]; + print "$ns. A\n"; + }; +} + +Examples +-------- + +java -jar dnssecreconciler server=a.edu-servers.net \ + dnskey_query=edu \ + query_file=queries.txt \ + error_file=dnssecreconciler_errors.log + +java -jar dnssecreconciler.jar server=127.0.0.1 \ + dnskey_file=keys \ + query="edu soa" + + diff --git a/VERSION b/VERSION new file mode 100644 index 0000000..aef125e --- /dev/null +++ b/VERSION @@ -0,0 +1 @@ +version=1.0.0 diff --git a/build.xml b/build.xml index 9723e53..a592635 100644 --- a/build.xml +++ b/build.xml @@ -45,7 +45,6 @@ - @@ -67,6 +66,17 @@ + + + + + + diff --git a/src/com/verisign/cl/DNSSECReconciler.java b/src/com/verisign/cl/DNSSECReconciler.java index 64a3f05..5405a34 100644 --- a/src/com/verisign/cl/DNSSECReconciler.java +++ b/src/com/verisign/cl/DNSSECReconciler.java @@ -4,7 +4,7 @@ import java.io.*; import java.net.SocketTimeoutException; import java.util.*; -import org.apache.log4j.PropertyConfigurator; +import org.apache.log4j.BasicConfigurator; import org.xbill.DNS.*; import com.verisign.tat.dnssec.CaptiveValidator; @@ -271,18 +271,19 @@ public class DNSSECReconciler { private static void usage() { System.err.println("usage: java -jar dnssecreconiler.jar [..options..]"); - System.err.println(" server: the DNS server to query."); - System.err.println(" query: a name [type [flags]] string."); - System.err.println(" query_file: a list of queries, one query per line."); - System.err.println(" count: send up to'count' queries, then stop."); - System.err.println(" dnskey_file: a file containing DNSKEY RRs to trust."); - System.err.println(" dnskey_query: query 'server' for DNSKEY at given name to trust, may repeat"); - System.err.println(" error_file: write DNSSEC validation failure details to this file"); + System.err.println(" server: the DNS server to query."); + System.err.println(" query: a name [type [flags]] string."); + System.err.println(" query_file: a list of queries, one query per line."); + System.err.println(" count: send up to'count' queries, then stop."); + System.err.println(" dnskey_file: a file containing DNSKEY RRs to trust."); + System.err.println(" dnskey_query: query 'server' for DNSKEY at given name to trust, may repeat."); + System.err.println(" error_file: write DNSSEC validation failure details to this file."); } public static void main(String[] argv) { - PropertyConfigurator.configure("lib/log4j.properties"); + // Set up Log4J to just log to console. + BasicConfigurator.configure(); DNSSECReconciler dr = new DNSSECReconciler(); -- 2.36.6