Add README and VERSION; try again to shut up log4j; slightly nicer usage

README

@@ -0,0 +1,103 @@
+DNSSECReconciler
+----------------
+
+This is a command line Java tool for doing DNSSEC response
+validatation against a single authoritative DNS server.
+
+usage: java -jar dnssecreconiler.jar [..options..]
+       server:       the DNS server to query.
+       query:        a name [type [flags]] string.
+       query_file:   a list of queries, one query per line.
+       count:        send up to'count' queries, then stop.
+       dnskey_file:  a file containing DNSKEY RRs to trust.
+       dnskey_query: query 'server' for DNSKEY at given name to trust,
+                     may repeat
+       error_file:   write DNSSEC validation failure details to this file
+
+The DNSSECReconciler needs a server to query ('server'), a query or
+list of queries ('query' or 'query_file'), and a set of DNSKEYs to
+trust ('dnskey_file' or 'dnskey_query') -- these keys MUST be the ones
+used to sign everything in the responses.
+
+By default it logs everything to stdout.  DNSSEC validation errors
+(which is most of the output) can be redirected to a file (which will
+be appended to if it already exists).
+
+Note that the DNSSECReconciler will skip queries if the qname isn't a
+subdomain (or matches) the names of the DNSKEYs that have been added.
+
+query_file
+----------
+
+This is a file of one query per line, with a query formatted as:
+
+  qname [qtype] [qclass] [flags]
+
+For example:
+
+  pietbarber.com ns +ad
+  blacka.com a IN +do
+  verisign.com
+
+The DO bit is redundant since all queries will be made with the DO bit
+set.
+
+Note: at the moment, flags are ignored.
+
+dnskey_file
+-----------
+
+The is a list of DNSKEYs in zone file format.  It will ignore zone
+file comments and non-DNSKEY records, so you can just use dig output:
+
+   dig @0 edu dnskey +dnssec > keys
+   dig @0 net dnskey +dnssec >> keys
+
+dnskey_query
+------------
+
+For each one of these, do a DNSKEY query to the server for that name,
+and add the resultant keys to the set of trusted keys.
+
+Generating Queries
+------------------
+
+The query files are basically the same as those used by the
+dnsreconciler tool, so similar techniques can be used to query names
+out of ISFs, etc.  Here is a little perl code that will generate
+queries for domain.tld, domain_.tld, and nameserver.tld for "EDU"
+only:
+
+#! /usr/bin/perl
+
+while (<>) {
+    # parse domain table lines
+    /^i A / && do {
+	@fields = split();
+	$dn = $fields[3];
+	($dom, $tld) = split(/\./, $dn, 2);
+	next if $tld ne "EDU";
+	print "$dn. A\n";
+	print "${dom}_.$tld. A\n";
+    };
+    # parse nameserver table lines
+    /^i B / && do {
+	@fields = split();
+	$ns = $fields[3];
+	print "$ns. A\n";
+    };
+}
+
+Examples
+--------
+
+java -jar dnssecreconciler server=a.edu-servers.net \
+     dnskey_query=edu \
+     query_file=queries.txt \
+     error_file=dnssecreconciler_errors.log 
+
+java -jar dnssecreconciler.jar server=127.0.0.1 \
+     dnskey_file=keys \
+     query="edu soa"
+
+     

VERSION

@@ -0,0 +1 @@
+version=1.0.0

build.xml

@@ -45,7 +45,6 @@
 
       <zipfileset src="${lib.dir}/dnsjava-2.0.8-vrsn-2.jar" />
       <zipfileset src="${lib.dir}/log4j-1.2.15.jar" />
-      <zipfileset dir="${lib.dir}" prefix="lib" includes="**/*.properties" />
       <manifest>
         <attribute name="Main-Class"
                    value="com.verisign.cl.DNSSECReconciler" />
@@ -67,6 +66,17 @@
     </javadoc>
   </target>
 
+  <target name="dist" depends="usage,jar">
+    <tar destfile="dnssecreconciler-${version}.tar.gz"
+         compression="gzip">
+      <tarfileset dir="${build.lib.dest}"
+               prefix="dnssecreconciler-${version}"
+               includes="*.jar" />
+      <tarfileset dir="." 
+               prefix="dnssecreconciler-${version}"
+               includes="README" />
+    </tar>
+  </target>
 
   <target name="clean" depends="usage">
     <delete dir="${build.dest}" />

src/com/verisign/cl/DNSSECReconciler.java

@@ -4,7 +4,7 @@ import java.io.*;
 import java.net.SocketTimeoutException;
 import java.util.*;
 
-import org.apache.log4j.PropertyConfigurator;
+import org.apache.log4j.BasicConfigurator;
 import org.xbill.DNS.*;
 
 import com.verisign.tat.dnssec.CaptiveValidator;
@@ -271,18 +271,19 @@ public class DNSSECReconciler {
 
     private static void usage() {
         System.err.println("usage: java -jar dnssecreconiler.jar [..options..]");
-        System.err.println("       server: the DNS server to query.");
-        System.err.println("       query: a name [type [flags]] string.");
-        System.err.println("       query_file: a list of queries, one query per line.");
-        System.err.println("       count: send up to'count' queries, then stop.");
-        System.err.println("       dnskey_file: a file containing DNSKEY RRs to trust.");
-        System.err.println("       dnskey_query: query 'server' for DNSKEY at given name to trust, may repeat");
-        System.err.println("       error_file: write DNSSEC validation failure details to this file");
+        System.err.println("       server:       the DNS server to query.");
+        System.err.println("       query:        a name [type [flags]] string.");
+        System.err.println("       query_file:   a list of queries, one query per line.");
+        System.err.println("       count:        send up to'count' queries, then stop.");
+        System.err.println("       dnskey_file:  a file containing DNSKEY RRs to trust.");
+        System.err.println("       dnskey_query: query 'server' for DNSKEY at given name to trust, may repeat.");
+        System.err.println("       error_file:   write DNSSEC validation failure details to this file.");
     }
 
     public static void main(String[] argv) {
 
-        PropertyConfigurator.configure("lib/log4j.properties");
+        // Set up Log4J to just log to console.
+        BasicConfigurator.configure();
 
         DNSSECReconciler dr = new DNSSECReconciler();