diff --git a/README b/README
new file mode 100644
index 0000000..96800c9
--- /dev/null
+++ b/README
@@ -0,0 +1,103 @@
+DNSSECReconciler
+----------------
+
+This is a command line Java tool for doing DNSSEC response
+validatation against a single authoritative DNS server.
+
+usage: java -jar dnssecreconiler.jar [..options..]
+ server: the DNS server to query.
+ query: a name [type [flags]] string.
+ query_file: a list of queries, one query per line.
+ count: send up to'count' queries, then stop.
+ dnskey_file: a file containing DNSKEY RRs to trust.
+ dnskey_query: query 'server' for DNSKEY at given name to trust,
+ may repeat
+ error_file: write DNSSEC validation failure details to this file
+
+The DNSSECReconciler needs a server to query ('server'), a query or
+list of queries ('query' or 'query_file'), and a set of DNSKEYs to
+trust ('dnskey_file' or 'dnskey_query') -- these keys MUST be the ones
+used to sign everything in the responses.
+
+By default it logs everything to stdout. DNSSEC validation errors
+(which is most of the output) can be redirected to a file (which will
+be appended to if it already exists).
+
+Note that the DNSSECReconciler will skip queries if the qname isn't a
+subdomain (or matches) the names of the DNSKEYs that have been added.
+
+query_file
+----------
+
+This is a file of one query per line, with a query formatted as:
+
+ qname [qtype] [qclass] [flags]
+
+For example:
+
+ pietbarber.com ns +ad
+ blacka.com a IN +do
+ verisign.com
+
+The DO bit is redundant since all queries will be made with the DO bit
+set.
+
+Note: at the moment, flags are ignored.
+
+dnskey_file
+-----------
+
+The is a list of DNSKEYs in zone file format. It will ignore zone
+file comments and non-DNSKEY records, so you can just use dig output:
+
+ dig @0 edu dnskey +dnssec > keys
+ dig @0 net dnskey +dnssec >> keys
+
+dnskey_query
+------------
+
+For each one of these, do a DNSKEY query to the server for that name,
+and add the resultant keys to the set of trusted keys.
+
+Generating Queries
+------------------
+
+The query files are basically the same as those used by the
+dnsreconciler tool, so similar techniques can be used to query names
+out of ISFs, etc. Here is a little perl code that will generate
+queries for domain.tld, domain_.tld, and nameserver.tld for "EDU"
+only:
+
+#! /usr/bin/perl
+
+while (<>) {
+ # parse domain table lines
+ /^i A / && do {
+ @fields = split();
+ $dn = $fields[3];
+ ($dom, $tld) = split(/\./, $dn, 2);
+ next if $tld ne "EDU";
+ print "$dn. A\n";
+ print "${dom}_.$tld. A\n";
+ };
+ # parse nameserver table lines
+ /^i B / && do {
+ @fields = split();
+ $ns = $fields[3];
+ print "$ns. A\n";
+ };
+}
+
+Examples
+--------
+
+java -jar dnssecreconciler server=a.edu-servers.net \
+ dnskey_query=edu \
+ query_file=queries.txt \
+ error_file=dnssecreconciler_errors.log
+
+java -jar dnssecreconciler.jar server=127.0.0.1 \
+ dnskey_file=keys \
+ query="edu soa"
+
+
diff --git a/VERSION b/VERSION
new file mode 100644
index 0000000..aef125e
--- /dev/null
+++ b/VERSION
@@ -0,0 +1 @@
+version=1.0.0
diff --git a/build.xml b/build.xml
index 9723e53..a592635 100644
--- a/build.xml
+++ b/build.xml
@@ -45,7 +45,6 @@
-
@@ -67,6 +66,17 @@
+
+
+
+
+
+
diff --git a/src/com/verisign/cl/DNSSECReconciler.java b/src/com/verisign/cl/DNSSECReconciler.java
index 64a3f05..5405a34 100644
--- a/src/com/verisign/cl/DNSSECReconciler.java
+++ b/src/com/verisign/cl/DNSSECReconciler.java
@@ -4,7 +4,7 @@ import java.io.*;
import java.net.SocketTimeoutException;
import java.util.*;
-import org.apache.log4j.PropertyConfigurator;
+import org.apache.log4j.BasicConfigurator;
import org.xbill.DNS.*;
import com.verisign.tat.dnssec.CaptiveValidator;
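Review bot: The replacement import still comes from `org.apache.log4j`, i.e. log4j 1.x, which is end-of-life and no longer receives security fixes, so swapping its configuration entry point is the natural moment to move to a maintained logging API rather than to another 1.x class. As used in the `main()` hunk further down (`BasicConfigurator.configure()`), the root logger is presumably left at log4j 1.x's default DEBUG threshold with only a console appender, so debug output from every library on the classpath, likely including whatever the `org.xbill.DNS` code logs about queries and responses, now lands on stdout; if that is the intent, a comment such as `// BasicConfigurator: root logger at DEBUG, console appender only; lib/log4j.properties is no longer read` next to the call would record it. Dropping `PropertyConfigurator` also removes the external `lib/log4j.properties` knob that deployments may have relied on for a quieter level or a file appender, which is worth a sentence in the README so operators know `error_file` is now the only way to redirect output.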
@@ -271,18 +271,19 @@ public class DNSSECReconciler {
private static void usage() {
System.err.println("usage: java -jar dnssecreconiler.jar [..options..]");
- System.err.println(" server: the DNS server to query.");
- System.err.println(" query: a name [type [flags]] string.");
- System.err.println(" query_file: a list of queries, one query per line.");
- System.err.println(" count: send up to'count' queries, then stop.");
- System.err.println(" dnskey_file: a file containing DNSKEY RRs to trust.");
- System.err.println(" dnskey_query: query 'server' for DNSKEY at given name to trust, may repeat");
- System.err.println(" error_file: write DNSSEC validation failure details to this file");
+ System.err.println(" server: the DNS server to query.");
+ System.err.println(" query: a name [type [flags]] string.");
+ System.err.println(" query_file: a list of queries, one query per line.");
+ System.err.println(" count: send up to'count' queries, then stop.");
+ System.err.println(" dnskey_file: a file containing DNSKEY RRs to trust.");
+ System.err.println(" dnskey_query: query 'server' for DNSKEY at given name to trust, may repeat.");
+ System.err.println(" error_file: write DNSSEC validation failure details to this file.");
}
public static void main(String[] argv) {
- PropertyConfigurator.configure("lib/log4j.properties");
+ // Set up Log4J to just log to console.
+ BasicConfigurator.configure();
DNSSECReconciler dr = new DNSSECReconciler();