Add README and VERSION; try again to shut up log4j; slightly nicer usage

2010-06-10 16:03:08 -04:00
parent 7a15f36b17
commit f875a3d4bf
4 changed files with 125 additions and 10 deletions
--- a/103
+++ b/103
@@ -0,0 +1,103 @@
+DNSSECReconciler
+----------------
+
+This is a command line Java tool for doing DNSSEC response
+validatation against a single authoritative DNS server.
+
+usage: java -jar dnssecreconiler.jar [..options..]
+       server:       the DNS server to query.
+       query:        a name [type [flags]] string.
+       query_file:   a list of queries, one query per line.
+       count:        send up to'count' queries, then stop.
+       dnskey_file:  a file containing DNSKEY RRs to trust.
+       dnskey_query: query 'server' for DNSKEY at given name to trust,
+                     may repeat
+       error_file:   write DNSSEC validation failure details to this file
+
+The DNSSECReconciler needs a server to query ('server'), a query or
+list of queries ('query' or 'query_file'), and a set of DNSKEYs to
+trust ('dnskey_file' or 'dnskey_query') -- these keys MUST be the ones
+used to sign everything in the responses.
+
+By default it logs everything to stdout.  DNSSEC validation errors
+(which is most of the output) can be redirected to a file (which will
+be appended to if it already exists).
+
+Note that the DNSSECReconciler will skip queries if the qname isn't a
+subdomain (or matches) the names of the DNSKEYs that have been added.
+
+query_file
+----------
+
+This is a file of one query per line, with a query formatted as:
+
+  qname [qtype] [qclass] [flags]
+
+For example:
+
+  pietbarber.com ns +ad
+  blacka.com a IN +do
+  verisign.com
+
+The DO bit is redundant since all queries will be made with the DO bit
+set.
+
+Note: at the moment, flags are ignored.
+
+dnskey_file
+-----------
+
+The is a list of DNSKEYs in zone file format.  It will ignore zone
+file comments and non-DNSKEY records, so you can just use dig output:
+
+   dig @0 edu dnskey +dnssec > keys
+   dig @0 net dnskey +dnssec >> keys
+
+dnskey_query
+------------
+
+For each one of these, do a DNSKEY query to the server for that name,
+and add the resultant keys to the set of trusted keys.
+
+Generating Queries
+------------------
+
+The query files are basically the same as those used by the
+dnsreconciler tool, so similar techniques can be used to query names
+out of ISFs, etc.  Here is a little perl code that will generate
+queries for domain.tld, domain_.tld, and nameserver.tld for "EDU"
+only:
+
+#! /usr/bin/perl
+
+while (<>) {
+    # parse domain table lines
+    /^i A / && do {
+	@fields = split();
+	$dn = $fields[3];
+	($dom, $tld) = split(/\./, $dn, 2);
+	next if $tld ne "EDU";
+	print "$dn. A\n";
+	print "${dom}_.$tld. A\n";
+    };
+    # parse nameserver table lines
+    /^i B / && do {
+	@fields = split();
+	$ns = $fields[3];
+	print "$ns. A\n";
+    };
+}
+
+Examples
+--------
+
+java -jar dnssecreconciler server=a.edu-servers.net \
+     dnskey_query=edu \
+     query_file=queries.txt \
+     error_file=dnssecreconciler_errors.log 
+
+java -jar dnssecreconciler.jar server=127.0.0.1 \
+     dnskey_file=keys \
+     query="edu soa"
+
+