Add README and VERSION; try again to shut up log4j; slightly nicer usage

davidb 2010-06-10 16:03:08 -04:00
parent 7a15f36b17
commit f875a3d4bf
4 changed files with 125 additions and 10 deletions

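--- /dev/null
+++ b/README
@@ -0,0 +1,103 @@
+DNSSECReconciler
+----------------
+This is a command line Java tool for doing DNSSEC response
+validatation against a single authoritative DNS server.
+usage: java -jar dnssecreconiler.jar [..options..]
+server: the DNS server to query.
+query: a name [type [flags]] string.
+query_file: a list of queries, one query per line.
+count: send up to'count' queries, then stop.
+dnskey_file: a file containing DNSKEY RRs to trust.
+dnskey_query: query 'server' for DNSKEY at given name to trust,
+may repeat
+error_file: write DNSSEC validation failure details to this file
+The DNSSECReconciler needs a server to query ('server'), a query or
+list of queries ('query' or 'query_file'), and a set of DNSKEYs to
+trust ('dnskey_file' or 'dnskey_query') -- these keys MUST be the ones
+used to sign everything in the responses.
+By default it logs everything to stdout. DNSSEC validation errors
+(which is most of the output) can be redirected to a file (which will
+be appended to if it already exists).
+Note that the DNSSECReconciler will skip queries if the qname isn't a
+subdomain (or matches) the names of the DNSKEYs that have been added.
+query_file
+----------
+This is a file of one query per line, with a query formatted as:
+qname [qtype] [qclass] [flags]
+For example:
+pietbarber.com ns +ad
+blacka.com a IN +do
+verisign.com
+The DO bit is redundant since all queries will be made with the DO bit
+set.
+Note: at the moment, flags are ignored.
+dnskey_file
+-----------
+The is a list of DNSKEYs in zone file format. It will ignore zone
+file comments and non-DNSKEY records, so you can just use dig output:
+dig @0 edu dnskey +dnssec > keys
+dig @0 net dnskey +dnssec >> keys
+dnskey_query
+------------
+For each one of these, do a DNSKEY query to the server for that name,
+and add the resultant keys to the set of trusted keys.
+Generating Queries
+------------------
+The query files are basically the same as those used by the
+dnsreconciler tool, so similar techniques can be used to query names
+out of ISFs, etc. Here is a little perl code that will generate
+queries for domain.tld, domain_.tld, and nameserver.tld for "EDU"
+only:
+#! /usr/bin/perl
+while (<>) {
+# parse domain table lines
+/^i A / && do {
+@fields = split();
+$dn = $fields[3];
+($dom, $tld) = split(/\./, $dn, 2);
+next if $tld ne "EDU";
+print "$dn. A\n";
+print "${dom}_.$tld. A\n";
+};
+# parse nameserver table lines
+/^i B / && do {
+@fields = split();
+$ns = $fields[3];
+print "$ns. A\n";
+};
+}
+Examples
+--------
+java -jar dnssecreconciler server=a.edu-servers.net \
+dnskey_query=edu \
+query_file=queries.txt \
+error_file=dnssecreconciler_errors.log
+java -jar dnssecreconciler.jar server=127.0.0.1 \
+dnskey_file=keys \
+query="edu soa"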

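--- /dev/null
+++ b/VERSION
@@ -0,0 +1 @@
+version=1.0.0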


@ -45,7 +45,6 @@
<zipfileset src="${lib.dir}/dnsjava-2.0.8-vrsn-2.jar" /> <zipfileset src="${lib.dir}/dnsjava-2.0.8-vrsn-2.jar" />
<zipfileset src="${lib.dir}/log4j-1.2.15.jar" /> <zipfileset src="${lib.dir}/log4j-1.2.15.jar" />
<zipfileset dir="${lib.dir}" prefix="lib" includes="**/*.properties" />
<manifest> <manifest>
<attribute name="Main-Class" <attribute name="Main-Class"
value="com.verisign.cl.DNSSECReconciler" /> value="com.verisign.cl.DNSSECReconciler" />
@ -67,6 +66,17 @@
</javadoc> </javadoc>
</target> </target>
<target name="dist" depends="usage,jar">
<tar destfile="dnssecreconciler-${version}.tar.gz"
compression="gzip">
<tarfileset dir="${build.lib.dest}"
prefix="dnssecreconciler-${version}"
includes="*.jar" />
<tarfileset dir="."
prefix="dnssecreconciler-${version}"
includes="README" />
</tar>
</target>
<target name="clean" depends="usage"> <target name="clean" depends="usage">
<delete dir="${build.dest}" /> <delete dir="${build.dest}" />
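Review bot: The new `dist` target names both the archive and the tar prefix with `${version}`, but nothing in these two hunks defines that property; unless the build file already has a `<property file="VERSION"/>` somewhere outside this view (the new VERSION file is in `key=value` form, which suggests that is the intent), Ant leaves the reference unexpanded and writes a file literally called `dnssecreconciler-${version}.tar.gz`. Adding `<property file="VERSION"/>` near the top of the build file resolves it, and it is worth checking that the third build.xml hunk the diffstat implies is not the one that already does this. A short comment on the target would also help the next reader tie the two hunks together, e.g. `<!-- Ship only the fat jar and README; lib/*.properties is no longer bundled because log4j is configured in code. -->`, since on its own the removal of the properties zipfileset reads like a packaging regression.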


@ -4,7 +4,7 @@ import java.io.*;
import java.net.SocketTimeoutException; import java.net.SocketTimeoutException;
import java.util.*; import java.util.*;
import org.apache.log4j.PropertyConfigurator; import org.apache.log4j.BasicConfigurator;
import org.xbill.DNS.*; import org.xbill.DNS.*;
import com.verisign.tat.dnssec.CaptiveValidator; import com.verisign.tat.dnssec.CaptiveValidator;
@ -276,13 +276,14 @@ public class DNSSECReconciler {
System.err.println(" query_file: a list of queries, one query per line."); System.err.println(" query_file: a list of queries, one query per line.");
System.err.println(" count: send up to'count' queries, then stop."); System.err.println(" count: send up to'count' queries, then stop.");
System.err.println(" dnskey_file: a file containing DNSKEY RRs to trust."); System.err.println(" dnskey_file: a file containing DNSKEY RRs to trust.");
System.err.println(" dnskey_query: query 'server' for DNSKEY at given name to trust, may repeat"); System.err.println(" dnskey_query: query 'server' for DNSKEY at given name to trust, may repeat.");
System.err.println(" error_file: write DNSSEC validation failure details to this file"); System.err.println(" error_file: write DNSSEC validation failure details to this file.");
} }
public static void main(String[] argv) { public static void main(String[] argv) {
PropertyConfigurator.configure("lib/log4j.properties"); // Set up Log4J to just log to console.
BasicConfigurator.configure();
DNSSECReconciler dr = new DNSSECReconciler(); DNSSECReconciler dr = new DNSSECReconciler();
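Review bot: The new `BasicConfigurator.configure()` call at the top of `main` does silence log4j's "no appenders could be found" warning, but it attaches a console appender to the root logger, whose default level in log4j 1.2 is DEBUG, so every debug and info message from dnsjava or the validator now goes to System.out, interleaved with the tool's own stdout output — closer to the opposite of "shut up log4j". Adding a threshold right after it, `org.apache.log4j.Logger.getRootLogger().setLevel(org.apache.log4j.Level.WARN);`, keeps only warnings and errors; I cannot see from this hunk which levels the validator logs at, so pick the level to match. The replacement comment could also say why the properties file went away, e.g. `// Console appender on root; no log4j.properties needs to ship inside the jar.`. The body of `main` continues past the end of this hunk.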