Go to file
2010-06-10 16:03:08 -04:00
.settings add error_file, count options; configure log4j so it stops whining; eclipse formatting madness 2010-06-10 14:54:39 -04:00
lib add error_file, count options; configure log4j so it stops whining; eclipse formatting madness 2010-06-10 14:54:39 -04:00
src/com/verisign Add README and VERSION; try again to shut up log4j; slightly nicer usage 2010-06-10 16:03:08 -04:00
.gitignore work in progress -- doesn't all compile yet, but it is starting to take shape 2009-04-19 13:56:34 -04:00
build.xml Add README and VERSION; try again to shut up log4j; slightly nicer usage 2010-06-10 16:03:08 -04:00
README Add README and VERSION; try again to shut up log4j; slightly nicer usage 2010-06-10 16:03:08 -04:00
TODO add some expanded TODO notes 2009-04-19 21:05:56 -04:00
VERSION Add README and VERSION; try again to shut up log4j; slightly nicer usage 2010-06-10 16:03:08 -04:00

DNSSECReconciler
----------------

This is a command line Java tool for doing DNSSEC response
validatation against a single authoritative DNS server.

usage: java -jar dnssecreconiler.jar [..options..]
       server:       the DNS server to query.
       query:        a name [type [flags]] string.
       query_file:   a list of queries, one query per line.
       count:        send up to'count' queries, then stop.
       dnskey_file:  a file containing DNSKEY RRs to trust.
       dnskey_query: query 'server' for DNSKEY at given name to trust,
                     may repeat
       error_file:   write DNSSEC validation failure details to this file

The DNSSECReconciler needs a server to query ('server'), a query or
list of queries ('query' or 'query_file'), and a set of DNSKEYs to
trust ('dnskey_file' or 'dnskey_query') -- these keys MUST be the ones
used to sign everything in the responses.

By default it logs everything to stdout.  DNSSEC validation errors
(which is most of the output) can be redirected to a file (which will
be appended to if it already exists).

Note that the DNSSECReconciler will skip queries if the qname isn't a
subdomain (or matches) the names of the DNSKEYs that have been added.

query_file
----------

This is a file of one query per line, with a query formatted as:

  qname [qtype] [qclass] [flags]

For example:

  pietbarber.com ns +ad
  blacka.com a IN +do
  verisign.com

The DO bit is redundant since all queries will be made with the DO bit
set.

Note: at the moment, flags are ignored.

dnskey_file
-----------

The is a list of DNSKEYs in zone file format.  It will ignore zone
file comments and non-DNSKEY records, so you can just use dig output:

   dig @0 edu dnskey +dnssec > keys
   dig @0 net dnskey +dnssec >> keys

dnskey_query
------------

For each one of these, do a DNSKEY query to the server for that name,
and add the resultant keys to the set of trusted keys.

Generating Queries
------------------

The query files are basically the same as those used by the
dnsreconciler tool, so similar techniques can be used to query names
out of ISFs, etc.  Here is a little perl code that will generate
queries for domain.tld, domain_.tld, and nameserver.tld for "EDU"
only:

#! /usr/bin/perl

while (<>) {
    # parse domain table lines
    /^i A / && do {
	@fields = split();
	$dn = $fields[3];
	($dom, $tld) = split(/\./, $dn, 2);
	next if $tld ne "EDU";
	print "$dn. A\n";
	print "${dom}_.$tld. A\n";
    };
    # parse nameserver table lines
    /^i B / && do {
	@fields = split();
	$ns = $fields[3];
	print "$ns. A\n";
    };
}

Examples
--------

java -jar dnssecreconciler server=a.edu-servers.net \
     dnskey_query=edu \
     query_file=queries.txt \
     error_file=dnssecreconciler_errors.log 

java -jar dnssecreconciler.jar server=127.0.0.1 \
     dnskey_file=keys \
     query="edu soa"