Main Page

From DNSSEC-Tools Wiki

Project Information

What is DNSSEC

The short answer: DNSSEC is a protocol extension to the internet's Domain Name System (DNS) that provides assurance that the information received from a Domain Name Server is authentic. E.g., when a URL is typed into a browser, a user can be assured the IP address the machine connects with is correct.

For the long answer look at

They answer the question as well as, or better than, it will be answered here.

Why use DNSSEC

Insert scary story here, but basically DNSSEC should be used so a user can be sure that the host they want to connect to is the host their machine actually connects with. If you are reading blogs or watching the latest funny myspace video, you probably don't care. If you're buying something online, sending private emails, going to your bank's website to pay bills, or doing online stock trades, it's a lot more important (and while this kind of attack is not known to be happening on a large scale yet, it has happened).

Who Wants To Use DNSSEC-Tools

Anyone who wants to:

  • administer a zone with DNSSEC data,
  • administer a DNSSEC supporting Domain Name Server
    • Authoritative Server
    • Recursive Server
  • use DNSSEC aware applications on their local machine
  • develop DNSSEC aware applications
  • just to plain play around with DNSSEC to see what it's all about (this may be akin to some sickness, but on the bright side, you know who you are)

How to Use DNSSEC-Tools / ShortTorials

In large part, how to use DNSSEC-Tools depends on who you are, and how you want to use DNSSEC. The following are descriptions of the expected types of uses/users of DNSSEC-Tools and links to wiki pages with short tutorials on which DNSSEC-Tools to use for that purpose and how to get up and running with those tools.

If you want to try the commands yourself, be sure to get and install DNSSEC-Tools first.

Authoritative Zone: ShortTorial

Administrators of authoritative zones will want to set up and maintain DNSSEC supporting authoritative zones. These administrators are responsible for one or more DNS zones and want at least some of those zones to be signed, with DNSSEC validated data available for the signed zones. Most administrators who are responsible for an authoritative zone are also authoritative server administrators, but not always. DNSSEC-Tools provides tools for easily signing a zone and verifying that the resulting data is valid.


Authoritative Server: ShortTorial

Administrators of authoritative servers will want to set up and maintain a DNSSEC supporting authoritative DNS server. They are responsible for one or more servers that serve out zones with signed DNSSEC validated data. With the possible exception of end applications, this is where the majority of DNSSEC zone maintenance is done and where the majority of DNSSEC-Tools can help. DNSSEC-Tools provides tools for easily signing a zone, ensuring that a zone is always signed, rolling signing keys on a regular basis and verifying that the resulting data is valid.


Recursive Server: ShortTorial

Recursive server administrators will want to set up and maintain a DNSSEC aware validating recursive server. Validating servers are Domain Name Servers that perform DNS look-ups and verify the integrity of the data using DNSSEC data published with the zone records. Validating recursive servers may operate on a small or large scale. A recursive server could be run for the use of a single machine, a small network, a large enterprise or an ISP. The DNS would be configured with a list of zones that require DNSSEC validation and the trust anchors that are used as cryptographic starting points. DNSSEC-Tools provides tools for managing trust anchors, detecting and tracking trust anchor changes, as well as debugging tools for identifying the source of DNS related problems.

Using DNSSEC aware applications: ShortTorial

End-users at the desktop will want to use DNSSEC aware applications on their machine. They could be someone who wants their application to check DNSSEC validation when web browsing, making connections with ssh, or downloading files with wget. They could also be a person, group, or company that wants to have their mail (MTA) server use DNSSEC validation when sending out mail. DNSSEC-Tools provides a plethora of application patches that have been created as part of the DNSSEC-Tools project that allow various applications to support DNSSEC directly using the libval DNSSEC validating library. Read the ShortTorial for more info.

Develop DNSSEC aware applications: ShortTorial

Application developers will want to add DNSSEC support to their applications. DNSSEC-Tools' libval and libsres provide needed application-level DNSSEC validation and results to application developers.


Learn about DNSSEC firsthand: ShortTorial

Everyone will want to play with DNSSEC to figure out what it is about!

DNSSEC-Tools Components

The following is a list of the DNSSEC-Tools Components. See the link for further details.


Zone Administration Tools

  • zonesigner (Manual, Example, CLI Help): Will generate keys and sign zones with one command.
  • donuts (Manual, Example, CLI Help): Error check the contents of your zone. You can extend it by writing your own rules. donuts does general DNS error checking including DNSSEC-specific checks.
  • mapper (Manual, Example, CLI Help): Graphically display the contents of your zone.

Authoritative Domain Name Server Tools

  • zonesigner (Manual, Example, CLI Help): Will generate keys and sign zones with one command.
  • rollerd (Manual, Example, CLI Help): Automatic key rollover. A daemon which automatically (or manually) steps through updating Zone Signing and Key Signing Keys for a set of zones. It can be controlled while running with rollctl.
  • rollctl (Manual, Example, CLI Help): Send commands to the rollerd daemon without restarting rollerd.
  • donuts (Manual, Example, CLI Help): Error check the contents of your zone. You can extend it by writing your own rules. donuts does general DNS error checking including DNSSEC-specific checks.
  • donutsd (Manual, Example, CLI Help): Daemon that regularly checks the contents of a set of zones.
  • mapper (Manual, Example, CLI Help): Graphically display the contents of your zone.
  • dnspktflow (Manual, Example, CLI Help): Visually trace DNS packets being sent on the network.
  • logwatch (Example; included in current versions of logwatch): A logwatch plugin for DNSSEC parsing of the BIND server's system logging messages.

Recursive Domain Name Server Tools

  • trustman (Manual, CLI Help): Detects key changes in trust anchors (TAs); it can update TAs and it can run as a daemon.
  • dnspktflow (Manual, Example, CLI Help): Visually trace DNS packets being sent on the network.
  • logwatch (Example; included in current versions of logwatch): A logwatch plugin for DNSSEC parsing of the BIND server's system logging messages.

Application/Script Writers

  • libval (Manual) and libsres (Manual): C libraries that implement DNSSEC aware DNS resolution APIs.
  • libval_shim (Manual): Preload shim library that maps DNS calls in legacy apps to equivalent DNSSEC functions.

DNS Error Checking Tools

Perl Modules:

  • Net::DNS::ZoneFile::Fast (Manual): Quickly read and parse a zone file into Net::DNS object records.
  • Net::DNS::SEC::Validator (Manual): Perl bindings to the libval and libsres libraries.
  • Net::addrinfo (Manual): Interface to POSIX getaddrinfo and related constants, structures and functions.

End Users (DNSSEC Native Applications)

  • Firefox (README): Patch to add DNSSEC support to Firefox.
  • Sendmail (HowTo): Patch to add DNSSEC support to Sendmail.
  • Postfix (2.3.x HowTo, 2.2.x HowTo, Example): Patch to add DNSSEC support to Postfix.
  • LibSPF (HowTo): Patch to add DNSSEC support to Libspf2.
  • Thunderbird (README): Patch to add DNSSEC support to Thunderbird.
  • ssh (README): Patch to add DNSSEC support to ssh.
  • lftp (HowTo): Patch to add DNSSEC support to lftp.
  • wget (HowTo): Patch to add DNSSEC support to wget.
  • ncftp (HowTo): Patch to add DNSSEC support to ncftp.
  • proftpd (HowTo): Patch to add DNSSEC support to proftpd.
  • jabberd: Patch to add DNSSEC support to jabberd.

DNS Error Checking Tools

  • dnspktflow (Manual, Example, CLI Help): Visually trace DNS packets being sent on the network.
  • validate (Manual, CLI Help): Command line DNS validation checking (similar to dig). This is part of the libval and libsres package.
  • mapper (Manual, Example, CLI Help): Graphically display the contents of your zone.
  • trustman (Manual, CLI Help): Detects key changes in trust anchors (TAs); it can update TAs and it can run as a daemon.
  • donuts (Manual, Example, CLI Help): Error check the contents of your zone. You can extend it by writing your own rules. donuts does general DNS error checking including DNSSEC-specific checks.
  • logwatch (Example; included in current versions of logwatch): A logwatch plugin for DNSSEC parsing of the BIND server's system logging messages.

Project Administration Pages

Misc Discussion Items

TODO

Developer Information

DNSSEC Resources / Links

Help with Wiki Systems