Authoritative Server
From DNSSEC-Tools Wiki
This is a brief description of the parts of the DNSSEC-Tools package that an administrator of a DNSSEC-aware authoritative name server could find useful. The server could be on a small scale, serving a single zone, or a larger scale with multiple zones.
Authoritative DNS Administrator
Currently, DNSSEC-Tools has a large number of tools that are useful for managing DNSSEC aware authoritative domain name servers. The first thing to do is get some DNS server software that supports DNSSEC. For information on the available DNS server packages, dnssec-deployment.org and dnssec.net are good places to start looking. Setting up the DNS server itself is out of scope for this discussion. Most DNS server software (and all the major ones) support DNSSEC.
Although the DNSSEC-Tools packages can be useful with any DNSSEC-supporting name server, they are most useful with the Bind domain name server.
A more detailed description follows, but here is a quick listing of useful DNSSEC-Tools tools:
- Zonesigner is the cornerstone tool. It is used for signing and re-signing zone files. It can also generate the necessary keys for the DNS zone signing process.
- Rollerd automates 'rolling' of Zone Signing and Key Signing Keys (ZSKs and KSKs).
- Rollctl can control rollerd without restarting rollerd.
- Donuts will syntax check signed zone files for DNSSEC as well as general DNS errors.
- Donutsd is the daemonized version of donuts; it will check zone files regularly and automatically notify administrator(s).
- Mapper creates graphical descriptions of zone files.
- Dnspktflow creates a graphical description of DNS packets as they flow through a network (using tcpdump).
- And the current version of logwatch has been updated to scan for DNSSEC output from a Bind server.
Zonesigner
| DNSSEC-Tools Component | zonesigner |
|---|---|
| This describes zonesigner, which is in the Zone Administration Tools category within the DNSSEC-Tools Components framework of tools. | |
| Tool Name: | zonesigner |
| Tool Type: | Zone Administration Tools |
| Manual: | Manual |
| Example: | Example |
| CLI: | Help |
Zonesigner is used for signing DNS zone files. This is one of the main tools a Zone Administrator or Authoritative DNS Administrator will find useful when deploying a DNSSEC-enabled zone. It can make signing a zone as easy as typing 'zonesigner example.com'. Zonesigner is capable of performing a large number of zone manipulations: it can sign a zone file and create and update both Zone Signing Keys (ZSKs) and Key Signing Keys (KSKs), while allowing more detailed configuration from the command line or a configuration file.
Zonesigner was designed to make many of the other signing tools easy to use and to "do the right thing by default" wherever possible. It is highly configurable, but most people will likely be happy running it without any of the extra arguments. Currently it uses (and requires) the Bind toolkit to handle most of the tasks it performs.
Get started with zonesigner
To get started with zonesigner, follow these steps, given a zone example.com and its zone file 'zonefile'.
- The first time, add the -genkeys argument to generate new DNSSEC keys.
- For future runs, leave that option off, since you will already have keys for your zone. See Rollerd for more details about changing keys on a regular basis.
> zonesigner -genkeys -zone example.com ./zonefile
if zonesigner appears hung, strike keys until the program completes
(see the "Entropy" section in the man page for details)
zone signed successfully
example.com:
KSK (cur) 08824 -b 2048 02/12/08 (signing-set-3)
ZSK (cur) 53265 -b 1024 02/12/08 (signing-set-1)
ZSK (pub) 41622 -b 1024 02/12/08 (signing-set-2)
zone will expire in 4 weeks, 2 days, 0 seconds
DO NOT delete the keys until this time has passed.
>
The above:
- creates the signed zone file zonefile.signed
- the signed file is ready for use; just configure the DNS server to load it. The next time the zone needs to be signed (before 4 weeks and 2 days have elapsed), run the same command but without the -genkeys argument.
A ready-to-use signed zone file, 'zonefile.signed', is generated. Created along with it are the associated Zone and Key Signing Keys (ZSKs/KSKs), keyset files, a dsset file, and a zonesigner configuration file for example.com. Note that these files are generated in the same directory as the zone file that is signed. The location of these files can be adjusted through command line arguments to zonesigner.
(Even easier: if your zone file name matches the zone itself, e.g. example.com, the command 'zonesigner -genkeys example.com' will generate example.com.signed.)
Zonesigner offers a large number of additional options that affect zone file signing. The key expiration times, file names and locations can all be adjusted from the command line. It will even do the various steps required for key rollovers, although it is much easier to use rollerd to execute the needed key-rolling steps automatically.
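To illustrate the two-step procedure above, here is an added Python example (not part of DNSSEC-Tools or this page) that parses the summary zonesigner prints, turns 'zone will expire in 4 weeks, 2 days, 0 seconds' into a re-signing deadline, and decides whether the next run needs -genkeys by checking for the zone's keyrec file; the keyrec name example.com.krf and the seven-day lead time are assumptions.

```python
import os
import re
from datetime import datetime, timedelta

# Constructed sample: the summary zonesigner printed in the run above (not a live capture).
ZONESIGNER_OUTPUT = """\
zone signed successfully
example.com:
KSK (cur) 08824 -b 2048 02/12/08 (signing-set-3)
ZSK (cur) 53265 -b 1024 02/12/08 (signing-set-1)
ZSK (pub) 41622 -b 1024 02/12/08 (signing-set-2)
zone will expire in 4 weeks, 2 days, 0 seconds
DO NOT delete the keys until this time has passed.
"""

UNITS = {"week": 604800, "day": 86400, "hour": 3600, "minute": 60, "second": 1}
KEY_RE = re.compile(r"^(KSK|ZSK)\s+\((\w+)\)\s+(\d+)\s+-b\s+(\d+)\s+(\S+)\s+\((\S+)\)$")


def duration_to_seconds(text):
    """Convert a phrase like '4 weeks, 2 days, 0 seconds' into seconds."""
    total = 0
    for count, unit in re.findall(r"(\d+) (week|day|hour|minute|second)s?", text):
        total += int(count) * UNITS[unit]
    return total


def parse_zonesigner_output(output):
    """Return the key list zonesigner printed and the zone lifetime in seconds."""
    keys, expire_in = [], None
    for raw in output.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            keys.append({"type": m.group(1), "state": m.group(2), "keytag": int(m.group(3)),
                         "bits": int(m.group(4)), "date": m.group(5), "set": m.group(6)})
        elif line.startswith("zone will expire in "):
            expire_in = duration_to_seconds(line)
    return keys, expire_in


def resign_deadline(signed_at_iso, expire_in, lead_days=7):
    """Latest time to re-run zonesigner, keeping lead_days of margin before the RRSIGs expire."""
    signed_at = datetime.fromisoformat(signed_at_iso)
    return signed_at + timedelta(seconds=expire_in) - timedelta(days=lead_days)


def zonesigner_command(zone, zonefile, directory="."):
    """First run needs -genkeys; later runs must reuse the existing keys (see Rollerd)."""
    keyrec = os.path.join(directory, zone + ".krf")  # keyrec file name is an assumption
    args = ["zonesigner"]
    if not os.path.exists(keyrec):
        args.append("-genkeys")
    return args + ["-zone", zone, zonefile]


if __name__ == "__main__":
    keys, expire_in = parse_zonesigner_output(ZONESIGNER_OUTPUT)
    print(len(keys), "keys;", expire_in, "seconds; re-sign by",
          resign_deadline("2008-02-12", expire_in).date())
    print(" ".join(zonesigner_command("example.com", "./zonefile")))
```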
Note
To fully use zonesigner and understand zone signing, a good grasp of how DNSSEC works is necessary. A working signed zone file can be created by just using the default values provided by zonesigner. But it is beneficial for a zone administrator to have a general familiarity with DNSSEC. The following links are good places to start to learn about DNSSEC:
RFC 4033, RFC 4034, RFC 4035, www.dnssec.net, ISOC's DNSSEC Theory
Rollerd
| DNSSEC-Tools Component | rollerd |
|---|---|
| This describes rollerd, which is in the Authoritative Server Tools category within the DNSSEC-Tools Components framework of tools. | |
| Tool Name: | rollerd |
| Tool Type: | Authoritative Server Tools |
| Manual: | Manual |
| CLI: | Help |
Rollerd automates key rollovers. That is, it automates the steps necessary to change over from one Zone Signing Key (ZSK) to the next using the Pre-Publish Method of key rollover. It can also automate the less frequent Key Signing Key (KSK) changeover using the Double Signature Method of key rollover. See RFC 4641 for a description of these key rollover methods.
Getting started with rollerd
- Given the existing signed zone file, zonefile.signed, with its associated keys and zonesigner keyrec file, example.com.krf.
- Create a rollrec file using rollinit (a companion tool to rollerd):
> rollinit example.com -zone /var/named/zonefile.signed -keyrec /var/named/example.com.krf -admin admin@example.com >! example.com.rollrec
>
This should create a file example.com.rollrec:
roll "example.com"
zonefile "/var/named/zonefile.signed"
keyrec "/var/named/example.com.krf"
administrator "admin@example.com"
kskphase "0"
zskphase "0"
ksk_rolldate " "
ksk_rollsecs "0"
zsk_rolldate " "
zsk_rollsecs "0"
maxttl "0"
display "1"
phasestart "new"
- Given the above rollerd configuration file for zone example.com, /etc/named/example.com.rollrec.
- Start rollerd, logging to standard out:
> /usr/local/bin/rollerd -verbose -verbose -verbose -loglevel info -logfile - -rrfile /etc/named/example.com.rrf -sleep 60 -directory /var/named/
Jan 21 23:04:47 2008: rollerd starting ----------------------------------------
Jan 21 23:04:47 2008: rollerd parameters:
Jan 21 23:04:47 2008: rollrec file "/etc/named/example.com.rrf"
Jan 21 23:04:47 2008: logfile "-"
Jan 21 23:04:47 2008: loglevel "info"
Jan 21 23:04:47 2008: sleeptime "60"
Jan 21 23:04:47 2008:
Jan 21 23:04:47 2008: example.com: KSK expiration in 24 weeks, 3 days, 13 hours, 3 minutes, 25 seconds
Jan 21 23:04:47 2008: example.com: ZSK expired 1985 weeks, 4 days, 23 hours, 4 minutes, 47 seconds ago
Jan 21 23:04:47 2008: example.com: current ZSK has expired
Jan 21 23:04:47 2008: example.com: ZSK phase 1
Jan 21 23:05:52 2008: example.com: ZSK phase 1; cache expires in 55 seconds
Jan 21 23:06:57 2008: example.com: ZSK phase 2
Jan 21 23:06:57 2008: example.com: executing "zonesigner -usezskpub example.com db.example.com.signed"
Jan 21 23:06:58 2008: example.com: ZSK phase 3
Jan 21 23:06:58 2008: example.com: ZSK phase 3; cache expires in 2 minutes, 0 seconds
Jan 21 23:08:03 2008: example.com: ZSK phase 3; cache expires in 55 seconds
Jan 21 23:09:08 2008: example.com: ZSK phase 4
Jan 21 23:09:08 2008: example.com: executing "zonesigner -rollzsk example.com db.example.com.signed"
Jan 21 23:09:09 2008: example.com: executing "zonesigner example.com db.example.com.signed"
Jan 21 23:09:09 2008: example.com: ZSK phase 0
Jan 21 23:09:09 2008: example.com: ZSK expiration in 1 week, 0 seconds
Jan 21 23:10:14 2008: example.com: KSK expiration in 24 weeks, 3 days, 12 hours, 57 minutes, 58 seconds
Jan 21 23:10:14 2008: example.com: ZSK expiration in 6 days, 23 hours, 58 minutes, 55 seconds
Jan 21 23:11:19 2008: example.com: KSK expiration in 24 weeks, 3 days, 12 hours, 56 minutes, 53 seconds
Jan 21 23:11:19 2008: example.com: ZSK expiration in 6 days, 23 hours, 57 minutes, 50 seconds
Rollerd has just successfully rolled the ZSK. With the above setup, it took about seven minutes. In general, though, rollerd wouldn't be run as it was above. It is meant to be run in daemon mode as a system service, automatically updating the ZSKs and KSKs as the configured timing indicates. Rollerd can also be controlled while it is running by using rollctl.
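The phase progression in the log above is what an operator would monitor. The following added Python example (not DNSSEC-Tools code) parses those rollerd log lines, records the ZSK phase transitions, the zonesigner commands rollerd executed and any 'expired' warnings, and measures how long the roll took; the log sample is a subset of the output above.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the rollerd log lines shown above.
ROLLERD_LOG = """\
Jan 21 23:04:47 2008: rollerd starting ----------------------------------------
Jan 21 23:04:47 2008: rollerd parameters:
Jan 21 23:04:47 2008: example.com: KSK expiration in 24 weeks, 3 days, 13 hours, 3 minutes, 25 seconds
Jan 21 23:04:47 2008: example.com: ZSK expired 1985 weeks, 4 days, 23 hours, 4 minutes, 47 seconds ago
Jan 21 23:04:47 2008: example.com: current ZSK has expired
Jan 21 23:04:47 2008: example.com: ZSK phase 1
Jan 21 23:05:52 2008: example.com: ZSK phase 1; cache expires in 55 seconds
Jan 21 23:06:57 2008: example.com: ZSK phase 2
Jan 21 23:06:57 2008: example.com: executing "zonesigner -usezskpub example.com db.example.com.signed"
Jan 21 23:06:58 2008: example.com: ZSK phase 3
Jan 21 23:08:03 2008: example.com: ZSK phase 3; cache expires in 55 seconds
Jan 21 23:09:08 2008: example.com: ZSK phase 4
Jan 21 23:09:08 2008: example.com: executing "zonesigner -rollzsk example.com db.example.com.signed"
Jan 21 23:09:09 2008: example.com: executing "zonesigner example.com db.example.com.signed"
Jan 21 23:09:09 2008: example.com: ZSK phase 0
Jan 21 23:09:09 2008: example.com: ZSK expiration in 1 week, 0 seconds
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d \d{4}): (\S+): (.*)$")
PHASE_RE = re.compile(r"^(KSK|ZSK) phase (\d)(?:;|$)")
EXEC_RE = re.compile(r'^executing "(.*)"$')


def parse_rollerd_log(text):
    """Collect per-zone phase transitions, zonesigner invocations and expiry warnings."""
    zones = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # startup banner and parameter dump carry no zone name
        when = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
        zone, msg = m.group(2), m.group(3)
        rec = zones.setdefault(zone, {"phases": [], "commands": [], "warnings": []})
        p = PHASE_RE.match(msg)
        # record transitions only, not the repeated "cache expires" progress lines
        if p and (not rec["phases"] or rec["phases"][-1][1:] != (p.group(1), int(p.group(2)))):
            rec["phases"].append((when, p.group(1), int(p.group(2))))
        e = EXEC_RE.match(msg)
        if e:
            rec["commands"].append((when, e.group(1)))
        if "has expired" in msg or " expired " in msg:
            rec["warnings"].append(msg)
    return zones


def rollover_seconds(rec, key="ZSK"):
    """Seconds from entering phase 1 to returning to phase 0 (roll complete), or None."""
    start = next((t for t, k, p in rec["phases"] if k == key and p == 1), None)
    end = next((t for t, k, p in rec["phases"] if k == key and p == 0 and start and t > start), None)
    return (end - start).total_seconds() if start and end else None


if __name__ == "__main__":
    rec = parse_rollerd_log(ROLLERD_LOG)["example.com"]
    print([p for _, _, p in rec["phases"]], rollover_seconds(rec), rec["warnings"])
```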
Rollctl
| DNSSEC-Tools Component | rollctl |
|---|---|
| This describes rollctl, which is in the Authoritative Server Tools category within the DNSSEC-Tools Components framework of tools. | |
| Tool Name: | rollctl |
| Tool Type: | Authoritative Server Tools |
| Manual: | Manual |
| CLI: | Help |
Rollctl is a tool that communicates with a running rollerd. Among the commands it can pass to rollerd are rolling a zone on demand, skipping a zone, changing the sleep time, checking zone status, and more. It can be run as a command-line tool or can open a window. The window shows the current zones rollerd is configured to process, and a user can select a zone and perform commands on it.
Getting started with rollctl
To get a simple status from the command line:
> rollctl -status
boot-time: Mon Feb 25 23:51:29 2008
directory: /var/named/
rollrec file: /etc/named/example.com.rrf
logfile: /var/log/rollerd.log
loglevel: 4
sleeptime: 300
>
Or to open the window:
> rollctl -display
A graphical user interface (GUI) listing the zones rollerd is configured to process will appear. From here a user can select a zone and perform commands on it from the pull-down menus.
Donuts: an error/warning checker
| DNSSEC-Tools Component | donuts |
|---|---|
| This describes donuts, which is in the Zone Administration Tools category within the DNSSEC-Tools Components framework of tools. | |
| Tool Name: | donuts |
| Tool Type: | Zone Administration Tools |
| Manual: | Manual |
| Example: | Example |
| CLI: | Help |
Donuts is used for error checking zone files. It checks for general DNS warnings and errors as well as DNSSEC specific issues.
Get started with donuts
To check the above 'zonefile.signed' file:
> donuts zonefile.signed example.com
dyn.example.com:
Error: sub-domain dyn.example.com is not securely
delegated. It is missing a DS record.
pictures.example.com:
Error: RRSIG on name: pictures.example.com type: CNAME
failed to verify: RSA Verification failed
2 errors found in zonefile.signed
>
Donuts outputs the number of errors found (zero or more) and a brief description of each error in the signed zone file. It is similar to Bind's named-checkzone, except that it checks for some additional operational warnings and errors and is highly extensible, so you can write your own rules to check for site-specific policies and requirements.
Donutsd
| DNSSEC-Tools Component | donutsd |
|---|---|
| This describes donutsd, which is in the Authoritative Server Tools category within the DNSSEC-Tools Components framework of tools. | |
| Tool Name: | donutsd |
| Tool Type: | Authoritative Server Tools |
| Manual: | Manual |
| CLI: | Help |
Donutsd is the daemonized version of donuts. It provides the same functionality, but will run in the background and notify (usually by email) an administrator whenever changes are detected in the zone file. This includes noticing when a zone is about to expire (i.e. when RRSIG records in the signed zone file are about to expire).
Getting started with donutsd
The zones to check can be configured on the command line, e.g.:
> donutsd -v /var/named/example.com.signed example.com admin@istrator.com
running donuts on /var/named/example.com.signed/example.com
running: donuts /var/named/example.com.signed example.com > /tmp/donutsd/example.com.new 2>&1
comparing results from last run
output changed; mailing admin@istrator.com about /var/named/example.com.signed
running: tail -1 /tmp/donutsd/example.com.new >> /tmp/donutsd/donuts.summary.new
/tmp/donutsd/example.com.new => /tmp/donutsd/example.com
/tmp/donutsd/donuts.summary.new => /tmp/donutsd/donuts.summary
sleeping for 86400
<ctr-c>
>
An administrator will receive an email similar to the following (the zone file in this example has an RR type that donuts does not recognize):
From: default@example.com
Subject: donuts output for zone: example.com
To: admin@istrator.com
Date: Mon, 25 Feb 2008 16:43:35 -0800 (PST)

The donuts dns zone-file syntax checker was run on the "example.com" and there were resulting errors or errors that have changed since the last run. The results of this run of donuts can be found below:
You will not receive another message until the output from donuts has changed.
----------------------------------------------------------------------
/var/named/example.com.signed:44 unrecognized type
WARNING: failed to read /var/named/example.com.signed for an unknown reason
unrecognized type, line 44
For one or a few zones, the command line is a reasonable way to configure donutsd, but zone information can also be read from a file. The simplest is a text file containing the same zone information as the command line, one zone per line:
> cat donutsd-zones.txt
db.zonefile1.com zone1.com admin@zone1.com
db.zonefile2.com zone2.com admin@zone2.com,admin2@zone2.com
>
and run by:
> donutsd -i /etc/named/donutsd-zones.txt &
>
For even greater control, an XML formatted file can be used. See the Manual page for more details.
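Donutsd's "comparing results from last run" step can be reproduced to see exactly what changed between runs. The added Python example below (not DNSSEC-Tools code) parses donuts' text output into (name, level, message) records and reports which issues are new and which were resolved; the first sample is the donuts output shown earlier, while the second run and its Warning line are constructed for the example.

```python
import re

# Constructed samples: the donuts output shown above, and a later run in which the
# DS error was fixed and a new (made-up) warning appeared. Not real donuts captures.
RUN_1 = """\
dyn.example.com:
  Error: sub-domain dyn.example.com is not securely
     delegated. It is missing a DS record.
pictures.example.com:
  Error: RRSIG on name: pictures.example.com type: CNAME
     failed to verify: RSA Verification failed
2 errors found in zonefile.signed
"""
RUN_2 = """\
pictures.example.com:
  Error: RRSIG on name: pictures.example.com type: CNAME
     failed to verify: RSA Verification failed
www.example.com:
  Warning: RRSIG on name: www.example.com type: A
     expires in less than 1 day
1 errors found in zonefile.signed
"""

NAME_RE = re.compile(r"^(\S+):$")                      # "dyn.example.com:"
ISSUE_RE = re.compile(r"^\s*(Error|Warning): (.*)$")   # first line of an issue
SUMMARY_RE = re.compile(r"^(\d+) errors? found in (\S+)$")


def parse_donuts(output):
    """Return ({(name, level, message), ...}, error_count) from donuts' text output."""
    issues, name, current, count = [], None, None, None
    for line in output.splitlines():
        m = NAME_RE.match(line)
        if m:
            name = m.group(1)
            continue
        m = ISSUE_RE.match(line)
        if m:
            current = [name, m.group(1), m.group(2).strip()]
            issues.append(current)
            continue
        m = SUMMARY_RE.match(line)
        if m:
            count = int(m.group(1))
        elif current and line.strip():
            current[2] += " " + line.strip()  # continuation of a wrapped message
    return {tuple(i) for i in issues}, count


def compare_runs(previous, current):
    """What donutsd would notify about: issues that appeared and issues that went away."""
    old, _ = parse_donuts(previous)
    new, _ = parse_donuts(current)
    return {"new": sorted(new - old), "resolved": sorted(old - new)}


if __name__ == "__main__":
    for kind, items in compare_runs(RUN_1, RUN_2).items():
        for name, level, message in items:
            print(f"{kind}: {name} {level}: {message}")
```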
Mapper: graphically map your zones
| DNSSEC-Tools Component | mapper |
|---|---|
| This describes mapper, which is in the Error Checking Tools category within the DNSSEC-Tools Components framework of tools. | |
| Tool Name: | mapper |
| Tool Type: | Error Checking Tools |
| Manual: | Manual |
| Example: | Example |
| CLI: | Help |
Mapper displays the zone file graphically, creating a PNG image of the zone's contents.
Get started with mapper
To generate a picture of the above zone file:
> mapper zonefile.signed example.com
The file map.png will hold a picture of the zone file. Mapper has a number of command line arguments that can change how the map is organized. See the full documentation for more details.
Dnspktflow
| DNSSEC-Tools Component | dnspktflow |
|---|---|
| This describes dnspktflow, which is in the Error Checking Tools category within the DNSSEC-Tools Components framework of tools. | |
| Tool Name: | dnspktflow |
| Tool Type: | Error Checking Tools |
| Manual: | Manual |
| Example: | Example |
| CLI: | Help |
Dnspktflow is a tool that parses a tcpdump file and graphically displays the DNS (and DNSSEC-specific) network traffic. It can be used to check DNSSEC traffic at a server in order to track down or check for errors.
Getting started with dnspktflow
- Given a tcpdump file tcpdump.out with some DNS traffic in it:
> dnspktflow -t -q -a -A -x -l -r 'dnssec-tools' -o dnspktflow.png tcpdump.out
>
- The command line arguments above add extra information to the picture (type, query, answers, authoritative and extra information), while restricting the data to DNS packets involving hosts with 'dnssec-tools' in their names.
Logwatch
Logwatch is not a DNSSEC-Tools tool, but can be found at www.logwatch.org. It is a tool that parses your system logs, analyzes specific sections and sends a summarized report to an administrator. It is already included in many Unix-based operating systems and, if not, will usually install and just work. DNSSEC-Tools has created a logwatch filter that parses Bind's named output.
Getting started with logwatch
If you have v7.1+ of logwatch on your system, nothing should need to be done; the filter is already included. If you have v6, you can add our filter to it; see our logwatch documentation and www.logwatch.org.
The addition to the logwatch report will look similar to this:
################### LogWatch 6.0.2 (04/25/05) ####################
Processing Initiated: Thu Jul 7 10:13:34 2005
Date Range Processed: all
Detail Level of Output: 10
Type of Output: unformatted
Logfiles for Host: host.example.com
##################################################################
--------------------- DNSSEC Begin ------------------------
No Valid Signature received 6 times
Detail >= 5 log messages:
Marking as secure 97 times
Verified rdataset succeeded 97 times
Attempted positive response validation 96 times
Nonexistence proof found 20 times
Attempted negative response validation 18 times
Validation OK 2 times
---------------------- DNSSEC End -------------------------
--------------------- Resolver Begin ------------------------
Received validation completion event 171 times
Validation OK 125 times
Nonexistence validation OK received 46 times
---------------------- Resolver End -------------------------
###################### LogWatch End #########################
General Error Checking Tools
Check out the error checking tools section below. It includes general DNSSEC error checking tools as well as tools that check for a specific type of use or user. Some of the tools may be useful to you even though we didn't think they applied specifically to authoritative DNSSEC server administration.
Software Summary
Authoritative Domain Name Server Tools

| Tool | Documentation | Description |
|---|---|---|
| zonesigner | Manual Example CLI Help | Will generate keys and sign zones with one command. |
| rollerd | Manual Example CLI Help | Automatic key rollover. A daemon which automatically (or manually) steps through updating Zone Signing and Key Signing Keys for a set of zones. It can be controlled while running with rollctl. |
| rollctl | Manual Example CLI Help | Send commands to the rollerd daemon without restarting rollerd. |
| donuts | Manual Example CLI Help | Error check the contents of your zone. You can extend it by writing your own rules. Donuts does general DNS error checking, including DNSSEC-specific checks. |
| donutsd | Manual Example CLI Help | Daemon that regularly checks the contents of a set of zones. |
| mapper | Manual Example CLI Help | Graphically display the contents of your zone. |
| dnspktflow | Manual Example CLI Help | Visually trace DNS packets being sent on the network. |
| logwatch | Example | Included in current versions of logwatch. A logwatch plugin for DNSSEC parsing of the BIND server's system logging messages. |

DNS Error Checking Tools

| Tool | Documentation | Description |
|---|---|---|
| dnspktflow | Manual Example CLI Help | Visually trace DNS packets being sent on the network. |
| validate | Manual CLI Help | Command-line DNS validation checking (similar to dig). This is part of the libval and libsres package. |
| mapper | Manual Example CLI Help | Graphically display the contents of your zone. |
| trustman | Manual CLI Help | Detects key changes in trust anchors (TAs); it can update TAs and it can run as a daemon. |
| donuts | Manual Example CLI Help | Error check the contents of your zone. You can extend it by writing your own rules. Donuts does general DNS error checking, including DNSSEC-specific checks. |
| logwatch | Example | Included in current versions of logwatch. A logwatch plugin for DNSSEC parsing of the BIND server's system logging messages. |
