Main Page
From DNSSEC-Tools
Project Information
What is DNSSEC
The short answer: DNSSEC is a protocol extension to the internet's Domain Name System (DNS) that provides assurance that the information received from a Domain Name Server is authentic. For example, when a URL is typed into a browser, a user can be assured the IP address the machine connects with is correct.
For a longer answer, look at these sites:
They answer the question as well as, or better than, it is answered here.
Why use DNSSEC
Insert scary story here, but basically DNSSEC should be used so a user can be sure the host to which they want to connect is the host with which their machine actually connects. If you are reading blogs or watching the latest funny myspace video, you probably don't care. If you're buying something online, sending private emails, going to your bank's website to pay bills, or doing online stock trades, it's a lot more important (and while this kind of attack is not known to be happening on a large scale yet, it has happened).
Who Wants To Use DNSSEC-Tools
Anyone who wants to:
- administer a zone with DNSSEC data,
- administer a DNSSEC-supporting Domain Name Server:
  - Authoritative Server
  - Recursive Server
- use DNSSEC-aware applications on their local machine,
- develop DNSSEC-aware applications,
- just plain play around with DNSSEC to see what it's all about (this may be akin to some sickness, but on the bright side, you know who you are).
This is depicted graphically in the following slide, with some of the DNSSEC-Tools utilities shown in yellow boxes:
DNSSEC-Tools Components
The following is a list of the DNSSEC-Tools components. See the links for further details.
Zone Administration Tools

| Tool | Documentation | Description |
|---|---|---|
| zonesigner | Manual, Example, CLI Help | Generates keys and signs zones with one command. |
| donuts | Manual, Example, CLI Help | Error-checks the contents of your zone. donuts does general DNS error checking, including DNSSEC-specific checks; you can extend it by writing your own rules. |
| mapper | Manual, Example, CLI Help | Graphically displays the contents of your zone. |

Authoritative Domain Name Server Tools

| Tool | Documentation | Description |
|---|---|---|
| zonesigner | Manual, Example, CLI Help | Generates keys and signs zones with one command. |
| rollerd | Manual, Example, CLI Help | Automatic key rollover. A daemon which automatically (or manually) steps through updating Zone Signing Keys and Key Signing Keys for a set of zones. It can be controlled while running with rollctl. |
| rollctl | Manual, Example, CLI Help | Sends commands to the rollerd daemon without restarting rollerd. |
| donuts | Manual, Example, CLI Help | Error-checks the contents of your zone. donuts does general DNS error checking, including DNSSEC-specific checks; you can extend it by writing your own rules. |
| donutsd | Manual, Example, CLI Help | Daemon that regularly checks the contents of a set of zones. |
| mapper | Manual, Example, CLI Help | Graphically displays the contents of your zone. |
| dnspktflow | Manual, Example, CLI Help | Visually traces DNS packets being sent on the network. |
| logwatch | Example | Included in current versions of logwatch. A logwatch plugin that parses the BIND server's system logging messages for DNSSEC events. |

Recursive Domain Name Server Tools

| Tool | Documentation | Description |
|---|---|---|
| trustman | Manual, CLI Help | Detects key changes in trust anchors (TAs); it can update TAs and it can run as a daemon. |
| dnspktflow | Manual, Example, CLI Help | Visually traces DNS packets being sent on the network. |
| logwatch | Example | Included in current versions of logwatch. A logwatch plugin that parses the BIND server's system logging messages for DNSSEC events. |

Application/Script Writers

| Tool | Documentation | Description |
|---|---|---|
| libval, libsres | Manual, Manual | C libraries that implement DNSSEC-aware DNS resolution APIs. |
| libval_shim | Manual | Preload shim library that maps DNS calls in legacy apps to equivalent DNSSEC functions. |
| Maketestzone | Manual | Generates a test DNSSEC zone that can be used to test DNSSEC validators. |
| Perl Modules: | | |
| Net::DNS::ZoneFile::Fast | Manual | Quickly reads and parses a zone file into Net::DNS object records. |
| Net::DNS::SEC::Validator | Manual | Perl bindings to the libval and libsres libraries. |
| Net::addrinfo | Manual | Interface to POSIX getaddrinfo and related constants, structures and functions. |

End Users (DNSSEC Native Applications)

| Application | Documentation | Description |
|---|---|---|
| Firefox | README | Patch to add DNSSEC support to Firefox |
| Sendmail | HowTo | Patch to add DNSSEC support to Sendmail |
| Postfix | 2.3.x HowTo, 2.2.x HowTo, Example | Patch to add DNSSEC support to Postfix |
| LibSPF | HowTo | Patch to add DNSSEC support to Libspf2 |
| Thunderbird | README | Patch to add DNSSEC support to Thunderbird |
| ssh | README | Patch to add DNSSEC support to ssh |
| lftp | HowTo | Patch to add DNSSEC support to lftp |
| wget | HowTo | Patch to add DNSSEC support to wget |
| ncftp | HowTo | Patch to add DNSSEC support to ncftp |
| proftpd | HowTo | Patch to add DNSSEC support to proftpd |
| jabberd | | Patch to add DNSSEC support to jabberd |

DNS Error Checking Tools

| Tool | Documentation | Description |
|---|---|---|
| dnspktflow | Manual, Example, CLI Help | Visually traces DNS packets being sent on the network. |
| validate | Manual, CLI Help | Command-line DNS validation checking (similar to dig). This is part of the libval and libsres package. |
| mapper | Manual, Example, CLI Help | Graphically displays the contents of your zone. |
| trustman | Manual, CLI Help | Detects key changes in trust anchors (TAs); it can update TAs and it can run as a daemon. |
| donuts | Manual, Example, CLI Help | Error-checks the contents of your zone. donuts does general DNS error checking, including DNSSEC-specific checks; you can extend it by writing your own rules. |
| logwatch | Example | Included in current versions of logwatch. A logwatch plugin that parses the BIND server's system logging messages for DNSSEC events. |
How to Use DNSSEC-Tools / ShortTorials
In large part, how to use DNSSEC-Tools depends on who you are and how you want to use DNSSEC. The following are descriptions of the expected types of uses and users of DNSSEC-Tools, with links to wiki pages containing short tutorials on which DNSSEC-Tools to use for that purpose and how to get up and running with those tools.
If you want to try the commands yourself, be sure to get and install DNSSEC-Tools first.
This screenshot shows some of the most popular DNSSEC-Tools components (in yellow) and what their primary user is intended to be:
Authoritative Zone: ShortTorial
Administrators of authoritative zones will want to set up and maintain DNSSEC-supporting authoritative zones. These administrators are responsible for one or more DNS zones and want at least some of those zones signed, with DNSSEC-validated data available for the signed zones. Most administrators who are responsible for an authoritative zone are also authoritative server administrators, but not always. DNSSEC-Tools provides tools for easily signing a zone and verifying that the resulting data is valid.
If you only want to learn one new thing today, then learn to Sign Your Zone.
Authoritative Server: ShortTorial
Administrators of authoritative servers will want to set up and maintain a DNSSEC-supporting authoritative DNS server. They are responsible for one or more servers that serve out zones with signed, DNSSEC-validated data. With the possible exception of end applications, this is where the majority of DNSSEC zone maintenance is done and where the majority of DNSSEC-Tools can help. DNSSEC-Tools provides tools for easily signing a zone, ensuring that a zone is always signed, rolling signing keys on a regular basis, and verifying that the resulting data is valid.
Recursive Server: ShortTorial
Recursive server administrators will want to set up and maintain a DNSSEC-aware validating recursive server. Validating servers are Domain Name Servers that perform DNS lookups and verify the integrity of the data using the DNSSEC data published with the zone records. Validating recursive servers may operate on a small or large scale: a recursive server could be run for the use of a single machine, a small network, a large enterprise, or an ISP. The server would be configured with a list of zones that require DNSSEC validation and the trust anchors that are used as cryptographic starting points. DNSSEC-Tools provides tools for managing trust anchors and for detecting and tracking trust anchor changes, as well as debugging tools for identifying the source of DNS-related problems.
Develop DNSSEC-aware applications: ShortTorial
Application developers will want to add DNSSEC support to their applications. DNSSEC-Tools' libval and libsres provide the application-level DNSSEC validation and validation results that application developers need.
Using DNSSEC aware applications: ShortTorial
End users at the desktop will want to use DNSSEC-aware applications on their machine. They could be someone who wants their application to check DNSSEC validation when web browsing, making connections with ssh, or downloading files with wget. They could also be a person, group, or company that wants their mail (MTA) server to use DNSSEC validation when sending out mail. DNSSEC-Tools provides a plethora of application patches, created as part of the DNSSEC-Tools project, that allow various applications to support DNSSEC directly using the libval DNSSEC validating library. Read the ShortTorial for more info.
Learn about DNSSEC firsthand: ShortTorial
Everyone will want to play with DNSSEC to figure out what it is all about!
Project Administration Pages
Misc Discussion Items
- Validator discussion items
- Current resolver requirements
- Root key distribution mechanisms
TODO
- Validator TODO
- Applications being worked on to support DNSSEC
- Command Line and Configuration File Loading Behaviour
Developer Information
DNSSEC Resources / Links
- http://www.dnssec.net/
- http://www.dnssec-deployment.org/
- IETF Working Groups
- External links
