DNSSEC-Tools Software Overview

The following table shows the software available in the DNSSEC-Tools 0.9.2 package.

To retrieve these applications and components, please see our Download page.

Many of the tools in the table below have screenshots of their GUI interface. The GUI interface is optional: many of the tools can be run with normal command-line options or, if the QWizard and Gtk2 Perl modules are installed, launched without arguments so that a GUI wizard appears and walks you through selecting the right options. Users can pick whichever mode is most comfortable for them. The GUI interfaces require installation of the optional Perl modules from the download page.

DNS Zone Administration Applications:

Tool: description (followed by the available links: CLI help, example output, and optional GUI screenshot)

zonesigner: A zone database signing utility that takes care of all the steps needed to sign and maintain a zone with as little hassle as possible. [CLI help; example output; GUI: none]
donuts: A dnslint-like application to analyze zone files. Run on local zone files, it is specifically tailored to DNSSEC but also tests for more general (non-DNSSEC) problems. [CLI help; example output]
donutsd: A long-running daemon that routinely runs donuts on a number of zones and e-mails the appropriate administrators. It is intended to notify admins when their zones are expiring or have other problems. [CLI help]
ifup-dyn-dns: A Linux ifup addition that propagates current IP addresses into live zone(s) using dynamic DNS. Security can be enabled as well so that transfers are properly authenticated. [CLI example: none; GUI: none]

Network Operation Applications for DNS Deployment:

Tool: description (followed by the available links: CLI help, example output, and optional GUI screenshot)

TrustMan: TrustMan runs by default as a daemon to verify whether keys stored locally in configuration files such as named.conf still match the keys fetched from the zone in which they are defined. If mismatches are detected, the daemon notifies the contact person defined in the config file or on the command line by mail. [CLI help; GUI in next release]
trustman: trustman runs by default as a daemon to monitor zones for the appearance of new keys that can be added as trust anchors. When a new key is observed, a timer is set. After this timer expires, if the new key is still observed in the keyset, mail is sent to the administrator advising that this key can now be configured as a trust anchor. [CLI help; GUI: none]
rollerd: The rollerd daemon manages key roll-over for zones. The Pre-Publish Method of key roll-over is used for ZSK roll-overs. (Currently, rollerd only handles ZSK roll-over.) This method uses a four-phase process that is entered when it is time to perform a ZSK roll-over. [CLI help; GUI: none]
rollctl: The rollctl command sends commands to the DNSSEC-Tools roll-over daemon, rollerd. Multiple options may be specified on a single command line, and they will be executed in alphabetical order. The exception to this ordering is that the -shutdown command will always be executed last. [CLI help; GUI: none]

DNS Debugging Applications:

mapper: Maps DNS realms, color-coding the results to allow easy visual interpretation. Color codes are based on record types and/or errors and warnings. [CLI help]
dnspktflow: This tool, when combined with tethereal and graphviz, can trace tcpdump/tethereal network packet captures to visually diagram DNS packet flows. It is very useful for debugging DNS queries being issued to resolvers, etc. It outputs PNG files or MagicPoint packet-by-packet screen presentations. [CLI help]
maketestzone: This tool generates zone file(s) full of DNS records, signs them, and then modifies them in various ways so that the final resulting file is a zone containing DNSSEC "errors". This is useful for generating test data against which DNSSEC-aware software can be tested. Our own test.dnssec-tools.org test zone is created using this package. [CLI help]

libval and libsres: These libraries implement DNSSEC-aware DNS resolution APIs. They offer both simple-to-use replacements for existing common resolver functions (e.g., val_gethostbyname is a replacement for gethostbyname) and more complete APIs that return the results of validation at each step in validating a DNSSEC chain up to a trust anchor.

Perl modules:

Net::DNS::SEC::Tools::conf: Parses Net::DNS::SEC::Tools-specific configuration files.
Net::DNS::SEC::Tools::keyrec: Manipulates key records for the dnssec-tools that deal with keys.
Net::DNS::SEC::Tools::tooloptions: Implements option lists for Perl-based dnssec-tools for key manipulation.
Net::DNS::ZoneFile::Fast: We've taken over development of this module and have made it DNSSEC compliant so it can load zone files containing DNSSEC records.

Patches or plugins to other applications:

Sendmail / Postfix / libspf: A patch to validate SPF rules, incoming connections, etc. against DNSSEC records to ensure that lookups within MTAs are not using spoofed DNS records.
Thunderbird: A plugin that automatically displays the DNSSEC validation headers in the Thunderbird e-mail reader.
FireFox & Mozilla: A patch that enables DNSSEC validation of DNS lookups in the Firefox application suite (the Firefox browser, Mozilla, etc.).
LogWatch: A configuration plugin for logwatch that has it perform DNSSEC parsing of system logging messages from running BIND servers. (This patch is now included in the latest release of logwatch.) [example output]

Last modified: Mon Nov 2 12:14:53 PST 2009