From DNSSEC-Tools
DNSSEC-Tools Component
This page describes DNSSEC-Nodes, which is in the Recursive Domain Name Server Tools category within the DNSSEC-Tools Components framework of tools.
Tool Name: DNSSEC-Nodes
Tool Type: Recursive Domain Name Server Tools
Manual: Manual
Example: Example
CLI: Help
Tutorial: Tutorial
How To: How To
Download: DNSSEC-Nodes

The DNSSEC-Nodes application is a graphical debugging utility that allows administrators to watch the data being logged into a libval or bind logging file.

Watch the Demonstration Video!!!

DNSSEC-Nodes Screen Shot


  • Dynamically issue DNS requests; the results immediately update the graph
  • Display data found in log files from:
    • the DNSSEC-Tools validating library (libval)
    • bind / named
  • Filter results on the screen based on:
    • DNS Resource Record Types (A, AAAA, ...)
    • DNSSEC Status Results (Validated, Trusted, ...)
    • Regular expression name matching ("dnssec-tools")

Color Legend

The Help menu has a Legend option which will show the following screen:


How to Use DNSSEC-Nodes

By default, DNSSEC-Nodes starts with only a single node: the "root" node. As you start collecting information about other DNSSEC nodes, the graph will expand outward from this central node.


Note: the root node is colored yellow because the trust anchor configured for it is assumed to be trusted as configured by the operator. Technically, it is not "validated" since nothing validated it.

Querying for a DNS Record

The toolbar at the bottom of the screen has a text box for querying for new nodes, as well as a selector for the record type to query. It also has zoom buttons allowing you to zoom in and out of the display.


Enter a name to look up in the bottom of the box. Here are some interesting names to try:

  • www.dnssec-tools.org (validated; i.e. green)
  • www.cnn.com (trusted and not validated; i.e. yellow)
  • badsign-a.test.dnssec-tools.org (untrusted/bogus; i.e. red)

Once you enter a name, hit return to see the graph updated with the new data.


Getting the Details

If you click on any node you'll get an informational line at the top of the display telling you the name of the node you clicked on, as well as offering you a "Details..." button for showing additional information. Alternatively, if you right-click on a node it'll bring up the additional information dialog box immediately.

The "additional information" dialog box presents you with all the details seen for the node so far. For example, here's the dialog box for the cnn.com node:


In this case, we've noticed that the DS record provably does not exist: the signed parent zone has proven that there is no DS for cnn.com. This is where the tree becomes "provably insecure", and everything beyond it can only be "trusted", never "validated" (unless additional trust anchors have been configured into the validator).

Note for experts: although the DS record is actually published by the parent zone, its owner name is the child's name, and this graph places data based on the name associated with the record, not on which zone serves it.

The "Log Messages" tab also allows you to see the exact log messages from the validator that were captured and decoded.

Applying Data Filters

DNSSEC-Nodes also lets you selectively highlight nodes of particular interest based on:

  • Their DNSSEC Status (Validated, Trusted, Failed Validation, ...)
  • DNS Data Types (A, AAAA, DS, DNSKEY, ...)
  • By Name

Once you activate one of these filters, a configuration widget is displayed letting you further refine your filtering choices.

Here's a screen showing the highlighting of any nodes that have failed validation. The rest of the nodes have been "dimmed" and the filtered nodes are also raised to the top of the stack for better visibility in cluttered diagrams.


Watching DNS Log Files

Under the file menu, you'll find menu options that will let you watch log files and continually update the graph as new data arrives. You'll need to configure your validating software to display the necessary debugging data to make use of this, however, and details for doing this can be found below.


The DNSSEC-Tools validating library (libval) can be configured globally within the dnsval.conf file (e.g., /etc/dnssec-tools/dnsval.conf) by adding a line like the following, which sends level-9 debugging output to a file:

       log 9:file:/var/log/libval.log

Then you can use the File -> Open and Watch a Log File menu item to track what happens in this file.

bind / named

The bind/named software can be configured to turn on very verbose debugging, which dnssec-nodes can then use by adding the following lines to the named.conf file (in a section of its own; i.e., not in the options section).

 logging {
       channel default_debug {
               file "/var/log/named/named.log"
                  versions 2
                  size     100m;
               severity debug 9;
               print-category yes;
               print-severity yes;
       };
       // Route the default category (everything not assigned elsewhere)
       // explicitly at the channel above.
       category default { default_debug; };
 };

This log file can then be watched using DNSSEC-Nodes. Note that debug level 9 is extremely verbose and the log will contain every query the server handles; the "versions" and "size" clauses above rotate the file so it cannot grow without bound, and the file should be readable only by the accounts that need it.




Limiting The Maximum Number of Nodes Shown

Using the Options -> Preferences menu, you can configure two methods of limiting the number of nodes shown on the screen. As the number of nodes gets very large, the application begins to slow down. These options phase out older data based either on the number of nodes collected so far or on time: you can show at most a given number of nodes, or drop nodes whose data was last updated more than a given time ago. Both limits can be enabled at the same time, in which case whichever one triggers first removes the node.
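The filtering, log-watching and node-limiting behaviour described in the three sections above can be modelled in a few dozen lines. The following is an added example written for this page; it is not DNSSEC-Nodes or DNSSEC-Tools code. The log line format it parses ("<epoch-seconds> <owner-name> <rrtype> <status>") and the sample lines are constructed for illustration and are not libval's or named's real message format, and the names Graph, parent_of, follow, highlight and prune are hypothetical. It grows a graph outward from the root as lines arrive, reports each node's worst status, highlights nodes by status, record type or name regex, and phases out stale nodes by age or count, pruning only leaves so the graph stays connected to the root.

```python
import re
import time
from typing import Iterator, List, Optional

# Constructed sample log (an assumption for this example, not libval's or
# named's real message format): "<epoch-seconds> <owner-name> <rrtype> <status>".
SAMPLE_LOG = [
    "1000 . DNSKEY TRUSTED",                          # root: trust anchor, yellow
    "1001 org DS VALIDATED",
    "1002 org DNSKEY VALIDATED",
    "1003 dnssec-tools.org DS VALIDATED",
    "1004 dnssec-tools.org DNSKEY VALIDATED",
    "1005 www.dnssec-tools.org A VALIDATED",          # green
    "1006 com DS VALIDATED",
    "1007 com DNSKEY VALIDATED",
    "1008 cnn.com DS PROVABLY_INSECURE",              # no DS: subtree can only be trusted
    "1009 www.cnn.com A TRUSTED",                     # yellow
    "1010 test.dnssec-tools.org DNSKEY VALIDATED",
    "1011 badsign-a.test.dnssec-tools.org A BOGUS",   # red
]
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z0-9]+)\s+([A-Z_]+)$")
SEVERITY = ("BOGUS", "PROVABLY_INSECURE", "TRUSTED", "VALIDATED")  # worst first


def parent_of(name: str) -> Optional[str]:
    # 'www.example.org' -> 'example.org', 'org' -> '.', '.' -> None
    if name == ".":
        return None
    _head, sep, rest = name.partition(".")
    return rest if sep else "."


class Graph:
    def __init__(self) -> None:
        # name -> {"parent", "records": {rrtype: status}, "updated": epoch}
        self.nodes = {".": {"parent": None, "records": {}, "updated": 0}}

    def _ensure(self, name: str, ts: int) -> None:
        # Create the node and any missing ancestors: the graph grows outward from the root.
        while name is not None and name not in self.nodes:
            self.nodes[name] = {"parent": parent_of(name), "records": {}, "updated": ts}
            name = parent_of(name)

    def ingest(self, line: str) -> Optional[str]:
        m = LINE_RE.match(line.strip())
        if not m:
            return None  # unrelated or garbled line: ignore rather than stop watching
        ts, name, rrtype, status = int(m[1]), m[2].rstrip(".") or ".", m[3], m[4]
        self._ensure(name, ts)
        node = self.nodes[name]
        node["records"][rrtype] = status
        node["updated"] = max(node["updated"], ts)
        return name

    def status(self, name: str) -> str:
        # A node with several records takes the worst status seen for it.
        seen = set(self.nodes[name]["records"].values())
        return next((s for s in SEVERITY if s in seen), "UNKNOWN")

    def highlight(self, status=None, rrtype=None, name_re=None) -> List[str]:
        # Names passing every given filter; a UI would dim the rest.
        return sorted(
            name for name, node in self.nodes.items()
            if (status is None or self.status(name) == status)
            and (rrtype is None or rrtype in node["records"])
            and (name_re is None or re.search(name_re, name)))

    def prune(self, now: int, max_nodes: Optional[int] = None,
              max_age: Optional[int] = None) -> List[str]:
        # Repeatedly drop the stalest leaf while it is older than max_age or the
        # graph holds more than max_nodes; the root and interior nodes stay.
        removed = []
        while True:
            parents = {n["parent"] for n in self.nodes.values()}
            leaves = [n for n in self.nodes if n != "." and n not in parents]
            if not leaves:
                break
            victim = min(leaves, key=lambda n: self.nodes[n]["updated"])
            too_old = max_age is not None and now - self.nodes[victim]["updated"] > max_age
            too_many = max_nodes is not None and len(self.nodes) > max_nodes
            if not (too_old or too_many):
                break
            del self.nodes[victim]
            removed.append(victim)
        return removed


def follow(path: str, poll: float = 0.5) -> Iterator[str]:
    # Yield lines as they are appended to path (the "Open and Watch a Log File" idea).
    with open(path) as fh:
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll)


if __name__ == "__main__":
    g = Graph()
    for entry in SAMPLE_LOG:  # replace with follow("/var/log/libval.log") to tail a real file
        g.ingest(entry)
    for name in sorted(g.nodes):
        print(f"{name:35} {g.status(name)}")
    print("failed validation:", g.highlight(status="BOGUS"))
    print("pruned:", g.prune(now=1011, max_age=5))
```

With the sample lines loaded, the root reports TRUSTED (yellow, as the tutorial explains), www.dnssec-tools.org VALIDATED, cnn.com PROVABLY_INSECURE with www.cnn.com merely TRUSTED below it, and badsign-a.test.dnssec-tools.org BOGUS. Pruning only leaves is a design choice so that an old zone-apex node is not removed from under a child that is still on screen; a real watcher would also want to cap how many lines it buffers before drawing.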


Example Log-Watching Screen-Shots

Here's a sample screen-shot of loading the cnn.com web page using the DNSSEC-Tools instrumented version of Firefox: