From DNSSEC-Tools
Revision as of 14:42, 14 April 2008 by Hardaker

The DNSSEC-Tools tutorials are written in sections that are each targeted towards the needs of particular users. Feel free to read just the sections you need, or to browse through them all. If you browse them all, be aware that some tools are listed in multiple sections if they're of use to multiple types of DNSSEC-Tools users.

How to Use DNSSEC-Tools / ShortTorials

In large part, how to use DNSSEC-Tools depends on who you are, and how you want to use DNSSEC. The following are descriptions of the expected types of uses/users of DNSSEC-Tools and links to wiki pages with short tutorials on which DNSSEC-Tools to use for that purpose and how to get up and running with those tools.

If you want to try the commands yourself, be sure to get and install DNSSEC-Tools first.

This screenshot shows some of the most popular DNSSEC-Tools components (in yellow) and what their primary user is intended to be:

Authoritative Zone: ShortTorial

Administrators of authoritative zones will want to set up and maintain DNSSEC-supporting authoritative zones. These administrators are responsible for one or more DNS zones and want at least some of the zones to be signed, with DNSSEC-validated data available for the signed zones. Most administrators who are responsible for an authoritative zone are also authoritative server administrators, but not always. DNSSEC-Tools provides tools for easily signing a zone and verifying that the resulting data is valid.

If you only want to learn one new thing today, then learn to Sign Your Zone.

Authoritative Server: ShortTorial

Administrators of authoritative servers will want to set up and maintain a DNSSEC-supporting authoritative DNS server. They are responsible for one or more servers that serve out zones with signed, DNSSEC-validated data. With the possible exception of end applications, this is where the majority of DNSSEC zone maintenance is done and where the majority of DNSSEC-Tools can help. DNSSEC-Tools provides tools for easily signing a zone, ensuring that a zone is always signed, rolling signing keys on a regular basis, and verifying that the resulting data is valid.

Recursive Server: ShortTorial

Recursive server administrators will want to set up and maintain a DNSSEC-aware validating recursive server. Validating servers are Domain Name Servers that perform DNS look-ups and verify the integrity of the data using DNSSEC data published with the zone records. Validating recursive servers may operate on a small or large scale. A recursive server could be run for the use of a single machine, a small network, a large enterprise or an ISP. The DNS would be configured with a list of zones that require DNSSEC validation and the trust anchors that are used as cryptographic starting points. DNSSEC-Tools provides tools for managing trust anchors, detecting and tracking trust anchor changes, as well as debugging tools for identifying the source of DNS-related problems.

Develop DNSSEC-aware applications: ShortTorial

Application developers will want to add DNSSEC support to their applications. DNSSEC-Tools' libval and libsres provide needed application-level DNSSEC validation and results to application developers.

Using DNSSEC-aware applications: ShortTorial

End-users at the desktop will want to use DNSSEC-aware applications on their machine. They could be someone who wants their application to check DNSSEC validation when web browsing, making connections with ssh, or downloading files with wget. They could also be a person, group, or company that wants to have their mail (MTA) server use DNSSEC validation when sending out mail. DNSSEC-Tools provides a plethora of application patches that have been created as part of the DNSSEC-Tools project that allow various applications to support DNSSEC directly using the libval DNSSEC validating library. Read the ShortTorial for more info.

Using DNSSEC-Tools with Split-View Zones: ShortTorial

Current operation of the Domain Name System allows for the creation of multiple views of data, where the answer returned in response to a query is dependent on the origin of the query. For example, an organization may wish its DNS server to provide different answers to queries originating on the organization's LAN than it provides to queries coming from the outside world.

Read the ShortTorial for more info.

Options with Running rollerd, the DNSSEC-Tools Zone Rollover Manager: ShortTorial

rollerd is the zone rollover manager provided by DNSSEC-Tools. There have been a number of optional enhancements provided since it was first introduced, such as an alternate queuing method and site-specific rollover commands.

Read the ShortTorial for more info.

Rollover Realms: Multiple, Simultaneous, Independent Rollover Environments: ShortTorial

The rollover environment provided by DNSSEC-Tools allows multiple instances of rollerd to execute at once. However, it can be a little tricky initializing, running, and managing these distinct rollover environments. The DNSSEC-Tools realms tools make it easier to use a set of independent rollover environments instead of a single monolithic environment.

Read the ShortTorial for more info.