Is your domain secure?
The goal of the DNSSEC-Tools project is to create a set of tools, patches, applications, wrappers, extensions, and plugins that will help ease the deployment of DNSSEC-related technologies.
For more information about this project and the tools that are being developed and provided, please see our project web page at:
Most of the tools, perl modules, and other things described on the web page above are easily installed by following the instructions in the INSTALL file. However, some of the results of this package are patches to external programs that will hopefully be fed back into those projects where possible. In the meantime, there are patches included within this source tree that can be applied to those other projects.
The various pieces of the DNSSEC-Tools project are spread across several directories. These pieces are briefly described here.
Most of the tools take a --version flag to let you know their individual version number. The numbers reported will be < 0.9 if they're to be considered "alpha" quality. If >= 0.9 and < 1.0 then they should be considered "beta". Version numbers of 1.0 and above should be considered more well-tested, robust and less likely to change.
Perl scripts for signing DNSSEC zones and maintaining those signed zones. See the tools/scripts/README file for details. The vast majority of the useful DNSSEC-Tools scripts (like zonesigner) are contained in this directory.
A tool which can display the sequence of queries and their results used to validate a DNS query. The stderr output of this command can serve as input to the drawvalmap tool described below.
A dnssec aware zone file checker / lint-like application.
Runs donuts on zone files on a regular bases (eg, daily) and emails the results. Useful for knowing when zone data breaks due to DNSSEC signatures expiring or other data consistency issues).
Patches to logwatch configuration files and scripts to manage log files for BIND security function. These patches are now included in the recent releases of logwatch and may not be needed if you have a recent release.
A tool which can produce visual diagrams of DNS traffic flows which have been captured using tcpdump.
A tool that can generate graphical maps of DNS zones, including color coding of DNSSEC related data.
DNSSEC-Tools Perl modules. These modules provide interfaces for such things as reading configuration files and manipulating DNSSEC-Tools-specific data.
A perl module wrapper around the libval library.
A variation of dnspktflow which can produce visual diagrams of DNS queries sent by the validator while performing DNSSEC validation. The input for this command can come from the validate tool described above.
Data required by DNSSEC-Tools programs.
This is a script which can be used to securely auto-update a DNS entry when an IP address is assigned to an interface.
Patch files to be applied to existing programs.
A library that is capable of sending queries to, and receiving answers from a DNSSEC-aware name server.
A library that provides DNSSEC resource-record validation functionality.
Patches to libspf2 to provide DNSSEC validation of DNS queries.
Contains the following:
- Patches to firefox to enable DNSSEC name checking validation on visited URLs.
- Patches to thunderbird to enable DNSSEC name checking validation on visited URLs
- An extension that displays DNSSEC status information
- A thunderbird extension to display the x-dnssec field in the Received-SPF header.
Patches to sendmail and spfmilter to provide DNSSEC validation of DNS queries.