DNSSEC-Tools is a project that provides tools for DNS administrators.
The DNSSEC-Tools package is a collection of tools, scripts, Perl modules, C libraries, and application patches that are useful for DNS zone administrators and end users to deploy DNS Security (DNSSEC).
The various pieces of the DNSSEC-Tools project are spread across several directories. These pieces are briefly described here.
Most of the tools take a --version flag that reports their individual version number. A reported version < 0.9 means the tool should be considered "alpha" quality. A version >= 0.9 and < 1.0 should be considered "beta". Versions of 1.0 and above should be considered better tested, more robust, and less likely to change.
CONTENTS of "DNSSEC Tools":
- A library that is capable of sending queries to, and receiving answers from, a DNSSEC-aware name server.
- A library that provides DNSSEC resource-record validation functionality.
- Application Patches and DNSSEC Support:
  - Patches to libspf2 to provide DNSSEC validation of DNS queries.
  - Patches to Mozilla 1.7.10 to enable DNSSEC name checking validation on visited URLs.
  - Patches to sendmail and spfmilter to provide DNSSEC validation of DNS queries.
  - A Thunderbird extension to display the x-dnssec field in the Received-SPF header.
- Perl scripts for signing DNSSEC zones and maintaining those signed zones. See the tools/scripts/README file for details. The vast majority of the useful DNSSEC-Tools scripts (like zonesigner) are contained in this directory.
- A tool which can display the sequence of queries and their results used to validate a DNS query. The stderr output of this command can serve as input to the drawvalmap tool described below.
- A DNSSEC-aware zone file checker / lint-like application.
- Runs donuts on zone files on a regular basis (e.g., daily) and emails the results. Useful for knowing when zone data breaks due to DNSSEC signatures expiring or other data consistency issues.
- Patches to logwatch configuration files and scripts to manage log files for BIND security function. These patches are now included in the recent releases of logwatch and may not be needed if you have a recent release.
- A tool which can produce visual diagrams of DNS traffic flows which have been captured using tcpdump.
- A tool that can generate graphical maps of DNS zones, including color coding of DNSSEC related data.
- DNSSEC-Tools Perl modules. These modules provide interfaces for such things as reading configuration files and manipulating DNSSEC-Tools-specific data.
- A Perl module wrapper around the libval library.
- A variation of dnspktflow which can produce visual diagrams of DNS queries sent by the validator while performing DNSSEC validation. The input for this command can come from the validate tool described above.
- Data required by DNSSEC-Tools programs.
- This is a script which can be used to securely auto-update a DNS entry when an IP address is assigned to an interface.
- Patch files to be applied to existing programs.
What's New in This Release:
· This release contains many new features, including support for nsec3, enhanced rollerd deployment modes, and new tools such as lsdnssec and getds.
· Additionally, it contains some bugfixes over the 1.4 series of code.