DNSSEC: DNS Security Extensions
Securing the Domain Name System


 DNSSEC Software, DNSSEC Tools, DNSSEC Utilities


Autotrust by Matthijs Mekking, NLnet Labs

Autotrust is a command-line tool to automatically update your DNSSEC trust anchors. It is intended to run from a cron job and can run next to any validating resolver. It makes use of ldns and libunbound.

BIND 9 by Internet Systems Consortium (ISC)

The BIND nameserver from ISC is used on the vast majority of name-serving machines on the Internet and is the reference implementation of DNS. Most (not all) of the current DNSSEC projects are based on BIND version 9.x.

CADR by EP.NET, LLC

CADR (a somewhat contrived acronym for "DNSSEC Authenticated DNS Registry") is a registry for DNS data, i.e. a system in the same ballpark as registries run by TLDs to manage delegation information or, in some environments, run by registrars to manage delegation information for customers for further propagation to a registry (typically for a TLD). CADR differs from other registries by utilizing the in-band authentication of DNS data provided by DNSSEC. This enables a new level of simplicity in the management of the parent-child relation at a zone cut (aka a delegation point), and perhaps that makes CADR the first example of an application where DNSSEC adds simplicity rather than complexity. With CADR it becomes possible to mostly do away with the maintenance of delegation information in the parent and replace it with mostly a notification service, where the child admin informs the parent that it is time to synchronize the delegation information in the parent (presumably because the authoritative information in the child has been updated).

dig +sigchase patch by Olivier Courtay (ENST Bretagne)

This patch adds the +sigchase option to ISC's dig program. When using +sigchase with any regular DNS query, dig(1) will try to verify the SIG records that belong to the record and will further try to verify them recursively for all the keys and DS records that form the chain of trust, all the way up to any self-signed or unsigned key.

DLV Test by DNS-OARC

OARC maintains a number of DNS zones that may be used to test DLV registries for correct operation.
* These zones exist only so that they will be published in DLV registries.
* The zone content is intended to be very stable.
* The zones are signed with keys that expire in the year 2029, so that there are effectively no key rollovers.

DNS Reply Size Test by DNS-OARC

Recent increases in DNSSEC deployment are exposing problems with DNS resolvers (clients) that cannot receive large responses. The maximum reply size between a DNS server and client may be limited by a number of factors:
* If a client does not support the Extension Mechanisms for DNS (EDNS), replies are limited to 512 bytes.
* The client may be behind a firewall that blocks IP fragments.
* Some DNS-aware firewalls block responses larger than 512 bytes.
This test helps users identify resolvers that cannot receive large DNS replies.

DNSCheck by .SE, The Internet Infrastructure Foundation

DNSCheck is a program that was designed to help people check, measure and hopefully also understand the workings of the Domain Name System, DNS. When a domain (aka zone) is submitted to DNSCheck, it will investigate the domain's general health by traversing the DNS from the root (.) to the TLD (Top Level Domain, like .SE) and eventually to the nameserver(s) that hold the information about the specified domain (like iis.se). Some other sanity checks, for example measuring host connectivity, validity of IP addresses and control of DNSSEC signatures, will also be performed.

DNSJava by Brian Wellington (Nominum)

DNSJava is an implementation of DNS in Java. It supports all of the common record types and the DNSSEC types. It can be used for queries, zone transfers, and dynamic updates. It includes a cache which can be used by clients, and a minimal implementation of a server. It supports TSIG authenticated messages, partial DNSSEC verification, and EDNS0.

DNSPython by Bob Halley (Nominum)

DNS toolkit for Python. It supports almost all DNS record types. It can be used for queries, zone transfers, and dynamic updates. It supports TSIG authenticated messages and EDNS0.

DNSRuby by Nominet UK

Dnsruby is a thread-aware DNS stub resolver library written in Ruby, with support for DNSSEC (and NSEC3). It is based on resolv.rb, the standard Ruby DNS implementation, but gives a complete DNS implementation complying with all relevant RFCs. The Resolv class can be used to resolve addresses using /etc/hosts and /etc/resolv.conf, or the DNS class can be used to make DNS queries. These interfaces will attempt to apply the default domain and search list when resolving names. The Resolver and SingleResolver interfaces allow finer control of individual messages. The Resolver class sends queries to multiple resolvers using various retry mechanisms. The SingleResolver class is used by Resolver to send individual Messages to individual resolvers. Resolver queries return Dnsruby::Message objects. Message objects have five sections:
* The header section, a Dnsruby::Header object.
* The question section, a list of Dnsruby::Question objects.
* The answer section, a list of Dnsruby::Resource objects.
* The authority section, a list of Dnsruby::Resource objects.
* The additional section, a list of Dnsruby::Resource objects.
See also: DNSRuby project page.

DNSSEC Checker by SURFnet Labs

The DNSSEC Checking tool is an application that is able to validate your DNSSEC zones. This monitoring tool is able to find:
* network-related issues, such as firewall problems;
* trust-related issues, such as incorrect secure parent-to-child delegations;
* zone-related issues, such as time/duration problems;
* DNSSEC choices, such as NSEC vs. NSEC3.
The DNSSEC Monitoring tool can be consulted online; it is therefore not necessary to install any additional programs.

DNSSEC Debugger by VeriSign Labs

The DNSSEC Debugger from VeriSign Labs is an on-line tool to assist with diagnosing problems with DNSSEC-signed names and zones.

DNSSEC Key Management Tools by Olaf Kolkman (RIPE NCC)

This is a beta release of a DNSSEC key management tool that RIPE NCC has developed as part of the DISI project. This program suite was designed to ease DNSSEC key management. The suite provides a front-end to the BIND dnssec-keygen(8) and dnssec-signzone(8) tools. Besides a number of libraries, the suite contains the following programs:
1) maintkeydb: a shell in which you maintain your keys.
2) dnssigner: a signer that uses the key database to sign zones.
3) dnssecmaint-config: a tool to create an initial config.
4) dnssec-copyprivate: copies keypairs out of the key database to a different location (useful in combination with a dynamic zone).
Extensive documentation for this toolset is available as HTML or PDF.

DNSSEC Smartcard Utility by Jakob Schlyter, Haakan Olsson

This is a DNSSEC smartcard utility written for NIC-SE. Any PKCS#15 smartcard supported by OpenSC can be used; Axalto Cryptoflex was used during development. To run this software, you also need OpenSC, OpenCT, PCSC lite, and a PCSC egate driver (depending on the reader). Keys can be generated externally and copied to the smartcard(s), or generated on the card itself. It is recommended that you generate the key externally, since this lets you copy the key to multiple smartcards. The next step is to initialize the card, create a PIN code to protect the card, store the key on the card and (optionally) finalize the card (i.e. block the card from further initialization).

DNSSEC Toolkit by Olivier Courtay (ENST Bretagne)

A set of primitive C functions which allow you to build any kind of DNSSEC tool or resolver. The tarball provides an example tool based on the library. Works on Linux, FreeBSD and maybe others. Note: requires OpenSSL.

DNSSEC Tools (NIST.gov) by NIST.gov

Several DNSSEC Tools from the National Institute of Standards and Technology (NIST).

DNSSEC Tools Project (Sparta, Inc.) by Wes Hardaker et al (Sparta, Inc.)

The goal of the DNSSEC-Tools project is to create a set of tools, patches, applications, wrappers, extensions, and plugins that will help ease the deployment of DNSSEC related technologies. Most of the tools are under very active development.

DNSSEC Verification Tool by Noa Resare

This service looks up a specific DNS record that is signed using DNSSEC, and finds all the DNSKEY, RRSIG, DS and DLV records that are used by a validating resolver to determine that the looked-up record is correctly signed.

DNSSEC Walker by Simon Josefsson

This is a proof-of-concept of a utility to download DNS zone contents even when AXFR is disabled on the server, assuming DNSSEC is used. Optionally it can also verify all SIG RRs within a zone against the zone key. Requires Net::DNS::SEC.

DNSSEC Zone Key Tool (ZKT) by Holger Zuleger

DNSSEC Zone Key Tool is a small toolkit for DNSSEC zone and key management. The Zone Key Tool consists of two commands:
1) dnssec-zkt to create and list DNSSEC zone keys, and
2) dnssec-signer to sign a zone and manage the lifetime of the zone signing keys.
Both commands are simple wrapper commands around the dnssec-keygen(8) and dnssec-signzone(8) commands provided by BIND 9.3. They are designed to ease maintenance of DNSSEC-aware zones.

DNSSHIM by Registro.br

DNSSHIM is open-source software that implements the Domain Name System (DNS) protocol for the Internet. Its main feature is to work as a Hidden Master nameserver providing information only to authoritative slave servers. Furthermore, DNSSHIM has the ability to manage, store and automatically resign zones using the DNS Security Extensions (DNSSEC).

DNSViz - DNS Visualization Tool by Casey Deccio, Sandia National Laboratories

DNSViz is a tool for visualizing the status of a DNS zone. It was designed as a resource for understanding and troubleshooting deployment of the DNS Security Extensions (DNSSEC). It provides a visual analysis of the DNSSEC authentication chain for a domain name and its resolution path in the DNS namespace, and it lists configuration errors detected by the tool.

Drill by Miek Gieben, Jelte Jansen (NLnet Labs)

Drill is a tool similar to dig from BIND. It was designed with DNSSEC in mind and should be a useful debugging/query tool for DNSSEC.

Drill Extension for Firefox by Miek Gieben, Jelte Jansen (NLnet Labs)

This Firefox extension performs DNSSEC lookups for the main hostname of the current page. It uses Drill to chase the signatures up to a trusted key. The user can specify trusted keys by putting them in a directory of his choice. After installing the extension, the statusbar shows a new icon: normally, for unverified pages, the icon will be red. If the hostname record in the DNS is signed and can be traced up to a trusted key, the icon will be green.

IPSECKEY patch by David Fort (IRISA)

This is a patch that implements the IPSECKEY RR in BIND. IPSECKEY allows storage of public IPsec keys in DNS. When two hosts want to communicate over IPsec, they can fetch the public key of the other party from DNS. Keys can be attached to the FQDN or to the reverse address records (myhost.mydomain. or 1.0.0.10.in-addr.arpa.). Obviously these RRs are so sensitive that they should first be validated by DNSSEC before being used.

Java DNSSEC Tools by David Blacka (Verisign)

This is a collection of Java-based DNSSEC command-line tools. They are intended to be an addition to or replacement for the DNSSEC tools that are part of BIND 9. These tools depend upon DNSjava, the Jakarta Commons CLI and Logging libraries, and Sun's Java Cryptography Extensions. A copy of each of these libraries is included in the distribution. Currently, these tools use a custom version of the DNSjava library (for NSEC3 support), which is provided.

ldns by Miek Gieben, Jelte Jansen, Erik Roozendaal (NLnet Labs)

ldns is a library with the aim of simplifying DNS/DNSSEC programming in C. It is heavily based upon the Net::DNS module from Perl. With this library you can quickly create DNS/DNSSEC-aware programs. The library has support for verifying DNSSEC material, TSIG, and all DNS operations. Signing is currently not supported, but is on the TODO list. Some example programs are included, and there is a mailing list where ldns-related things are discussed.

libepp-nicbr by Registro.br

This is the LIBEPP-NICBR C++ library that partially implements the Extensible Provisioning Protocol (EPP), as described in RFC 5730, RFC 5731, RFC 5732, RFC 5733, RFC 5734 and RFC 3735. This library also supports RFC 4310: Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP).

libsresolv by David Fort (IRISA)

libsresolv is a library built with the BIND toolkit. It comes as a patch over the BIND 9.3 sources. It contains a DNSSEC resolver and validator. The goal is to show anything that can be proved from a DNSSEC answer. The validator proves positive and negative answers: it can prove that a domain doesn't exist, and it can also prove that some domains are empty non-terminals. libsresolv performs bottom-up validation; it is signature oriented.

Net::DNS::SEC by Olaf Kolkman (RIPE NCC)

This is an extension to Michael Fuhr's Net::DNS package with DNSSEC functionality. Net::DNS::SEC is tightly integrated with Net::DNS but distributed separately because of its dependency on libraries that may not port to all platforms.

Net::DNS::ZoneFile::Fast by Anton Berezin, Wes Hardaker

The Net::DNS::ZoneFile::Fast module provides the ability to parse the zone files that BIND8 and BIND9 use, fast. Currently it provides a single function, parse(), which returns a reference to an array of traditional Net::DNS::RR objects, so that no new API has to be learned in order to manipulate zone records. Great care was taken to ensure that parse() does its job as fast as possible, so it is interesting to use this module to parse huge zones. As an example data point, it takes less than 5 seconds to parse a 2.2 MB zone with about 72000 records on an Athlon XP 2600+ box. This module includes patches for DNSSEC.

NSD by NLnet Labs / RIPE NCC

The NLnet Labs Name Server Daemon (NSD) is an authoritative only, high performance, simple and open source name server. It comes with DNSSEC support. NSD is developed from scratch and does not share code or design with other implementations. NSD consists of two programs: the zone compiler 'zonec' and the name server 'nsd' itself. The name server works with an intermediate database prepared by the zone compiler from standard zone files. For NSD operation this means that zones have to be compiled by zonec before NSD can use them. All this can be controlled by a simple control script called 'nsdc' which uses a simple configuration file. NSD is currently used on root servers such as k.root-servers.net and is also in use by several top-level domain registries. NSD is also used as the name server software of DNSSEC appliances.

OpenDNSSEC by OpenDNSSEC Team

OpenDNSSEC is a tool which simplifies the process of signing one or more zones with DNSSEC. OpenDNSSEC handles the entire process from an unsigned to a signed zone automatically, including secure key management and timing issues. With OpenDNSSEC, fewer manual operations are needed by the operator. OpenDNSSEC makes sure that all the steps in the signing process are done in the correct order and at the right time, making sure that nothing breaks. The handling of the private keys associated with DNSSEC signing is secured by using so-called HSMs (Hardware Security Modules), so that the private keys cannot be leaked to an unauthorized third party but stay secured in hardware. It is an open source solution under a BSD license, which gives a green light to suppliers of commercial products who want to utilise the open source code and include it in their own software without having to open up their own code. OpenDNSSEC works on all Unix-like operating systems and is suitable both for those who sign only a single large zone (e.g. TLDs) and for those who have many small zones (e.g. web hosting companies, ISPs).

pydig by Shumon Huque

A small Python program to perform DNS queries. It works mostly similarly to the dig program that comes with BIND, and in general, for most queries, there is no reason to use it in preference to dig. However, it does a few things differently that the programmer needed from time to time, such as optionally presenting a hexdump of the rdata rather than decoding it, decoding the exponent in an RSA/SHA-1 DNSKEY, printing out the names of DNSSEC-related crypto hashes and algorithms, counting how many compression references were followed, etc. It also has an option to walk a DNSSEC-secured zone and enumerate all its resource records. RR type and class codes (qtype and qclass) unknown to this program can be specified with the TYPE123 and CLASS123 syntax. This program is self-contained, doesn't need to be installed in any particular location, and doesn't depend on any 3rd-party modules. All it needs is a recent version of Python (and its standard library).

Rapid Enumeration Tool (RET) by Nominet UK

The Rapid Enumeration Tool (RET) is designed to use DNSSEC NSEC records to quickly enumerate zone data whilst evading detection by systems which might be designed specifically to identify zone enumeration activity. It does this by using one or more open recursive resolvers to forward queries to the authoritative name servers for the zone. Each resolver is configured with its own 'personality', specifying query rates, query failure/success ratio, proportions of query types, query name decoration, etc. This allows the RET to feed each resolver queries that are specifically tailored to match the queries that resolver might typically send to the authoritative name server. Unlike other NSEC resource record 'walkers', the RET does not explicitly query for NSEC RRs to walk the zone. Instead, it combines a 'walker' approach with a dictionary attack (combined with a random name generator for more awkward cases). This means that discernible artifacts in the pattern of queries that arrive at the authoritative servers should be minimised.

Unbound for Linux / BSD / Solaris / MacOS by Verisign, NLnet Labs, Nominet, Kirei, EP.net

Unbound is a validating, recursive, and caching DNS resolver. The C implementation of Unbound is developed and maintained by NLnet Labs. It is based on ideas and algorithms taken from a Java prototype developed by Verisign Labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modular components, so that DNSSEC (secure DNS) validation and stub resolvers (that do not run as a server, but are linked into an application) are also easily possible. Unbound is IPv6 compatible. NSEC3 is also supported. The source code is under a BSD License.

Unbound for Windows Port by Nominet, NLnet Labs

Unbound is a validating, recursive, and caching DNS resolver. The C implementation of Unbound is developed and maintained by NLnet Labs. It is based on ideas and algorithms taken from a Java prototype developed by Verisign Labs, Nominet, Kirei and ep.net. Unbound is designed as a set of modular components, so that DNSSEC (secure DNS) validation and stub resolvers (that do not run as a server, but are linked into an application) are also easily possible. NSEC3 is also supported. Windows Unbound is IPv6 compatible. The source code is under a BSD License.

Vantages by Colorado State Network Security Group

Vantages is a general framework for doing distributed monitoring and actuation through a set of "applications" that are built using its general facilities. The framework centers around a single daemon (called vantaged) that is designed to be run on an operational system. Vantages stores all of its data in a SQLite database and runs an embedded webserver for administration and peering. Though Vantages is a generic framework, its current applications focus on operational issues surrounding DNSSEC. In this context, the daemon hosts several different operations and can be configured to help maintain DNSSEC operations. These applications are "D-Sync" and "DNSKEY Verification"; both are discussed in detail on the applications page.

vsResolver - Validating Stub Resolver by Bob Novas, Shinkuro, Inc.

The Validating Stub Resolver (vsResolver) is a DNS stub resolver that implements the Domain Name System Security Extensions (DNSSEC) specified in RFC 4033, RFC 4034 and RFC 4035. These add data origin authentication and data integrity to the Domain Name System. vsResolver extends the dnspython toolkit (dnspython) and uses the pycrypto library for its underlying crypto implementation (PyCrypto). Features:
* DNS Security Extensions (DNSSEC) Validating Stub Resolver
* Written in Python
* Extends dnspython, which uses pycrypto
* Returns a query result along with a DNSSEC rating of BOGUS, PROVABLY_INSECURE or SECURE
* Negative results (e.g., NXDOMAIN) are also rated as BOGUS, PROVABLY_INSECURE or SECURE
* See RFC 4033, RFC 4034 and RFC 4035 for details on DNSSEC
* Can be used as is as a utility to determine the DNSSEC status of a domain
* Can be used as a software library to provide DNSSEC validation to a DNS query

YAZVS - Yet Another Zone Validation Script by VeriSign Labs

yazvs.pl is one of the utilities that VeriSign uses daily to validate new versions of the root and arpa zones before they are published to the distribution masters. It performs the following steps:
1. Read a candidate zone file from disk
2. Validate KSKs using a locally configured trust anchor
3. Validate ZSKs using KSKs
4. Validate RRSIGs using ZSKs
5. Retrieve the current zone data via AXFR
6. Print a summary of the number of KSKs, ZSKs, DS, and RRSIG records that have changed
7. Optionally produce a Unix diff of the two zones, excluding RRSIG/NSEC/NSEC3 records

© 2002-2024 DNSSEC.NET. All rights reserved.
Page last modified on Mon 24 September 2018 00:48:24 CET