MAKETESTZONE(1)       User Contributed Perl Documentation      MAKETESTZONE(1)



NAME

       maketestzone - generates a test DNSSEC zone that can be used to test
       DNSSEC validators and applications


SYNOPSIS

       maketestzone -v -d mytestzone.example.com


DESCRIPTION

       The maketestzone script generates a zone file for a given domain name,
       signs it, and then modifies the signed data to invalidate portions of
       it in particular ways.  Each generated record is named to reflect how
       its security data was modified: the gooda record contains an A record
       with valid DNSSEC data, while the badseca record contains an A record
       whose signature has been altered so that it no longer validates.

       The resulting zone can then be served, and validating resolvers,
       applications, and other software can be pointed at it to see whether
       they fail or succeed as the DNS security policy being deployed
       requires.  A correct validator answers for the good* names and treats
       the bad* names as bogus (by default a SERVFAIL response).

       After the files are generated, consider running donuts on them to see
       how the data in them has been tampered with to be invalid.


PRE-REQUISITES

       zonesigner from the dnssec-tools project

       bind software 9.3.1 or greater


GETTING STARTED

       To get started creating a new zone, you'll need to tell zonesigner to
       create new keys for all of the new zones that maketestzone creates.
       Thus, the first run of maketestzone should look like:

       First Time:
           maketestzone -k [OTHER DESIRED OPTIONS]

       After that, the generated zone files can be loaded and served in a test
       server.

       Once every 30 days (the default signature lifetime zonesigner uses) the
       script must be rerun to recreate the records and resign the data so
       that the signature validity periods remain valid (or, for the records
       meant to be broken, invalid).  Without -k the existing keys are reused.

       Every 30 days:
           maketestzone [OTHER DESIRED OPTIONS]

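       Once the zone is served, the check a practitioner wants is that a
       validating resolver really does accept the good* names and reject the
       bad* ones, and that the rejection is a validation failure rather than
       a serving problem.  The script below is an added example (it is not
       part of maketestzone or DNSSEC-Tools) that does this with Net::DNS
       instead of the dig script that --sh-test-out writes.  The resolver
       address, the zone name and the expectation table are assumptions for
       illustration; extend %expect with the other prefixes you generated.

```perl
#!/usr/bin/perl
# Added example (not part of maketestzone or DNSSEC-Tools): query a
# validating resolver for the generated test names and check that it
# accepts the good* records and refuses the bad* ones.  The resolver
# address, zone name and %expect table are assumptions for illustration.
use strict;
use warnings;
use Net::DNS;

my $zone     = 'mytestzone.example.com';   # assumed: the -d value you used
my $resolver = '127.0.0.1';                 # assumed: a validator trusting this zone

# prefix => [ rrtype, expected rcode, expected AD flag ]
# A validator must answer good* with AD=1 and refuse badsec* with
# SERVFAIL, because the RRSIG was altered and the data is bogus.
my %expect = (
    gooda   => [ 'A', 'NOERROR',  1 ],
    badseca => [ 'A', 'SERVFAIL', 0 ],
);

# One query with the DO bit set, so the resolver validates and reports AD.
sub check_name {
    my ($res, $name, $type, $want_rcode, $want_ad) = @_;
    my $reply = $res->send($name, $type);
    return "FAIL     $name/$type: no reply" unless $reply;
    my $rcode = $reply->header->rcode;
    my $ad    = $reply->header->ad ? 1 : 0;
    my $ok    = ($rcode eq $want_rcode && $ad == $want_ad);
    return sprintf("%-8s %s/%s rcode=%s ad=%d (expected %s ad=%d)",
                   $ok ? 'PASS' : 'FAIL', $name, $type, $rcode, $ad,
                   $want_rcode, $want_ad);
}

# The same query with CD (checking disabled) set: the resolver must now
# hand back the bogus data with NOERROR.  If it still SERVFAILs, the
# problem is in serving the zone, not in validation.
sub check_cd {
    my ($res, $name, $type) = @_;
    my $reply = $res->send($name, $type);
    return "FAIL     $name/$type +cd: no reply" unless $reply;
    my $rcode = $reply->header->rcode;
    return sprintf("%-8s %s/%s +cd rcode=%s (expected NOERROR)",
                   $rcode eq 'NOERROR' ? 'PASS' : 'FAIL', $name, $type, $rcode);
}

my $res = Net::DNS::Resolver->new(
    nameservers => [$resolver],
    recurse     => 1,
    dnssec      => 1,   # EDNS0 with DO: ask for RRSIGs and let the resolver validate
);

for my $prefix (sort keys %expect) {
    my ($type, $rcode, $ad) = @{ $expect{$prefix} };
    print check_name($res, "$prefix.$zone", $type, $rcode, $ad), "\n";
}

# Re-ask for the broken record with checking disabled.
my $res_cd = Net::DNS::Resolver->new(
    nameservers => [$resolver], recurse => 1, dnssec => 1,
);
$res_cd->cdflag(1);
print check_cd($res_cd, "badseca.$zone", 'A'), "\n";
```

       Run it against the resolver that is configured to trust the key
       zonesigner generated for the zone; the +cd query is the part the
       generated dig script does not do for you, and it is what separates
       "validator rejected bogus data" from "the zone is not loaded".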

OPTIONS

       Below are the options that are accepted by the maketestzone tool.

   Output File Naming:
       -o STRING
       --output-file-prefix=STRING
           Output prefix to use for zone files (default = db.)

       -O STRING
       --output-suffix-signed-file=STRING
           Output suffix to be given to zonesigner (default = .zs)

       -M STRING
       --output-modified-file=STRING
           Output suffix for the modified zone file (default = .modified)

       -D
       --run-donuts
           Run donuts on the results

       --donuts-output-suffix=STRING
           The file suffix to use for donuts output (default = .donuts)

   Output Zone Information:
       -d STRING
       --domain=STRING
           Domain name to generate records for

       --ns=STRING
       --name-servers=STRING
       -n STRING
           Comma-separated name=addr name-server records

       --a-addr=STRING
       --a-record-address=STRING
           A record (IPv4) address to use in data

       --aaaa-addr=STRING
       --aaaa-record-address=STRING
           AAAA record (IPv6) address to use in data

   Output Data Type Selection:
       -p STRING
       --record-prefixes=STRING
           Comma-separated list of record prefixes to use

       -P STRING
       --ns-prefixes=STRING
           Comma-separated list of NS record prefixes to use

       -c
       --no-cname-records
           Don't create CNAME records

       -s
       --no-ns-records
           Don't create sub-zone records

   Task Selection:
       -g
       --dont-generate-zone
           Do not generate the zone; use the existing one and sign/modify it

       -z
       --dont-run-zonesigner
           Do not run zonesigner to sign the records

       -Z
       --dont-destroy
           Do not tamper with the signed records; leave them all properly
           signed

       --bind-config=STRING
           Generate a bind configuration file snippet to load the DB sets

       --html-out=STRING
           Generate an HTML page containing a list of record names

       --apache-out=STRING
           Generate an Apache config snippet for configuring apache for each
           zone record

       --sh-test-out=STRING
           Generate a test script for running dig commands

       -v
       --verbose
           Verbose output

   Zonesigner Configuration:
       -a STRING
       --zonesigner-arguments=STRING
           Arguments to pass to zonesigner

       -k
       --generate-keys
           Have zonesigner generate needed keys

   Bind Configuration Options:
       --bind-db-dir=STRING
           The base directory where the bind DB files will be placed

   HTML Output Configuration:
       --html-out-add-links
           Make each html record name an http link to that address

       --html-out-add-db-links
           Add a link to each of the generated DB files.

       --html-out-add-donuts-links
           Add a link to each of the generated donuts error list files.

   SH Test Script Configuration Options:
       --sh-test-resolver=STRING
           The resolver address to force

   Help Options:
       -h  Display a help summary (short flags preferred)

       --help
           Display a help summary (long flags preferred)

       --help-full
           Display all help options (both short and long)

       --version
           Display the script version number.


ADDING NEW OUTPUT

       The following section discusses how to extend the maketestzone tool
       with new output modifications.

180   ADDING LEGEND INFORMATION
       For the legend HTML output, the %LegendInformation hash contains a
       keyname and description for each modification type.

184   ADDING NEW SUBZONE DIFFERENCES
       The %zonesigner_domain_opts hash lists the additional arguments passed
       to zonesigner when it is called for particular sub-domains.  Thus you
       can create additional sub-zones with different zonesigner options to
       test other operational parameters between parent and child.  For
       example:

          'rollzsk-ns.' . $opts{'d'} => '-rollzsk',

       forces the rollzsk-ns test sub-zone to roll its ZSK when the zone is
       signed.

195   ADDING NEW RECORD MODIFICATIONS
       Maketestzone is in early development stages but already has the
       beginnings of an extensible system allowing you to modify records at
       will based on regexp => subroutine hooks.

       To add a new modification, add a new prefix keyword to the default
       value of the -p flag (and, for sub-zone records, the -P flag), or
       supply it at run time, and then add a new entry to the %destroyFunctions
       hash whose regular expression matches records carrying your keyword.
       When the signed file is parsed and a record matching your expression is
       hit, your function will be called.  Extra arguments can be given to the
       function by registering an array reference instead of a plain code
       reference: the first element is the subroutine to call and the
       remainder are the additional arguments.  Output lines should be printed
       to the $fh file handle; the signed zone is read from the I file handle.

       Here's an example function that deletes the RRSIG signature of the
       record set that follows the matched record:

         sub delete_signature {
             # $name is passed by the hook dispatcher; $type and $expr come
             # from the array reference the subroutine was registered with.
             my ($name, $type, $expr) = @_;

             Verbose("  deleting signatures of $name");

             # print the matched line itself unchanged
             print $fh $_;

             # assumes the parenthesised multi-line RRSIG layout zonesigner
             # writes: the RRSIG ends on the line containing ')'.
             my $inrec = 0;
             while (<I>) {
               # a line starting with an owner name begins the next record
               # set, so we're done (that line is left in $_ for the caller).
               last if /^\w/;

               # "$expr $type" (e.g. "RRSIG DS") opens the signature to drop
               $inrec = 1 if (/$expr\s+$type/);

               # print the line only if we're not inside that rrsig record
               print $fh $_ if (!$inrec);

               # the closing parenthesis ends the rrsig record
               $inrec = 0 if (/\)/);
             }
         }

       This is then registered within %destroyFunctions.  Here's an example of
       registering the function to delete the signature on a DS record: the
       hook fires on the NS record of any name beginning with "nosig", and the
       two extra arguments make the function drop the "RRSIG DS" that follows
       it:

          '^(nosig[-\w]+).*IN\s+NS\s+' => [\&delete_signature, 'DS', 'RRSIG'],

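       The dispatch loop and a second hook, shown together as an added,
       self-contained example.  This is not maketestzone's own code: the
       dispatcher, its calling convention (hooks receive the owner name, the
       line array, the current index and an output array rather than the $fh
       and I file handles used above) and the zone excerpt are constructed
       here for illustration.  The two hooks mirror delete_signature above and
       the badsec* signature modification the DESCRIPTION mentions, so the
       output shows both a record set served without its RRSIG and one served
       with a well-formed but invalid signature.

```perl
#!/usr/bin/perl
# Added example, not maketestzone's own code.  A stand-in for the
# regexp => subroutine hook loop: the dispatcher and its calling
# convention (hooks get the owner name, the line array, the current
# index and the output array, not maketestzone's $fh / I file handles)
# and the zone excerpt are all constructed here for illustration.
use strict;
use warnings;

# Constructed excerpt of a signed zone in the layout zonesigner emits:
# the owner name starts a line, continuation lines are indented, and a
# multi-line RRSIG closes with ')'.  Signature fields are placeholders.
my $signed_zone = <<'ZONE';
gooda.mytestzone.example.com.    86400 IN A  192.0.2.10
                                 86400 RRSIG A 8 4 86400 (
                                       20240301000000 20240201000000 12345
                                       mytestzone.example.com.
                                       AbCdEfGhIjKlMnOpQrStUvWxYz0123456789 )
badseca.mytestzone.example.com.  86400 IN A  192.0.2.11
                                 86400 RRSIG A 8 4 86400 (
                                       20240301000000 20240201000000 12345
                                       mytestzone.example.com.
                                       AbCdEfGhIjKlMnOpQrStUvWxYz0123456789 )
nosig-ns.mytestzone.example.com. 86400 IN NS ns.nosig-ns.mytestzone.example.com.
                                 86400 IN DS 12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
                                 86400 RRSIG DS 8 4 86400 (
                                       20240301000000 20240201000000 12345
                                       mytestzone.example.com.
                                       ZyXwVuTsRqPoNmLkJiHgFeDcBa9876543210 )
ZONE

# Walk the zone once.  On a matching line the hook is called with
# ($1, \@lines, $index, \@out, @extra_args); it pushes what it wants to
# keep onto @out and returns the index of the first line it did not
# consume.  Lines no hook claims are copied through unchanged.
sub modify_zone {
    my ($zone_text, $hooks) = @_;
    my @lines = split /\n/, $zone_text;
    my @out;
    my $i = 0;
    while ($i < @lines) {
        my $handled = 0;
        for my $re (sort keys %$hooks) {
            next unless $lines[$i] =~ /$re/;
            my ($sub, @args) = @{ $hooks->{$re} };
            $i = $sub->($1, \@lines, $i, \@out, @args);
            $handled = 1;
            last;
        }
        next if $handled;
        push @out, $lines[$i++];
    }
    return join("\n", @out) . "\n";
}

# Hook: drop the "$expr $type" (e.g. "RRSIG DS") that follows $name, so
# the record set is served with no signature at all.  Mirrors the
# delete_signature function above; assumes parenthesised multi-line
# RRSIGs as zonesigner writes them.
sub delete_signature {
    my ($name, $lines, $i, $out, $type, $expr) = @_;
    push @$out, $lines->[$i++];                        # keep the matched record
    my $inrec = 0;
    while ($i < @$lines && $lines->[$i] !~ /^\w/) {    # until the next owner name
        my $l = $lines->[$i++];
        $inrec = 1 if $l =~ /$expr\s+$type\b/;
        push @$out, $l unless $inrec;
        $inrec = 0 if $l =~ /\)/;
    }
    return $i;
}

# Hook: keep the RRSIG over $type but change one base64 character of the
# signature, so the record is still signed and syntactically valid yet no
# longer verifies (the case the badsec* records exercise).
sub corrupt_signature {
    my ($name, $lines, $i, $out, $type) = @_;
    push @$out, $lines->[$i++];
    my $inrec = 0;
    while ($i < @$lines && $lines->[$i] !~ /^\w/) {
        my $l = $lines->[$i++];
        $inrec = 1 if $l =~ /RRSIG\s+$type\b/;
        if ($inrec && $l =~ /\)\s*$/) {
            # closing line of the RRSIG: flip its first signature character
            $l =~ s{^(\s*)([A-Za-z0-9+/=])}{ $1 . ($2 eq 'A' ? 'B' : 'A') }e;
        }
        push @$out, $l;
        $inrec = 0 if $l =~ /\)/;
    }
    return $i;
}

# Hook table in the same shape as maketestzone's %destroyFunctions.
my %destroyFunctions = (
    '^(badsec[-\w]+).*IN\s+A\s+' => [\&corrupt_signature, 'A'],
    '^(nosig[-\w]+).*IN\s+NS\s+' => [\&delete_signature, 'DS', 'RRSIG'],
);

print modify_zone($signed_zone, \%destroyFunctions);
```

       In the printed zone the gooda record set is untouched, the last line of
       badseca's RRSIG now begins with "Bb" instead of "Ab", and nosig-ns keeps
       its NS and DS records but has no RRSIG DS at all.  Both hooks stop at
       the next line that begins with an owner name, the same convention the
       delete_signature example above relies on.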
COPYRIGHT

       Copyright 2004-2013 SPARTA, Inc.  All rights reserved.  See the COPYING
       file included with the DNSSEC-Tools package for details.


AUTHOR

       Wes Hardaker <hardaker@users.sourceforge.net>


SEE ALSO

       Net::DNS

       http://dnssec-tools.sourceforge.net

       zonesigner(1), donuts(1)


perl v5.32.1                      2021-01-26                   MAKETESTZONE(1)