MAKETESTZONE(1)       User Contributed Perl Documentation      MAKETESTZONE(1)

NAME

       generaterecords - generates a test DNSSEC zone that can be used to test
       DNSSEC


SYNOPSIS

       generaterecords -v -d mytestzone.example.com


DESCRIPTION

       The generaterecords script generates a zone file, given a domain name,
       which is then signed and modified to invalidate portions of the data in
       particular ways.  Each generated record is named according to how its
       security data has been modified (the gooda record contains an A record
       with valid DNSSEC data, while the badseca record contains an A record
       whose signature has been modified to invalidate it).

       The results of this process can then be served, and validators,
       applications, and other security-aware software can be tested against
       them to see whether they properly fail or succeed under the DNS
       security policies being deployed.

       After the files are generated, consider running donuts on them to see
       how the data in them has been tampered with to make it invalid.


PRE-REQUISITES

       zonesigner from the dnssec-tools project
       bind software 9.3.1 or greater


GETTING STARTED

       To get started creating a new zone, you'll need to tell zonesigner to
       create new keys for all of the new zones that maketestzone creates.
       Thus, the first run of maketestzone should look like:

       First Time:
           maketestzone -k [OTHER DESIRED OPTIONS]

       After that, the generated zone files can be loaded and served in a test
       server.

       Once every 30 days (the zonesigner default) the script will need to be
       rerun to recreate the records and resign the data so the signature date
       stamps remain valid (or, in some cases, invalid).

       Every 30 days:
           maketestzone [OTHER DESIRED OPTIONS]


OPTIONS

       Below are the options that are accepted by the maketestzone tool.

       Output File Naming:

       -o STRING
       --output-file-prefix=STRING
           Output prefix to use for zone files (default = db.)

       -O STRING
       --output-suffix-signed-file=STRING
           Output suffix to be given to zonesigner (default = .zs)

       -M STRING
       --output-modified-file=STRING
           Output suffix for the modified zone file (default = .modified)

       -D
       --run-donuts
           Run donuts on the results

       --donuts-output-suffix=STRING
           The file suffix to use for donuts output (default = .donuts)

       Output Zone Information:

       -d STRING
       --domain=STRING
           Domain name to generate records for

       --ns=STRING
       --name-servers=STRING
       -n STRING
           Comma-separated name=addr name-server records

       --a-addr=STRING
       --a-record-address=STRING
           A record (IPv4) address to use in data

       --aaaa-addr=STRING
       --a-record-address=STRING
           AAAA record (IPv6) address to use in data

       Output Data Type Selection:

       -p STRING
       --record-prefixes=STRING
           Comma-separated list of record prefixes to use

       -P STRING
       --ns-prefixes=STRING
           Comma-separated list of NS record prefixes to use

       -c
       --no-cname-records
           Don't create CNAME records

       -s
       --no-ns-records
           Don't create sub-zone records

       Task Selection:

       -g
       --dont-generate-zone
           Do not generate the zone; use the existing one and sign/modify it

       -z
       --dont-run-zonesigner
           Do not run zonesigner to sign the records

       -Z
       --dont-destroy
           Do not destroy the records; leave them properly signed

       --bind-config=STRING
           Generate a bind configuration file snippet to load the DB sets

       --html-out=STRING
           Generate an HTML page containing a list of record names

       --apache-out=STRING
           Generate an Apache config snippet for configuring Apache for each
           zone record

       --sh-test-out=STRING
           Generate a test script for running dig commands

       -v
       --verbose
           Verbose output

       Zonesigner Configuration:

       -a STRING
       --zonesigner-arguments=STRING
           Arguments to pass to zonesigner

       -k
       --generate-keys
           Have zonesigner generate needed keys

       Bind Configuration Options

       --bind-db-dir=STRING
           The base directory where the bind DB files will be placed

       HTML Output Configuration

       --html-out-add-links
           Make each HTML record name an HTTP link to that address

       --html-out-add-db-links
           Add a link to each of the generated DB files.

       --html-out-add-donuts-links
           Add a link to each of the generated donuts error list files.

       SH Test Script Configuration Options

       --sh-test-resolver=STRING
           The resolver address to force

       Help Options

       -h  Display a help summary (short flags preferred)

       --help
           Display a help summary (long flags preferred)

       --help-full
           Display all help options (both short and long)

       --version
           Display the script version number.


ADDING NEW OUTPUT

       The following section discusses how to extend the maketestzone tool
       with new output modifications.

       ADDING LEGEND INFORMATION

       For the legend HTML output, the %LegendInformation hash contains a key
       name and description for each modification type.

       ADDING NEW SUBZONE DIFFERENCES

       The %zonesigner_domain_opts hash lists additional arguments that change
       how zonesigner is called for various sub-domains.  Thus you can create
       additional sub-zones with different zonesigner options to test other
       operational parameters between parent and child.  For example:

          'rollzsk-ns.' . $opts{'d'} => '-rollzsk',

       forces the rollzsk-ns test sub-zone to roll its ZSK when the zone is
       signed.

       ADDING NEW RECORD MODIFICATIONS

       Maketestzone is in early development stages but already has the
       beginnings of an extensible system allowing you to modify records at
       will based on regexp => subroutine hooks.

       To add a new modification, add a new keyword to the 'p' and optionally
       'P' default flags (or add it at run time), and then add a new function
       to the list of callbacks defined in the %destroyFunctions hash, keyed
       on your new keyword.  When the file is being parsed and a record
       matching your expression is hit, your function will be called.
       Arguments can be added to the function by passing an array reference
       where the first element is the subroutine to be called, and the
       remainder are additional arguments.  Output lines should be printed to
       the $fh file handle.

       Here's an example function that deletes the RRSIG signature of the next
       record:

         sub delete_signature {
             # the first 2 arguments are always passed; the other was in the
             # array reference the subroutine was registered with.
             my ($name, $type, $expr) = @_;

             Verbose("  deleting signatures of $name");

             # print the current line (the record that matched the expression)
             print $fh $_;

             my $inrec = 0;
             while (<I>) {
               # a new name record means we're done.
               last if /^\w/;

               # we're in a multi-line rrsig record
               $inrec = 1 if (/$expr\s+$type/);

               # print the line if we're not in the rrsig record
               print $fh $_ if (!$inrec);

               # when done with the last line of the rrsig record, mark this spot
               $inrec = 0 if (/\)/);
             }
         }

       This is then registered within %destroyFunctions.  Here's an example of
       registering the function to delete the signature on a DS record:

          '^(nosig[-\w]+).*IN\s+NS\s+' => [\&delete_signature, 'DS', 'RRSIG'],
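
       The following is a stand-alone model of that hook mechanism, added
       here as an example and not code from maketestzone itself.  It keeps
       the %destroyFunctions and $fh names, calls each hook with the matched
       name followed by the registered extra arguments (the convention the
       registration line above suggests; an assumption of this example), and
       adds a hook that corrupts an RRSIG rather than deleting it.  It also
       handles a case the example above leaves open: a hook that has read
       the next owner-name line hands it back so that record is dispatched
       too.  The zone fragment is constructed.

```perl
# Added example (not maketestzone's own code): a stand-alone model of the
# regexp => subroutine dispatch described above; the zone text is constructed.
use strict;
use warnings;
my ($in, $fh);   # input handle (maketestzone reads <I>) and output handle
# Hook: corrupt the RRSIG covering $type ('A' below comes from the registered
# array ref).  Returns the line it read but did not consume, if any.
sub corrupt_signature {
    my ($name, $type) = @_;
    print $fh $_;                                   # the matched record, unchanged
    my $inrec = 0;
    while (defined(my $line = <$in>)) {
        return $line if $line =~ /^\w/;             # next owner name: hand it back
        $inrec = 1 if $line =~ /RRSIG\s+$type\b/;
        if ($inrec && $line =~ /\)/) {              # last line of the RRSIG
            # flip the first base64 character so the signature no longer verifies
            $line =~ s/^(\s*)(\S)/$1 . ($2 eq 'A' ? 'B' : 'A')/e;
            $inrec = 0;
        }
        print $fh $line;
    }
    return;
}

# regexp matching a zone line => [ subroutine, extra arguments ]
my %destroyFunctions = ('^(badsec[-\w]+).*IN\s+A\s+' => [\&corrupt_signature, 'A']);
sub destroy_zone {
    my ($text) = @_;
    open($in, '<', \$text)   or die "open: $!";
    open($fh, '>', \my $out) or die "open: $!";
    my $line = <$in>;
    while (defined $line) {             # a hook may hand back an unconsumed line
        $_ = $line; my ($next, $hooked);
        for my $expr (keys %destroyFunctions) {
            next unless /$expr/;
            my ($sub, @args) = @{ $destroyFunctions{$expr} };
            $next = $sub->($1, @args); $hooked = 1; last;
        }
        unless ($hooked) { print $fh $_; $next = <$in>; }
        $line = $next;
    }
    close $fh; return $out;
}

print destroy_zone(<<'ZONE');           # constructed signed-zone fragment
badseca.example.com.  3600 IN A     10.0.0.2
        3600 IN RRSIG A 5 3 3600 20070101000000 20061201000000 12345 example.com. (
                AbCdEfGh== )
gooda.example.com.    3600 IN A     10.0.0.1
ZONE
```

       Running it prints the fragment with the badseca signature's first
       base64 character changed and the gooda record passed through intact.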

COPYRIGHT

       Copyright 2004-2007 SPARTA, Inc.  All rights reserved.  See the COPYING
       file included with the DNSSEC-Tools package for details.


AUTHOR

       Wes Hardaker <hardaker@users.sourceforge.net>


SEE ALSO

       Net::DNS

       http://dnssec-tools.sourceforge.net

       zonesigner(1), donuts(1)

perl v5.8.8                       2007-09-14                   MAKETESTZONE(1)