A. Zone Administrators
A.1. Name Servers
| BIND | Authoritative, validating, recursive, and caching open source name server implementation | ISC | http://www.isc.org |
| NSD | Authoritative only, open source name server | NLNet Labs | http://www.nlnetlabs.nl/nsd |
| UNBOUND | Validating, recursive and caching open source name server | NLNet Labs, Verisign, Nominet, Kirei | http://unbound.net/ |
| ANS | Authoritative name server | Nominum, Inc. | http://www.nominum.com |
| CNS | Recursive name server | Nominum, Inc | http://www.nominum.com |
A.2. Key Generation and Zone Signing
| dnssec-keygen, dnssec-signzone | Standard tools provided with the BIND distribution | ISC | http://www.isc.org |
| nom_keytool, ans_signer | Standard tools provided with the ANS distribution | Nominum | http://www.nominum.com |
| jdnssec-keygen, jdnssec-signzone | Tools from the jdnssec-tools suite | Verisign Labs | http://www.verisignlabs.com/dnssec-tools/ |
| ldns-keygen, ldns-signzone | Tools from the ldns tool suite | NLNet Labs | http://www.nlnetlabs.nl/ldns/ |
| pdnssec-keygen, pdnssec-signzone | Tools from the DNSSEC perltools distribution | Roy Arends | http://www.nsec3.org/cgi-bin/trac.cgi/browser/dnssec/perltools/ |
| zonesigner | Wrapper around BIND tools, available in the dnssec-tools suite | SPARTA, Inc | http://www.dnssec-tools.org/wiki/index.php/Zonesigner |
| dnssec-zkt and dnssec-signer | Wrapper around BIND tools | HZNET | http://www.hznet.de/dns/zkt/ |
| ldns-zsplit and ldns-zcat | Tool from the ldns package for enabling parallel signing of a large zone | NLNetLabs | http://www.nlnetlabs.nl/ldns/ |
| maintkeydb, dnssigner | Tools from the DNSSEC Key Management Tools suite | RIPE NCC | https://www.ripe.net/projects/disi/dnssec_maint_tool/ |
A.3. Key Rollover
| Rollerd and rollctl | Tool from the dnssec-tools package for managing different phases of ZSK and KSK rollover | SPARTA, Inc | http://www.dnssec-tools.org/wiki/index.php/Rollerd |
| Maintkeydb | Command line interface to a database containing DNSSEC Keys | RIPE NCC | https://www.ripe.net/projects/disi/dnssec_maint_tool/ |
A.4. Hardware Related
| DNSSEC Smartcard Utility | Supports operations for storing keys to any PKCS#15 smartcard supported by OpenSC and exporting them as DNSSEC records | .SE | http://opensource.iis.se/trac/dnssec/browser/pkcs15-dnssec |
| pkcs11HSMtools | Modifications to BIND for native PKCS-11 HSM support | IANA | http://www.xtcn.com/~lamb/pkcs11HSMtools.tar.gz |
| Software for interfacing with crypto hardware | EVP Perl Implementation | Nominet | http://www.nominet.com |
| DNSSEC Appliance | A secured appliance that can be used as an automation engine for DNSSEC management tasks | Secure64 | http://www.secure64.com/products.shtml |
| dnsX | An appliance containing a secure signer, caching resolver and authoritative name server | Xelerance | http://www.xelerance.com/ |
A.5. Zone Troubleshooting
| SZIT monitor extension | Tests the zone contents against best common practices and overall security | NIST | http://snad.ncsl.nist.gov/dnssec/ |
| donuts and donutsd | A dnslint-like application available in the dnssec-tools suite, for analyzing zone files | SPARTA, Inc | http://www.dnssec-tools.org/wiki/index.php/Donuts |
| Mapper | Tool in the dnssec-tools suite that maps DNS realms, color coding the results to allow for easy visual interpretation | SPARTA, Inc | http://www.dnssec-tools.org/wiki/index.php/Mapper |
| jdnssec-verifyzone | Verifies all of the signatures in a zone for cryptographic validity | Verisign Labs | http://www.verisignlabs.com/dnssec-tools/ |
| named-checkzone | Standard tool provided with the BIND distribution | ISC, BIND | http://www.isc.org |
B. Secure Delegation Registration
B.1 Creation of DS Information
| dnssec-dstool | Simple tool for generating DS (or DLV) records from DNSKEY records | Verisign Labs | http://www.verisignlabs.com/dnssec-tools/ |
| ldns-key2ds | DNSKEY to DS conversion | NLNet Labs | http://www.nlnetlabs.nl/ldns/ |
| Key2ds, Net::DNS::Sec | DNSKEY to DS conversion | Olaf Kolkman | http://www.net-dns.org/ |
B.2 Updating DS from Child to Parent
| Regsoft | Front-end for updating contents of a registry | Shinkuro, Inc | |
| CADR | Registrar software that can move keys from sub-zones to parent zones | Afilias, Shinkuro, SPARTA, EP.net | http://cadr.rs.net/ |
| libepp-nicbr | Library that partially implements the Extensible Provisioning Protocol (EPP), as described in the Internet Drafts RFC3730bis to RFC3734bis and RFC3735 | NIC.br | http://registro.br/epp/index-EN.html |
C. Tools for Validating Systems
C.1 Tools and Resources for Fetching DNSKEY Information
| ISC DLV registry | Trust Anchor Repository constructed through explicit zone owner registration | ISC | https://secure.isc.org/index.pl?/ops/dlv/ |
| Secspider | Trust Anchor Repository populated by a crawler program | UCLA, Colorado State | http://secspider.cs.ucla.edu/ |
| IKS Jena Survey | Trust Anchor Repository populated by a crawler program | IKS Jena | http://www.iks-jena.de/leistungen/dnssec.php |
| IANA TAR | (Currently) demo Trust Anchor Repository for SEP keys for TLDs | IANA | https://ns.iana.org/dnssec/status.html |
| ldns-keyfetcher | Queries and retrieves DNSKEYs for a given domain | NLNet Labs | http://www.nlnetlabs.nl/ldns/ |
| getdnskeys | Tool in the dnssec-tools suite for fetching, comparing and remembering a list of DNSKEYs from DNS zones | SPARTA, Inc | http://www.dnssec-tools.org |
C.2 Tools for Automated Trust Anchor Rollover
| trustman | Implementation of RFC 5011 for automated rollover of trust anchors in validating resolvers. Tool available in the dnssec-tools distribution | SPARTA, Inc | http://www.dnssec-tools.org/wiki/index.php/Trustman |
C.3 Troubleshooting
| dig | Standard tool provided with the BIND software | ISC | http://www.isc.org |
| drill | Debugging/query tool for DNSSEC, similar to dig | NLNet Labs | http://www.nlnetlabs.nl/ldns/ |
| validate | A tool that helps determine the validation status for a DNS record and the reasons for validation failure, if any | SPARTA, Inc | http://www.dnssec-tools.org/wiki/index.php/Validate |
| dnspktflow | This tool, when combined with tethereal and graphviz, can trace tcpdump/tethereal network packet captures to visually diagram DNS packet flows | SPARTA, Inc | http://www.dnssec-tools.org/wiki/index.php/Dnspktflow |
| Traffic Monitoring Tool | Tool to capture and analyze DNS traffic to and from a name server | NIST | http://snad.ncsl.nist.gov/dnssec/ |
| dnsdump | Perl script that captures and displays DNS packets seen on the network | The Measurement Factory | http://dns.measurement-factory.com/tools/dnsdump/ |
| dnscap | Network capture utility designed specifically for DNS traffic | OARCI | http://public.oarci.net/tools/dnscap |
| Logwatch | Configuration plugin to have logwatch perform DNSSEC parsing of system logging messages from a running BIND name server | Plugin provided by SPARTA, Inc; available in the logwatch distribution | http://www2.logwatch.org:81/ |
C.4 DNSSEC Capable Applications
| Firefox | Patch that enables DNSSEC checking of DNS lookups done with Firefox | SPARTA, Inc | http://www.dnssec-tools.org/wiki/index.php/Firefox |
| Thunderbird | Patch that enables DNSSEC validation in the Thunderbird mail app | SPARTA, Inc | http://www.dnssec-tools.org/wiki/index.php/Thunderbird |
| SSH | Patch that contains support for local DNSSEC validation for all DNS lookups | SPARTA, Inc | http://www.dnssec-tools.org/wiki/index.php/Ssh |
| Sendmail | Patch for adding DNSSEC validation support during lookups | SPARTA, Inc | http://www.dnssec-tools.org/wiki/index.php/Sendmail |
| Postfix | Patch for adding DNSSEC validation support during lookups | SPARTA, Inc | http://www.dnssec-tools.org/wiki/index.php/Postfix |
| libspf2 | Patch for adding DNSSEC validation support during lookups and adding a new field in the mail header based on the results of the checks | SPARTA, Inc | http://www.dnssec-tools.org/wiki/index.php/LibSPF |
| wget | Patch to enable DNSSEC validation in wget | SPARTA, Inc | http://www.dnssec-tools.org/wiki/index.php/Wget |
| ncftp | Patch to enable DNSSEC validation during lookups | SPARTA, Inc | http://www.dnssec-tools.org/wiki/index.php/Ncftp |
| proftpd | Patch to enable DNSSEC validation during lookups | SPARTA, Inc | http://www.dnssec-tools.org/wiki/index.php/Proftpd |
D. Developer Resources
D.1 Validation Libraries for Applications
| libval | A C library that provides interfaces for name lookup with DNSSEC validation support | SPARTA, Inc | http://www.dnssec-tools.org/docs/tool-description/libval.html |
| libval_shim | LD_PRELOAD-based approach for transparently adding DNSSEC capability to existing applications | SPARTA, Inc | http://www.dnssec-tools.org/docs/tool-description/libval_shim.html |
| ldns library | A C library that provides validation capability | NLNet Labs | http://www.nlnetlabs.nl/ldns/ |
| libunbound | A C library that can be linked against applications to provide validation capability | NLNet Labs, Verisign, Nominet, Kirei | http://unbound.net/ |
D.2 Perl SDKs
| Net::DNS::SEC | Extension to Net::DNS with DNSSEC functionality | RIPE NCC | http://www.net-dns.org/ |
| Net::DNS::SEC::Tools | Tools and modules that provide zone signing and key management configuration utilities | SPARTA Inc | http://www.dnssec-tools.org/ |
| Net::DNS::ZoneFile::Fast | Provides the ability to parse zone files that BIND8 and BIND9 use, fast | Anton Berezin and SPARTA, Inc | http://search.cpan.org/dist/Net-DNS-ZoneFile-Fast/Fast.pm |
D.3 Validator API
| DNSSEC Validator API | Proposed API between applications and security aware validating stub resolvers | SPARTA Inc | http://tools.ietf.org/id/draft-hayatnagarkar-dnsext-validator-api-06.txt |
| libunbound API | API provided by the libunbound library | NLNet Labs, Verisign, Nominet, Kirei | http://www.unbound.net/documentation/index.html |
D.4 Testing Resources
| maketestzone | Useful for generating test data which DNSSEC aware software can be tested against | SPARTA, Inc | http://www.dnssec-tools.org |
| Querysim | A DNS traffic replay tool | NIST | http://snad.ncsl.nist.gov/dnssec/ |
| Packet Server | A tool that helps craft packets with various settings to test the behavior of validating resolvers | Roy Arends | http://www.nsec3.org/cgi-bin/trac.cgi/browser/dnssec/perltools/ |
E. Deployment Aids
E.1 Operator Guidance Documentation
| NIST Special Publication 800-81 | Recommendations of the National Institute of Science and Technology, Deployment Guide | NIST | http://csrc.nist.gov/publications/nistpubs/ |
| RFC 4641 | DNSSEC Operational Practices | IETF | http://www.ietf.org/rfc/rfc4641.txt |
| Step-by-Step guides | Guides for signed zone operation | SPARTA, Inc | http://www.dnssec-tools.org/resources/documentation.html |
| DNSSEC Howto | A tutorial in disguise | NLNet Labs | http://www.nlnetlabs.nl/dnssec_howto/ |