pawal edited this page Jun 29, 2012 · 4 revisions

dnssec-analysis is a number of scripts to generate lists, do data collection, and perform analysis on DNSSEC signed domains.

No installation is needed; you can run the tools as-is once the dependencies are installed.

Typical usage is to have a number of domains to analyze. For a typical large zone, such as a TLD zone, you can extract all domains with a secure delegation (DS record) and generate a list of those DNSSEC domains:

Generate a list of DNSSEC domains from a zone file:

cleanzone.pl -f zonefile.txt > signed.txt

Alternatively, you can compile the list of zones to analyze by hand; it is just a newline-separated list of names in a text file.
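The list-generation step above, as an added example that is not part of dnssec-analysis (the project's own tool for this is cleanzone.pl, written in Perl): a Python function that extracts the owner names carrying DS records from a zone file, handling $ORIGIN, relative and '@' owner names, optional TTL/class fields, repeated-owner lines and ';' comments. The zone fragment it runs on is constructed for the example.

```python
from typing import Iterable, List

# Constructed sample zone fragment (not a real zone): two secure delegations
# (DS present), one insecure delegation (NS only), glue, and a ';' comment.
SAMPLE_ZONE = """\
$ORIGIN example.
$TTL 3600
@           IN SOA  ns1.example. hostmaster.example. 2012062900 7200 3600 1209600 3600
alpha       IN NS   ns1.alpha.example.
alpha       IN DS   12345 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
alpha       IN DS   12345 8 1 0123456789ABCDEF0123456789ABCDEF01234567 ; second digest
ns1.alpha   IN A    192.0.2.1
beta        IN NS   ns1.beta.example.
gamma.example.  3600 IN DS 54321 13 2 FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210
"""

def ds_owner_names(lines: Iterable[str]) -> List[str]:
    """Unique owner names (lower-case, no trailing dot) that have a DS record."""
    origin = owner = ""
    found: List[str] = []
    for raw in lines:
        line = raw.split(";", 1)[0].rstrip()    # strip comments and trailing space
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if line.startswith("$"):                # $TTL and other directives: no owner
            continue
        fields = line.split()
        if not line[0].isspace():               # blank owner field reuses the previous owner
            owner = fields.pop(0)
        # Skip the optional TTL (numeric) and class fields to reach the RR type.
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)
        if not fields or fields[0].upper() != "DS":
            continue
        if owner == "@":
            name = origin
        elif owner.endswith("."):
            name = owner[:-1]
        else:
            name = f"{owner}.{origin}" if origin else owner
        if name.lower() not in found:
            found.append(name.lower())
    return found

if __name__ == "__main__":
    print("\n".join(ds_owner_names(SAMPLE_ZONE.splitlines())))
```

For a real zone, pass `open("zonefile.txt")` instead of `SAMPLE_ZONE.splitlines()` and redirect the output to signed.txt; TTLs written with unit suffixes (e.g. 1h) are not recognised as TTL fields by this simplified parser.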

Perform data collection

To perform the data collection you can run the collect.pl command and feed it the list of names you want to analyze:

collect.pl -f domainlist.txt -d output-directory

This will take a while, depending on the number of domains in the list. The queue.sh shell script calls the burnds.pl command as fast as possible, launching many parallel instances (limited by the MAXPROCS variable in the script), which will probably put a high load on your machine. Make sure you are using a resolver (configured in the burnds.json file) that is close to the machine you are running on, to achieve higher performance.

collect.pl will create a directory with the name given to the -d directive and will store one JSON file per domain in it. (Example: collect.pl usage)

Perform analysis

You can analyze the collected data in a number of ways. To see if any of the queries have failed or other problems, use the --rcode switch:

analyze.pl -d directory --rcode
Running analysis
A:NOERROR: 7
DNSKEY:NOERROR: 7
MX:NOERROR: 7
NSEC3PARAM:NOERROR: 7
SOA:NOERROR: 7

The above shows you an analysis with no errors in it.

There are more ways to analyze the data; use the --help switch to see all available analyzers. You can run multiple analyzers in the same command.
