Provided by: dnssec-tools_2.0-1_all

NAME

       generaterecords - generates a test dnssec zone that can be used to DNSSEC

SYNOPSIS

       generaterecords -v -d mytestzone.example.com

DESCRIPTION

       The generaterecords script generates a zone file, given a domain name, which is then
       signed and modified to invalidate portions of the data in particular ways.  Each generated
       record is named according to how its security data is modified (the gooda record will
       contain an A record with valid DNSSEC data, but the badseca record will contain an A
       record whose signature has been modified so that it no longer validates).

       The resulting zone can then be served, and validating resolvers, applications, and other
       software can be pointed at it to see whether they fail or succeed as expected under the
       DNS security policies being deployed.

       After the files are generated, consider running donuts on them to see how the data in them
       has been tampered with to be invalid.

PRE-REQUISITES

       zonesigner from the dnssec-tools project

       bind software 9.3.1 or greater

GETTING STARTED

       To get started creating a new zone, you'll need to tell zonesigner to create new keys for
       all of the new zones that maketestzone creates.  Thus, the first run of maketestzone
       should look like:

       First Time:
           maketestzone -k [OTHER DESIRED OPTIONS]

       After that, the generated zone files can be loaded and served in a test server.

       Because the signatures zonesigner produces are valid for 30 days by default, the script
       will need to be rerun once every 30 days to recreate the records and resign the data, so
       that the signature date stamps remain valid (or, for the deliberately broken records,
       invalid in the intended way).

       Every 30 days:
           maketestzone [OTHER DESIRED OPTIONS]

OPTIONS

       Below are the options that are accepted by the maketestzone tool.

   Output File Naming:
       -o STRING
       --output-file-prefix=STRING
           Output prefix to use for zone files (default = db.)

       -O STRING
       --output-suffix-signed-file=STRING
           Output suffix to be given to zonesigner (default = .zs)

       -M STRING
       --output-modified-file=STRING
           Output suffix for the modified zone file (default = .modified)

       -D
       --run-donuts
           Run donuts on the results

       --donuts-output-suffix=STRING
           The file suffix to use for donuts output (default = .donuts)

   Output Zone Information:
       -d STRING
       --domain=STRING
           domain name to generate records for

       --ns=STRING
       --name-servers=STRING
       -n STRING
           Comma separated name=addr name-server records

       --a-addr=STRING
       --a-record-address=STRING
           A record (IPv4) address to use in data

       --aaaa-addr=STRING
       --a-record-address=STRING
           AAAA record (IPv6) address to use in data

   Output Data Type Selection:
       -p STRING
       --record-prefixes=STRING
           Comma separated list of record prefixes to use

       -P STRING
       --ns-prefixes=STRING
           Comma separated list of NS record prefixes to use

       -c
       --no-cname-records
           Don't create CNAME records

       -s
       --no-ns-records
           Don't create sub-zone records

   Task Selection:
       -g
       --dont-generate-zone
           Do not generate the zone; use the existing zone file and sign/modify it

       -z
       --dont-run-zonesigner
           Do not run zonesigner to sign the records

       -Z
       --dont-destroy
           Do not destroy the records and leave them properly signed

       --bind-config=STRING
           Generate a bind configuration file snippet to load the DB sets

       --html-out=STRING
           Generate an HTML page containing a list of record names

       --apache-out=STRING
           Generate an Apache config snippet for configuring apache for each zone record

       --sh-test-out=STRING
           Generate a test script for running dig commands

       -v
       --verbose
           Verbose output

   Zonesigner Configuration:
       -a STRING
       --zonesigner-arguments=STRING
           Arguments to pass to zonesigner

       -k
       --generate-keys
           Have zonesigner generate needed keys

   Bind Configuration Options
       --bind-db-dir=STRING
           The base directory where the bind DB files will be placed

   HTML Output Configuration
       --html-out-add-links
           Make each html record name a http link to that address

       --html-out-add-db-links
           Add a link to each of the generated DB files.

       --html-out-add-donuts-links
           Add a link to each of the generated donuts error list files.

   SH Test Script Configuration Options
       --sh-test-resolver=STRING
           The resolver address to force

   Help Options
       -h
           Display a help summary (short flags preferred)

       --help
           Display a help summary (long flags preferred)

       --help-full
           Display all help options (both short and long)

       --version
           Display the script version number.

ADDING NEW OUTPUT

       The following section discusses how to extend the maketestzone tool with new output
       modifications.

   ADDING LEGEND INFORMATION
       For the legend HTML output, the %LegendInformation hash contains a keyname and description
       for each modification type.

   ADDING NEW SUBZONE DIFFERENCES
       The %zonesigner_domain_opts hash lists the additional arguments zonesigner is called with
       for particular sub-domains.  Thus you can create additional sub-zones with different
       zonesigner options to test other operational parameters between parent and child.  For
       example:

          'rollzsk-ns.' . $opts{'d'} => '-rollzsk',

       Forces the rollzsk-ns test sub-zone to roll its ZSK when the zone is signed.

   ADDING NEW RECORD MODIFICATIONS
       Maketestzone is in early development stages but already has the beginnings of an
       extensible system allowing you to modify records at will based on regexp => subroutine
       hooks.

       To add a new modification, add a new keyword to the 'p' and optionally 'P' default flags
       (or add it at run time), and then add a new function to the list of callbacks defined in
       the %destroyFunctions hash, keyed on a regular expression that matches your new keyword.
       When the file is being parsed and a record matching your expression is hit, your function
       will be called.  Arguments can be passed to the function by registering an array
       reference whose first element is the subroutine to be called and whose remaining elements
       are the additional arguments.  Output lines should be printed to the $fh file handle.

       Here's an example function that deletes the RRSIG signature of the next record:

         sub delete_signature {
             # the first 2 arguments are always passed; the others come from the
             # array reference the subroutine was registered with.
             my ($name, $type, $expr) = @_;

             Verbose("  deleting signatures of $_[0]");

             # print the current line (the matched record itself)
             print $fh $_;

             my $inrec = 0;
             while (<I>) {
               # a new owner name in column 0 means we're done with this record.
               last if /^\w/;

               # we're in a multi-line rrsig record covering $type
               $inrec = 1 if (/$expr\s+$type/);

               # print the line if we're not in the rrsig record
               print $fh $_ if (!$inrec);

               # the closing parenthesis ends the rrsig record
               $inrec = 0 if (/\)/);
             }
         }

       This is then registered within %destroyFunctions.  Here's an example of registering the
       function to delete the signature on a DS record:

          '^(nosig[-\w]+).*IN\s+NS\s+' => [\&delete_signature, 'DS', 'RRSIG'],
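
       The following is an added, self-contained example of the hook mechanism described in this
       section; it is not maketestzone's own code.  It runs the page's %destroyFunctions pattern
       over a small constructed zone fragment (dummy base64 in place of real RRSIG data) and
       registers two callbacks: one that deletes the signature of a record, as delete_signature
       above does, and one that corrupts the signature data instead, the kind of modification
       behind a "badsec" record.  The helper names split_records, destroy_zone,
       corrupt_signature and flip_first_char are assumptions made here, and the callbacks take
       the output handle and the record's lines as explicit arguments rather than using the
       global $fh and the I input handle the page's callback reads from.

```perl
#!/usr/bin/perl
# Added example, not maketestzone's own code: a small model of the
# "regexp => subroutine" hook table described above, run over a
# constructed zonesigner-style fragment so the dispatch can be tried
# offline. The signature data below is dummy base64, not a real RRSIG.
use strict;
use warnings;

my $signed = <<'ZONE';
gooda.example.com.    3600 IN A     192.0.2.1
                      3600 IN RRSIG A 8 3 3600 20240101000000 (
                          20231201000000 12345 example.com.
                          QUJDREVGR0hJSktMTU5PUA== )
badseca.example.com.  3600 IN A     192.0.2.2
                      3600 IN RRSIG A 8 3 3600 20240101000000 (
                          20231201000000 12345 example.com.
                          QUJDREVGR0hJSktMTU5PUA== )
nosiga.example.com.   3600 IN A     192.0.2.3
                      3600 IN RRSIG A 8 3 3600 20240101000000 (
                          20231201000000 12345 example.com.
                          QUJDREVGR0hJSktMTU5PUA== )
ZONE

# Group lines by owner: a line starting in column 0 begins a new owner,
# indented lines (including multi-line RRSIGs) continue it. This is the
# same "new name record means we're done" rule the page's callback uses.
sub split_records {
    my ($text) = @_;
    my @records;
    for my $line (split /^/, $text) {
        if ($line =~ /^\S/ || !@records) {
            push @records, [$line];
        } else {
            push @{ $records[-1] }, $line;
        }
    }
    return @records;
}

# Like the page's delete_signature: drop the RRSIG covering $type
# (from the line matching "$expr $type" through the closing parenthesis).
sub delete_signature {
    my ($fh, $name, $lines, $type, $expr) = @_;
    my $inrec = 0;
    for my $line (@$lines) {
        $inrec = 1 if $line =~ /$expr\s+$type\s/;   # trailing \s: A, not AAAA
        print $fh $line unless $inrec;
        $inrec = 0 if $inrec && $line =~ /\)/;
    }
}

# A "badsec"-style modification: keep the RRSIG but change one character
# of its base64 data so the signature is well-formed yet fails to verify.
sub corrupt_signature {
    my ($fh, $name, $lines, $type, $expr) = @_;
    my $inrec = 0;
    for my $line (@$lines) {
        $inrec = 1 if $line =~ /$expr\s+$type\s/;
        if ($inrec && $line =~ /\)/) {
            $line =~ s{([A-Za-z0-9+/=]+)(\s*\))}{ flip_first_char($1) . $2 }e;
            $inrec = 0;
        }
        print $fh $line;
    }
}

sub flip_first_char {
    my ($b64) = @_;
    substr($b64, 0, 1) = (substr($b64, 0, 1) eq 'A') ? 'B' : 'A';
    return $b64;
}

# Hook table in the page's %destroyFunctions shape: the regexp is matched
# against the first line of each owner, the array ref holds the callback
# and the extra arguments it is registered with.
my %destroyFunctions = (
    '^(nosig[-\w]+).*IN\s+A\s+'  => [\&delete_signature,  'A', 'RRSIG'],
    '^(badsec[-\w]+).*IN\s+A\s+' => [\&corrupt_signature, 'A', 'RRSIG'],
);

# Walk the records; unmatched owners (gooda) are copied through unchanged.
sub destroy_zone {
    my ($text, $hooks) = @_;
    my $out = '';
    open(my $fh, '>', \$out) or die "cannot open in-memory handle: $!";
    for my $rec (split_records($text)) {
        my $first = $rec->[0];
        my ($hookname) = grep { $first =~ /$_/ } sort keys %$hooks;
        if (defined $hookname) {
            my ($callback, @args) = @{ $hooks->{$hookname} };
            my ($name) = $first =~ /^(\S+)/;
            $callback->($fh, $name, $rec, @args);
        } else {
            print $fh @$rec;
        }
    }
    close $fh;
    return $out;
}

print destroy_zone($signed, \%destroyFunctions);
```

       Running it prints the gooda group untouched, the badseca group with the first character of
       its signature data changed, and the nosiga group with only its A record left.  The match
       on "$expr\s+$type\s" includes a trailing whitespace class so that a hook registered for
       the A type does not also consume the RRSIG of an AAAA record at the same owner, a corner
       the page's shorter pattern does not guard against.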

COPYRIGHT

       Copyright 2004-2013 SPARTA, Inc.  All rights reserved.  See the COPYING file included with
       the DNSSEC-Tools package for details.

AUTHOR

       Wes Hardaker <hardaker@users.sourceforge.net>

SEE ALSO

       Net::DNS

       http://dnssec-tools.sourceforge.net

       zonesigner(1), donuts(1)