Verisign jdnssec-tools

This is a collection of Java-based DNSSEC command line tools. They are intended to be an addition to, or replacement for, the DNSSEC tools that are part of BIND 9.

These tools depend upon DNSjava, the Apache Commons CLI and Sun's Java Cryptography extensions. A copy of each of these libraries is included in the distribution. Currently, these tools use a custom version of the DNSjava library with minor modifications; that modified version is the one provided.

Binary and Source packages
Binary: jdnssec-tools-0.13.tar.gz
Source: jdnssec-tools-0.13-src.tar.gz

The tools included in this package are:

jdnssec-signzone
This is a DNSSEC zone signer. It supports normal RFC 4035 signing, as well as signing using NSEC3.
jdnssec-verifyzone
This is a tool to verify a signed zone for DNSSEC correctness, that is, that the zone was correctly signed. It checks that all signatures are valid, all expected signatures exist, all expected NSEC or NSEC3 records exist and are correctly formed, and that the NSEC/NSEC3 chain is correctly formed.
jdnssec-zoneformat
This is a simple tool for reformatting a zone (possibly signed by another set of tools) into a known format, to make it easier to compare zones via tools like 'diff'. This tool can also be used to annotate NSEC3 records with original owner names (similar to the output of jdnssec-signzone).
jdnssec-keygen
This is a DNSSEC key generation tool.
jdnssec-dstool
This is a simple tool for generating DS (or DLV) records from DNSKEY records.
jdnssec-keyinfo
This is a simple DNSKEY introspection tool.
jdnssec-signkeyset
A tool for (self) signing bare DNSKEY RRsets.
jdnssec-signrrset
A tool for signing bare RRsets with given keys.

See the Change Log for a list of recent changes.

The source for this project is also available via git on github.com: https://github.com/dblacka/jdnssec-tools. The modified DNSjava library can be found at: https://github.com/dblacka/jdnssec-dnsjava.

Elliptic Curve Support: As of version 0.13, jdnssec-tools supports ECDSAP256SHA256 (algorithm 13) and ECDSAP384SHA384 (algorithm 14) using the normal Sun crypto provider. Algorithm 12 (ECC-GOST) is supported if the "bouncycastle" crypto provider is present in the classpath. The easiest way to do that is to put the bouncycastle provider jar (fetched from http://www.bouncycastle.org/latest_releases.html) in the lib/ directory of the distribution.