DoT (DNS over TLS): recursive resolver -> SLD (second-level domain) authoritative server
random domain: https://www.ipvoid.com/random-domain/
tlsa: https://www.huque.com/bin/gen_tlsa
wdns: https://github.com/farsightsec/wdns
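# Install the resolver, TLS and DNS tooling with pacman.
# NOTE(review): the last package was spelled "opessl" and is corrected to
# "openssl" here. "bind9" is kept as written; on Arch the BIND package is
# normally named "bind", so confirm the name before running. tshark, which the
# capture steps rely on, is not installed by this line.
sudo pacman -S getdns stunnel bind9 openssl

# Working directory for the zone files and DNSSEC keys. The group is set to
# "named", presumably so the server account can read the zones. These commands
# need write access to /var/named.
mkdir /var/named/master
chgrp named /var/named/master
cd /var/named/master

# Zone-signing key (default) and key-signing key (-f KSK), both ECDSA
# P-256 / SHA-256. The K*.private files written here are the zone's signing
# keys: check that they are not readable by other local users.
dnssec-keygen -a ECDSAP256SHA256 example.com
dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com

# NSEC-signed copy of the zone. -S picks the keys up from the -K directory,
# -g generates DS records for child zones from dsset-/keyset- files.
# Without -3 the denial-of-existence chain is NSEC, which exposes the full
# list of names in the zone to anyone who walks the chain.
dnssec-signzone -K /var/named/master/ -S -g \
  -o example.com -f example.com.zone.signed.nsec example.com.zone

# NSEC3-signed copy. -3 supplies a 16-hex-digit (8-byte) random salt, -A sets
# opt-out (insecure delegations get no NSEC3 record), -N INCREMENT bumps the
# SOA serial. The salt is public, not a secret. RFC 9276 recommends an empty
# salt and reserves opt-out for very large delegation-heavy zones, so treat
# these as test settings rather than production defaults.
# The salt comes from `openssl rand -hex 8` instead of hashing /dev/random
# output with SHA-1: same length and format, no potentially blocking read,
# and the substitution is quoted.
dnssec-signzone -K /var/named/master/ -S -g -A \
  -3 "$(openssl rand -hex 8)" -N INCREMENT \
  -o example.com -f example.com.zone.signed.nsec3 example.com.zone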
compressed test zone files: var/master.tgz
dot_client -> dot_server (853) -> bind9 auth (8853)
for example: /var/named/master/example.com.zone.100.signed.compact
# DoT measurement run. named -g and the live capture both stay in the
# foreground, so these lines are presumably meant for separate terminals
# rather than for one script.

# Authoritative server in the foreground with all logging on stderr (-g).
# The zone file and listening port come from named.conf, which is not shown.
named -g
# Capture filter "port 853" on every interface, written to dot.100.cap.
# Running tshark itself as root is discouraged by the Wireshark project;
# granting capture rights to dumpcap (e.g. through the wireshark group)
# avoids it -- TODO confirm for this host. Under sudo the capture file will
# typically end up owned by root.
sudo tshark -f "port 853" -i any -w dot.100.cap
# Project binaries: the DoT front end, then the client, which is given
# resource/subdom_100.txt (presumably a list of subdomains to query).
./dot_server
./dot_client resource/subdom_100.txt
# Offline pass over the capture: for packets to or from TCP port 853, print
# source port, destination port and frame length. Only ports and sizes are
# extracted, i.e. metadata that stays visible to an on-path observer even
# though DoT encrypts the DNS payload.
tshark -r dot.100.cap -Y "(tcp.srcport==853) or (tcp.dstport==853)" -T fields -e tcp.srcport -e tcp.dstport -e frame.len
dnssec_client -> bind9 auth (8853)
for example: /var/named/master/example.com.zone.100.signed.nsec
# DNSSEC (NSEC zone) measurement run. named -g and the capture stay in the
# foreground, so these lines are presumably run in separate terminals.

# Authoritative server in the foreground with all logging on stderr (-g).
# The zone file and listening port come from named.conf, which is not shown.
named -g
# Capture filter "port 8853" on every interface, written to
# dnssec.nsec.100.cap. No TLS hop appears in this path, so the capture will
# presumably contain query names and answers in clear text; store it
# accordingly. Running tshark as root is discouraged by the Wireshark
# project; capture rights on dumpcap (e.g. the wireshark group) avoid it --
# TODO confirm for this host.
sudo tshark -f "port 8853" -i any -w dnssec.nsec.100.cap
# Project client, given resource/subdom_100.txt (presumably the list of
# subdomains to query).
./dnssec_client resource/subdom_100.txt
dnssec_client -> bind9 auth (8853)
for example: /var/named/master/example.com.zone.100.signed.nsec3
# DNSSEC (NSEC3 zone) measurement run. named -g and the capture stay in the
# foreground, so these lines are presumably run in separate terminals.

# Authoritative server in the foreground with all logging on stderr (-g).
# The zone file and listening port come from named.conf, which is not shown.
named -g
# Capture filter "port 8853" on every interface, written to
# dnssec.nsec3.100.cap. No TLS hop appears in this path, so the capture will
# presumably contain query names and answers in clear text; store it
# accordingly. Running tshark as root is discouraged by the Wireshark
# project; capture rights on dumpcap (e.g. the wireshark group) avoid it --
# TODO confirm for this host.
sudo tshark -f "port 8853" -i any -w dnssec.nsec3.100.cap
# Project client, given resource/subdom_100.txt (presumably the list of
# subdomains to query).
./dnssec_client resource/subdom_100.txt
dns_client -> bind9 auth (8853)
for example: /var/named/master/example.com.zone.100
# Plain DNS (unsigned zone) baseline run. named -g and the capture stay in
# the foreground, so these lines are presumably run in separate terminals.

# Authoritative server in the foreground with all logging on stderr (-g).
# The zone file and listening port come from named.conf, which is not shown.
named -g
# Capture filter "port 8853" on every interface, written to dns.100.cap.
# No TLS hop appears in this path, so the capture will presumably contain
# query names and answers in clear text; store it accordingly. Running
# tshark as root is discouraged by the Wireshark project; capture rights on
# dumpcap (e.g. the wireshark group) avoid it -- TODO confirm for this host.
sudo tshark -f "port 8853" -i any -w dns.100.cap
# Project client, given resource/subdom_100.txt (presumably the list of
# subdomains to query).
./dns_client resource/subdom_100.txt