On 7 Apr 2011, at 19:56, Brian Smith wrote:

> Hello,
>
> I'm trying to sign a zone, however I would like to have other users' input
> here, am I doing this correctly? Is there a shortcut in dnspython that I am
> not seeing?

dnspython does not have any code for signing zones currently, though recent versions of dnspython do have basic code for validating signatures. If you want to make signatures, taking a look at dns.dnssec._validate_rrsig() is a good place to start. In particular, it shows how to correctly compute the digest. The code you included for generating digests was not correct.

Maintaining a secure zone is complicated and tedious, which is why dnspython doesn't yet do it :) Signing the rdata is just the start of the fun. You also need to deal with NSEC and/or NSEC3, and a good solution would also deal with signature regeneration and key rollover.

/Bob

_______________________________________________
dnspython-users mailing list
[email protected]
http://howl.play-bow.org/mailman/listinfo.cgi/dnspython-users
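Bob points at dns.dnssec._validate_rrsig() for the digest computation. As an added illustration that is not part of this thread or of dnspython itself, the stdlib-only Python below builds the bytes an RRSIG is computed over (RFC 4034 section 3.1.8.1: the RRSIG RDATA with the Signature field omitted, followed by the RRset in canonical form and canonical order) and hashes them; the owner name, TTL, key tag, timestamps and A records are constructed sample values, not data from the original mail.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of a domain name (RFC 4034 s6.2): lowercase, uncompressed."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def label_count(name):
    """RRSIG Labels field: labels in the owner name, not counting the root or a leading '*'."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return len([l for l in labels if l != "*"])

def rrsig_rdata_prefix(type_covered, algorithm, labels, original_ttl,
                       expiration, inception, key_tag, signer):
    """RRSIG RDATA with the Signature field omitted (RFC 4034 s3.1.8.1)."""
    return struct.pack("!HBBIIIH", type_covered, algorithm, labels, original_ttl,
                       expiration, inception, key_tag) + name_to_wire(signer)

def signed_data(owner, rrtype, rrclass, original_ttl, rdatas, rrsig_prefix):
    """Bytes the RRSIG signature (and hence the digest) is computed over."""
    owner_wire = name_to_wire(owner)
    out = rrsig_prefix
    # Canonical RR ordering: sort by RDATA treated as an unsigned byte string (RFC 4034 s6.3).
    # The TTL written here is the RRSIG Original TTL, not whatever the cache currently holds.
    # RDATA that embeds domain names (NS, MX, ...) must be lowercased first; A RDATA needs nothing.
    for rdata in sorted(rdatas):
        out += owner_wire + struct.pack("!HHIH", rrtype, rrclass, original_ttl, len(rdata)) + rdata
    return out

# Constructed sample (not a real zone): two A records for www.example.com., algorithm 8 (RSASHA256).
OWNER, TYPE_A, CLASS_IN, TTL = "www.example.com.", 1, 1, 3600
RDATAS = [bytes([192, 0, 2, 10]), bytes([10, 0, 0, 1])]   # zone order; canonical order is reversed

def build_example():
    prefix = rrsig_rdata_prefix(TYPE_A, 8, label_count(OWNER), TTL,
                                expiration=1303000000, inception=1302000000,
                                key_tag=12345, signer="example.com.")
    return signed_data(OWNER, TYPE_A, CLASS_IN, TTL, RDATAS, prefix)

def example_digest():
    """SHA-256 over the signed data; for algorithm 8 this is what the RSA PKCS#1 v1.5 signature covers."""
    return hashlib.sha256(build_example()).digest()

if __name__ == "__main__":
    print(build_example().hex())
    print(example_digest().hex())
```

Any deviation from this layout (uppercase owner, cached TTL, zone-file record order) yields a different digest, which is why a validator such as _validate_rrsig() rejects the signature even though the key is fine.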
