I am working on a DNSSEC validator in Python, using the dnspython library,
and I have hit a snag. I need to get the RR set of RRSIG records for a
domain name, then compare their signature tags to valid DNSKEYs. The
problem is, every time I request an RRSIG record set, I get a NoAnswer
response, even if I know for a fact they are there. I have seen this come
up several times over the years on this mailing list's history, but no real
solution ever came up. One suggestion was to force transfer the zone and
search it for RRSET records, which is impossible for 99% of the secure
domains out there. Can anyone help me? Here is the method I am using. It
behaves the same if you comment out the bit setting the name server.
import dns.flags
import dns.rdataclass
import dns.rdatatype
import dns.resolver


def getRRSIGFromNS(domain_name, name_server):
    '''Return the set of RRSIG records for the given domain, as obtained
    from the given server'''
    resolver = dns.resolver.Resolver()
    # EDNS0 with the DO bit set and a 4096-byte payload, so the server
    # includes DNSSEC records in its answer
    resolver.use_edns(0, dns.flags.DO, 4096)
    resolver.nameservers = [name_server]
    try:
        # the fourth positional argument of Resolver.query is tcp
        response_rrsig = resolver.query(domain_name, dns.rdatatype.RRSIG,
                                        dns.rdataclass.IN, tcp=True)
    except dns.resolver.NoAnswer:
        print('no answer returned')
        return None
    except dns.resolver.NXDOMAIN:
        print('NXDOMAIN')
        return None
    return response_rrsig
--
Adam Portier
_______________________________________________
dnspython-users mailing list
[email protected]
http://howl.play-bow.org/mailman/listinfo/dnspython-users
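The behaviour described in the post follows from how dnspython identifies an RRset: by (name, class, type, covers), where covers is the type an RRSIG signs and is unset for every other record type. A response to an RRSIG query holds one RRSIG RRset per covered type, and a lookup for RRSIG with no covered type matches none of them, so Resolver.query raises NoAnswer even though the records are in the message. The usual route is to query for the type you actually want to validate with the DO bit set and read the RRSIG out of the answer section, e.g. dns.message.make_query(name, rdtype, want_dnssec=True), dns.query.udp(...), then response.find_rrset(response.answer, name, dns.rdataclass.IN, dns.rdatatype.RRSIG, covers=rdtype). What follows is an added example, not code from the post or from dnspython. It uses only the standard library so it runs offline: it builds a constructed DO=1 style response for example.com (placeholder key and signature bytes, not real key material, with the zone's DNSKEYs appended to the same message for convenience), parses the answer section, shows the RRSIG lookup with and without the covered type, and pairs the RRSIG with the DNSKEY whose RFC 4034 key tag and algorithm match, which is the comparison the post wants to make. Function and record-field names are the example's own.

```python
# Added example (not from the original post): parse a DNS answer section, pick out
# RRSIGs by the type they cover, and pair each RRSIG with the DNSKEY(s) whose key tag
# and algorithm it names (RFC 4034). Stdlib only; message, keys and signature are constructed.
import struct

TYPE_A, TYPE_RRSIG, TYPE_DNSKEY, CLASS_IN = 1, 46, 48, 1
RRSIG_FIXED = struct.Struct("!HBBIIIH")  # type covered, alg, labels, orig TTL, expire, incept, key tag

def encode_name(name):
    """Wire-format a dotted name (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def read_name(msg, off):
    """Read a possibly compressed name at off; return (dotted name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer; remember where the first one ended
            end, hops = (off + 2 if end is None else end), hops + 1
            if hops > 16:                         # pointer loops would otherwise spin forever
                raise ValueError("compression pointer loop")
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower() + ".", (off if end is None else end)

def rr(name, rtype, ttl, rdata):
    return encode_name(name) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def dnskey_rdata(flags, algorithm, public_key):
    return struct.pack("!HBB", flags, 3, algorithm) + public_key    # protocol field is always 3

def rrsig_rdata(covers, algorithm, labels, orig_ttl, expire, incept, tag, signer, signature):
    return RRSIG_FIXED.pack(covers, algorithm, labels, orig_ttl, expire, incept, tag) + encode_name(signer) + signature

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithm 1 uses the B.1 rule instead)."""
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_rrsig(rdata):
    covers, alg, labels, orig_ttl, expire, incept, tag = RRSIG_FIXED.unpack_from(rdata, 0)
    signer, off = read_name(rdata, RRSIG_FIXED.size)
    return {"covers": covers, "algorithm": alg, "labels": labels, "orig_ttl": orig_ttl, "expire": expire,
            "incept": incept, "key_tag": tag, "signer": signer, "signature": rdata[off:]}

def parse_answer(msg):
    """Answer-section records as dicts; 'covers' is the covered type for RRSIG, None otherwise."""
    _, flags, qdcount, ancount = struct.unpack_from("!HHHH", msg, 0)
    off, records = 12, []
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                  # skip qtype + qclass
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        rec = {"name": name, "class": rclass, "type": rtype, "ttl": ttl, "rdata": rdata, "covers": None}
        if rtype == TYPE_RRSIG:
            rec.update(parse_rrsig(rdata))
        records.append(rec)
    return flags, records

def find_rrset(records, name, rtype, covers=None):
    """Select by (name, type, covers); RRSIG with covers=None matches nothing: the NoAnswer trap."""
    return [r for r in records if (r["name"], r["type"], r["covers"]) == (name, rtype, covers)]

def match_rrsigs_to_keys(records):
    """Pair each RRSIG with the DNSKEYs at its signer name whose algorithm and key tag match.
    Key tags can collide, so this only narrows candidates; the signature must still be verified."""
    pairs = []
    for sig in (r for r in records if r["type"] == TYPE_RRSIG):
        keys = [k for k in records if k["type"] == TYPE_DNSKEY and k["name"] == sig["signer"]
                and k["rdata"][3] == sig["algorithm"] and key_tag(k["rdata"]) == sig["key_tag"]]
        pairs.append((sig, keys))
    return pairs

def build_sample_response():
    """Constructed DO=1 answer for example.com/A with the zone's DNSKEYs appended so one message
    exercises the flow (a real resolver returns DNSKEYs separately). Keys/signature are dummies."""
    zone = "example.com."
    ksk = dnskey_rdata(257, 13, bytes(range(64)))       # flags 257 = KSK, alg 13 = ECDSAP256SHA256
    zsk = dnskey_rdata(256, 13, bytes(range(64, 128)))  # flags 256 = ZSK; the key the RRSIG names
    sig = rrsig_rdata(TYPE_A, 13, 2, 3600, 1700000000, 1698000000, key_tag(zsk), zone, b"\x00" * 64)
    header = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 4, 0, 0)   # QR RD RA AD; 1 question, 4 answers
    question = encode_name(zone) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return (header + question + rr(zone, TYPE_A, 3600, bytes([192, 0, 2, 1])) + rr(zone, TYPE_RRSIG, 3600, sig)
            + rr(zone, TYPE_DNSKEY, 3600, ksk) + rr(zone, TYPE_DNSKEY, 3600, zsk))

def demo():
    """Parse the sample; return (RRSIGs found without covers, found with covers=A, RRSIG/key pairs)."""
    _, recs = parse_answer(build_sample_response())
    return (find_rrset(recs, "example.com.", TYPE_RRSIG),
            find_rrset(recs, "example.com.", TYPE_RRSIG, TYPE_A), match_rrsigs_to_keys(recs))
```

Running demo() returns an empty list for the lookup that ignores the covered type, one RRSIG for the lookup with covers=A, and that RRSIG paired with exactly the ZSK (the KSK has a different key tag). Two caveats carry over to a real validator: key tags are a 16-bit hint and do collide, so a tag match only selects candidate keys and the signature still has to be checked against each; and RRSIG inception and expiration times must be compared against the current time before a signature is trusted.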