On Mon, Jul 16, 2012 at 8:20 AM, Adam Portier <[email protected]> wrote:

> I am working on a DNSSEC validator in Python, using the dnspython library,
> and I have hit a snag. I need to get the RR set of RRSIG records for a
> domain name, then compare their signature tags to valid DNSKEYs.


Hi Adam,

By setting the DO bit of the EDNS flags you are requesting that the server
send you any DNSSEC-related RRsets, including RRSIGs.  While I'm unfamiliar
with your application in general, it's unclear to me why you would need to
query for RRSIGs directly, rather than just using the ones that would come
in the response to a query with the DO bit set.  You can retrieve that
RRSIG by modifying your code a bit.  You'll probably want to restructure as
well.  See sample code below for an example.

import dns.flags
import dns.name
import dns.rdataclass
import dns.rdatatype
import dns.resolver

name_server = '192.0.2.1'
domain_name = dns.name.from_text('.')
rdtype = dns.rdatatype.DNSKEY

resolver = dns.resolver.Resolver()
# EDNS0 with the DO bit set and a 4096-byte buffer: the server then
# includes the RRSIGs covering the answer, so no separate RRSIG query is
# needed.
resolver.use_edns(0, dns.flags.DO, 4096)

resolver.nameservers = [name_server]
try:
    # Fourth positional argument is tcp=True; a signed DNSKEY answer is
    # often too large for UDP.
    response = resolver.query(domain_name, rdtype, dns.rdataclass.IN,
                              True).response
    # The RRSIG RRset is looked up by the type it covers (rdtype here).
    rrsig_rrset = response.find_rrset(response.answer, domain_name,
                                      dns.rdataclass.IN, dns.rdatatype.RRSIG,
                                      rdtype)
    print(rrsig_rrset)
except dns.resolver.NoAnswer:
    print('no answer returned')
except dns.resolver.NXDOMAIN:
    print('NXDOMAIN')
except KeyError:
    # find_rrset raises KeyError when no RRSIG covering rdtype came back,
    # e.g. for an unsigned zone.
    print('no RRSIG covering %s in the answer' % dns.rdatatype.to_text(rdtype))

Casey
_______________________________________________
dnspython-users mailing list
[email protected]
http://howl.play-bow.org/mailman/listinfo/dnspython-users
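Adam's stated goal, matching the RRSIG key tags against the DNSKEYs, is the step Casey's snippet stops short of. The following is an added example written for this page, not code from the thread and not dnspython's own code: a standard-library (Python 3) implementation of the RFC 4034 Appendix B key tag and of the candidate-key selection rules from RFC 4035 section 5.3.1 (signer name equals the DNSKEY owner, algorithm and key tag agree, the key has protocol 3 and the ZONE flag set). It works on records in presentation format, which is what `print rrsig_rrset` above produces. The zone name `example.`, every key and every signature are constructed for illustration and are not real; the temporal and cryptographic checks that follow key selection are out of scope here.

```python
"""RFC 4034 key tag and RFC 4035 5.3.1 candidate-key selection (stdlib only).

Added example, not dnspython's code. Records are in presentation format,
which is what dnspython prints an RRset as. Every key, signature and name
below is constructed for illustration; none is a real key or signature.
"""
import base64
import struct

ZONE_KEY_FLAG = 0x0100  # RFC 4034 s2.1.1, bit 7: key may verify RRSIGs


def parse_dnskey(text):
    """'flags protocol algorithm base64key' -> dict."""
    flags, protocol, algorithm, *key = text.split()
    return {"flags": int(flags), "protocol": int(protocol),
            "algorithm": int(algorithm),
            "pubkey": base64.b64decode("".join(key))}


def dnskey_rdata(key):
    """Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", key["flags"], key["protocol"],
                       key["algorithm"]) + key["pubkey"]


def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B (B.1 for algorithm 1)."""
    if rdata[3] == 1:  # obsolete RSA/MD5: bytes -3 and -2 of the modulus
        return struct.unpack("!H", rdata[-3:-1])[0]
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_rrsig(text):
    """'type alg labels ttl expiration inception keytag signer sig...' -> dict."""
    f = text.split()
    return {"type_covered": f[0], "algorithm": int(f[1]), "labels": int(f[2]),
            "original_ttl": int(f[3]), "expiration": f[4], "inception": f[5],
            "key_tag": int(f[6]), "signer": f[7].lower(),
            "signature": base64.b64decode("".join(f[8:]))}


def usable_for_verification(key):
    """RFC 4034 s2.1.1/s2.1.2: protocol must be 3 and the ZONE flag set."""
    return key["protocol"] == 3 and bool(key["flags"] & ZONE_KEY_FLAG)


def candidate_keys(rrsig, dnskey_owner, dnskeys):
    """DNSKEYs that may verify rrsig: the key-selection part of RFC 4035 s5.3.1.

    Key tags are not unique, so several keys can match; the caller then
    tries the signature against each. The signer name must be the owner
    of the DNSKEY RRset, i.e. the zone apex. Validity-period and actual
    signature checks are separate steps and not done here.
    """
    if rrsig["signer"] != dnskey_owner.lower():
        return []
    return [k for k in dnskeys
            if usable_for_verification(k)
            and k["algorithm"] == rrsig["algorithm"]
            and key_tag(dnskey_rdata(k)) == rrsig["key_tag"]]


# Constructed sample data for a hypothetical zone "example." (not real).
ZONE = "example."
DNSKEYS = [parse_dnskey(s) for s in (
    "257 3 8 AQIDBA==",  # SEP/KSK-style zone key, key tag 2063
    "256 3 8 ECAw",      # ZSK, key tag 17448
    "257 2 8 AQIDBA==",  # protocol 2: invalid (RFC 4034 s2.1.2), tag 1807
    "0 3 8 ECAw",        # ZONE flag clear: must not verify RRSIGs, tag 17192
)]
RRSIGS = [parse_rrsig(s) for s in (
    "DNSKEY 8 1 3600 20120801000000 20120701000000 2063 example. AAEC",
    "A 8 2 3600 20120801000000 20120701000000 17448 example. AAEC",
    "A 8 2 3600 20120801000000 20120701000000 1807 example. AAEC",
    "A 8 2 3600 20120801000000 20120701000000 17192 example. AAEC",
    "A 13 2 3600 20120801000000 20120701000000 17448 example. AAEC",
    "A 8 2 3600 20120801000000 20120701000000 17448 other. AAEC",
)]


def match_report():
    """Number of usable candidate keys per RRSIG, in RRSIGS order."""
    return [len(candidate_keys(r, ZONE, DNSKEYS)) for r in RRSIGS]


if __name__ == "__main__":
    for k in DNSKEYS:
        print(k["flags"], k["protocol"], k["algorithm"],
              key_tag(dnskey_rdata(k)))
    print(match_report())  # [1, 1, 0, 0, 0, 0]
```

The first two signatures resolve to exactly one usable key each; the remaining four show the rejection cases (key with the wrong protocol, key without the ZONE flag, algorithm mismatch, signer that is not the DNSKEY owner). Key tags computed here can be cross-checked against `dns.dnssec.key_id()` on the corresponding dnspython DNSKEY rdata, and once the candidate set is known the signature itself is checked with `dns.dnssec.validate()`.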