Re: [dns-operations] Offline DNSSEC Validation
According to Rithvik Vibhu:

> Does anyone know of an existing library that only does DNSSEC validation
> without resolution? Preferably in go, but any other language will do at
> least as reference.

The dnspython library has a validation routine that takes an rrset, a signature, and a set of dnskeys and tells you whether the signature is good. If you want to follow the DS chain you'll have to do that yourself, but having just written a stunt DNSSEC signing server, I can say that the code to do the chaining would not be hard.

R's,
John

--
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
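The DS-chain step that the reply above says you have to do yourself, as an added example (not from the thread, and not dnspython's code): given a child zone's DNSKEY and the DS record the parent published, this standard-library Python computes the RFC 4034 key tag and DS digest and checks that they match, which is the link between one signed zone and the next on the way to a trust anchor. The RRSIG check itself is left to a library such as dnspython's validate routine; the owner names, flags and key bytes used with it are constructed values, not real zone data.

```python
import base64
import hashlib
import hmac
import struct

# Digest types this example understands (2 = SHA-256, RFC 4509; 4 = SHA-384, RFC 6605).
DS_DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, key_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithm 1 uses a different rule, not handled here)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, flags: int, protocol: int, algorithm: int, key_b64: str, digest_type: int):
    """What the parent publishes for this key: (key tag, algorithm, digest type, hex digest)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest


def dnskey_matches_ds(owner: str, flags: int, protocol: int, algorithm: int, key_b64: str, ds) -> bool:
    """True when the child's DNSKEY is the one the parent's DS record delegates trust to."""
    tag, ds_alg, digest_type, digest_hex = ds
    if not flags & 0x0100:                      # ZONE bit must be set on a key referenced by a DS
        return False
    if protocol != 3 or algorithm != ds_alg or digest_type not in DS_DIGESTS:
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    if key_tag(rdata) != tag:                   # cheap pre-filter before hashing
        return False
    expected = DS_DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()
    return hmac.compare_digest(expected, bytes.fromhex(digest_hex))
```

A full chain check repeats this at every delegation: the DS matches a DNSKEY in the child, that DNSKEY verifies the RRSIG over the child's DNSKEY RRset, and a zone key from that set verifies the child's DS RRset for the next delegation down.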
Re: [dns-operations] Offline DNSSEC Validation
On Mon, Apr 1, 2024 at 10:37 AM Rithvik Vibhu wrote:

> Hi,
>
> I'm looking for a good way to validate DNSSEC for a chain of records,
> offline. I mean: given a list of records (including all RRSIGs, NSECs,
> etc.), verify that all the signatures match and the whole trust chain leads
> to a trust anchor.
>
> I've seen a few libraries, but at least in golang, most packages either
> don't validate DNSSEC on their own (ex: stub resolvers) or the DNSSEC
> validation is tightly integrated with the recursor code that handles
> querying for any required records.
>
> Does anyone know of an existing library that only does DNSSEC validation
> without resolution? Preferably in go, but any other language will do at
> least as reference.

I'm not aware of anything in Go, but getdns (in C) has the function getdns_validate_dnssec() which can do this:

https://getdnsapi.net/documentation/spec/#7-more-helper-functions

(Code in https://github.com/getdnsapi/getdns/blob/develop/src/dnssec.c)

Shumon.
[dns-operations] Offline DNSSEC Validation
Hi,

I'm looking for a good way to validate DNSSEC for a chain of records, offline. I mean: given a list of records (including all RRSIGs, NSECs, etc.), verify that all the signatures match and the whole trust chain leads to a trust anchor.

I've seen a few libraries, but at least in golang, most packages either don't validate DNSSEC on their own (ex: stub resolvers) or the DNSSEC validation is tightly integrated with the recursor code that handles querying for any required records.

Does anyone know of an existing library that only does DNSSEC validation without resolution? Preferably in go, but any other language will do at least as reference.

Thanks,
Rithvik Vibhu