[dns-operations] Offline DNSSEC Validation

Rubens Kuhl rubensk at nic.br
Mon Apr 1 19:57:58 UTC 2024



> On 31 Mar 2024, at 13:10, Rithvik Vibhu <rithvikvibhu at gmail.com> wrote:
> 
> Hi,
> 
> I'm looking for a good way to validate DNSSEC for a chain of records, offline. I mean: given a list of records (including all RRSIGs, NSECs, etc.), verify that all the signatures match and the whole trust chain leads to a trust anchor.
> 
> I've seen a few libraries, but at least in golang, most packages either don't validate DNSSEC on their own (ex: stub resolvers) or the DNSSEC validation is tightly integrated with the recursor code that handles querying for any required records.
> 
> Does anyone know of an existing library that only does DNSSEC validation without resolution? Preferably in go, but any other language will do at least as reference.

https://github.com/zonemaster/zonemaster (uses ldns)

https://github.com/dnsviz/dnsviz (uses dnspython)


Rubens
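
The trust-anchor end of the chain described in the question needs no resolver and no library outside the Go standard library. The following is an added example, not part of the original message and not code from zonemaster or dnsviz: it checks that a DNSKEY is the key a DS record (or trust anchor) commits to, per RFC 4034. It assumes digest type 2 (SHA-256) only, names without escaped dots, and a constructed dummy key; RRSIG verification is not shown.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"strings"
)

// DS mirrors a DS record (RFC 4034 section 5); only digest type 2 (SHA-256) is handled.
type DS struct {
	KeyTag    uint16
	Algorithm uint8
	Digest    [sha256.Size]byte
}

// wireName encodes a name in canonical (lowercased) wire format; "." yields a single zero byte.
func wireName(name string) (out []byte) {
	for _, l := range strings.FieldsFunc(strings.ToLower(name), func(r rune) bool { return r == '.' }) {
		out = append(append(out, byte(len(l))), l...)
	}
	return append(out, 0)
}

// KeyTag is the RFC 4034 Appendix B checksum over the DNSKEY RDATA.
func KeyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		ac += uint32(b) << (8 * uint(1-i%2)) // even offsets are the high byte
	}
	return uint16(ac + (ac >> 16))
}

// MakeDS derives the DS a parent would publish for DNSKEY RDATA (at least 4 bytes) at owner.
func MakeDS(owner string, rdata []byte) DS {
	return DS{KeyTag(rdata), rdata[3], sha256.Sum256(append(wireName(owner), rdata...))}
}

// MatchesDS reports whether the DNSKEY is a zone key that the given DS commits to.
func MatchesDS(owner string, rdata []byte, ds DS) bool {
	// Reject truncated RDATA and keys without the Zone Key flag (0x0100, RFC 4034 5.2).
	return len(rdata) >= 4 && rdata[0]&0x01 != 0 && MakeDS(owner, rdata) == ds
}

func main() {
	// Constructed sample: flags 257, protocol 3, algorithm 13, all-zero dummy key.
	rdata := append([]byte{0x01, 0x01, 3, 13}, make([]byte, 64)...)
	fmt.Println(MatchesDS("Example.", rdata, MakeDS("example.", rdata)))
}
```

The same check applies at every delegation: the DS comes from the parent's signed data, the DNSKEY RDATA from the child's DNSKEY RRset.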



