[dns-operations] DNSSEC validation using DS records as trust anchors

Anand Buddhdev anandb at ripe.net
Tue Jan 3 17:24:07 UTC 2017

On 03/01/2017 17:50, Emil Natan wrote:

Shalom Emil!

> I'm looking for a DNSSEC validation tool/library (ideally
> PHP/Python/shell) which can perform validation on a DNSKEY record using
> a trust anchor provided as a DS record.
> The use case is: the Registry receives a request for a DS delegation data
> update, then it uses this data and the DNSKEY RRSet from the
> authoritative servers to validate the DNSKEY RRSIG.
> Any recommendations will be much appreciated. Thank you in advance.

You can use Zonemaster for this. You install the software, and then you
can use zonemaster-cli to perform such a test. If you install the GUI,
you can also run such a test from a web browser.

However, Zonemaster is quite heavy, and has many dependencies. Another
alternative is Casey Deccio's dnsviz, which is written in Python, and
quite easy to install into a virtualenv. You can use it from the
command-line, and give it NS and DS records, and it will look these up
and do validation, and then generate graphs of the results.

Anand Buddhdev
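
The first half of the check described in this thread, matching a submitted DS record to a key in the child's DNSKEY RRset, shown as an added example that is not part of the original post and is not code from Zonemaster or dnsviz. The function names and the key bytes are constructed for illustration; verifying the DNSKEY RRSIG with the matched key still requires a validator with signature support.

```python
import hashlib

# DS digest type -> hash constructor (1 = SHA-1, 2 = SHA-256, 4 = SHA-384)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical (lowercased, uncompressed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B checksum (not valid for algorithm 1, RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS tuple (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def find_anchor_key(owner, ds, dnskey_rdatas):
    """Return the DNSKEY RDATA the submitted DS refers to, or None."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        return None  # unknown digest type: the DS cannot serve as an anchor
    want = digest.lower().replace(" ", "")
    for rdata in dnskey_rdatas:
        flags = int.from_bytes(rdata[:2], "big")
        if not flags & 0x0100:  # the Zone Key bit must be set (RFC 4034, 5.2)
            continue
        if rdata[3] != alg or key_tag(rdata) != tag:
            continue  # cheap pre-filter; the digest comparison is what binds
        if make_ds(owner, rdata, dtype)[3] == want:
            return rdata
    return None

if __name__ == "__main__":
    # Constructed sample: placeholder key bytes, not real public keys.
    ksk = dnskey_rdata(257, 3, 13, bytes(64))
    zsk = dnskey_rdata(256, 3, 13, bytes(range(64)))
    submitted = make_ds("example.com.", ksk)
    match = find_anchor_key("example.com.", submitted, [zsk, ksk])
    print("DS", submitted[:3], "matches KSK:", match == ksk)
```

A registry would accept the DS update only if this lookup returns a key and that key's signature over the DNSKEY RRset then verifies.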
