[dns-operations] DNSSEC validation using DS records as trust anchors

Anand Buddhdev anandb at ripe.net
Tue Jan 3 17:24:07 UTC 2017


On 03/01/2017 17:50, Emil Natan wrote:

Shalom Emil!

> I'm looking for a DNSSEC validation tool/library (ideally
> PHP/Python/shell) which can perform validation on a DNSKEY record using
> a trust anchor provided as a DS record.
> The use case is that the Registry receives a request for a DS delegation
> data update, then uses this data and the DNSKEY RRSet from the
> authoritative servers to validate the DNSKEY RRSIG.
> Any recommendations will be much appreciated. Thank you in advance.

You can use Zonemaster for this. You install the software, and then you
can use zonemaster-cli to perform such a test. If you install the GUI,
you can also run such a test from a web browser.

However, Zonemaster is quite heavy, and has many dependencies. Another
alternative is Casey Deccio's dnsviz, which is written in Python, and
quite easy to install into a virtualenv. You can use it from the
command-line, and give it NS and DS records, and it will look these up
and do validation, and then generate graphs of the results.

Regards,
Anand Buddhdev
RIPE NCC
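
The first half of the check discussed in this thread, as an added example that is not part of the original message and is not code from Zonemaster or dnsviz: matching a submitted DS against the child's DNSKEY RRset using the RFC 4034 key tag and digest. It does not verify the RRSIG over the DNSKEY RRset, which still needs a validator such as the tools named above; the function names and the sample keys are constructed for illustration.

```python
import base64, hashlib, struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (does not apply to algorithm 1)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner name in wire form | DNSKEY RDATA), as hex."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()

def match_ds(owner, ds, dnskeys):
    """ds = (key_tag, algorithm, digest_type, digest_hex); dnskeys = list of
    (flags, protocol, algorithm, pubkey_b64). Returns the matching key or None."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS:
        raise ValueError("unsupported DS digest type %d" % dtype)
    for key in dnskeys:
        flags, protocol, key_alg, _ = key
        if not flags & 0x0100 or protocol != 3 or key_alg != alg:  # Zone Key bit
            continue
        rdata = dnskey_rdata(*key)
        if key_tag(rdata) == tag and ds_digest(owner, rdata, dtype) == digest.replace(" ", "").lower():
            return key
    return None

# Constructed sample data (not real keys): a ZSK and a KSK for "example."
ZSK = (256, 3, 13, base64.b64encode(bytes(range(64, 128))).decode())
KSK = (257, 3, 13, base64.b64encode(bytes(range(64))).decode())
KSK_RDATA = dnskey_rdata(*KSK)
SUBMITTED_DS = (key_tag(KSK_RDATA), 13, 2, ds_digest("example.", KSK_RDATA, 2))

if __name__ == "__main__":
    print("DS matches:", match_ds("example.", SUBMITTED_DS, [ZSK, KSK]))
```
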


