[dns-operations] DNSSEC validation using DS records as trust anchors

Casey Deccio casey at deccio.net
Tue Jan 3 17:40:31 UTC 2017


> On Jan 3, 2017, at 9:50 AM, Emil Natan <e at foowatch.com> wrote:
> 
> I'm looking for DNSSEC validation tool/library (ideally PHP/Python/shell) which can perform validation on a DNSKEY record using trust anchor provided as DS record.
> The use case is Registry receives request for DS delegation data update, then it uses this data and the DNSKEY RRSet from the authoritative servers to validate the DNSKEY RRSIG.
> Any recommendations will be much appreciated. Thank you in advance.

This isn't exactly what you were looking for, but DNSViz [1] has commands for checking a new DS RRset against DNSKEYs currently deployed on authoritative servers.

dnsviz probe -A -N example.com:a.iana-servers.net,b.iana-servers.net -D example.com:dsset-example.com. -R dnskey example.com > foo.json

This tests the DS records for example.com found in dsset-example.com. against the DNSKEY records deployed on servers authoritative for example.com (Note that at the moment the -N argument is required to supply the delegation NS names and glue addresses, if necessary.  This will probably be simplified in a future release.)

The result can then be assessed using one of the following:

dnsviz print < foo.json
dnsviz graph -Thtml -O < foo.json
dnsviz grok -lwarning < foo.json

Or it can be done together:

dnsviz probe -A -N example.com:a.iana-servers.net,b.iana-servers.net -D example.com:dsset-example.com. -R dnskey example.com | dnsviz print

Cheers,
Casey

[1] https://github.com/dnsviz/dnsviz
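An added example (not from this message and not DNSViz code) of the matching step behind the registry use case quoted above, in plain Python with no third-party modules: decide whether a DNSKEY fetched from the authoritative servers corresponds to the DS the registry received, by recomputing the key tag and DS digest (RFC 4034) and checking the RFC 4035 section 5.2 conditions. It stops short of verifying the RRSIG over the DNSKEY RRset, which needs a crypto library (dnspython's dns.dnssec.validate does that once a matching key is found); every record value in the test is constructed, not a real key.

```python
import base64
import hashlib
from collections import namedtuple

# Added example (not from the thread or DNSViz): match a DNSKEY to a DS trust anchor,
# the step before verifying the RRSIG over the DNSKEY RRset (RFC 4034 s.5, RFC 4035 s.5.2).
DNSKEY = namedtuple("DNSKEY", "flags protocol algorithm public_key")  # public_key: raw bytes
DS = namedtuple("DS", "key_tag algorithm digest_type digest")          # digest: raw bytes
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}     # DS digest types

def parse_dnskey(text: str) -> DNSKEY:
    """Presentation format '257 3 13 <base64>'; the base64 may be split by spaces."""
    flags, proto, alg, *b64 = text.split()
    return DNSKEY(int(flags), int(proto), int(alg), base64.b64decode("".join(b64)))

def parse_ds(text: str) -> DS:
    """Presentation format '1554 13 2 <hex digest>'; the hex may be split by spaces."""
    tag, alg, dtype, *hexparts = text.split()
    return DS(int(tag), int(alg), int(dtype), bytes.fromhex("".join(hexparts)))

def name_to_wire(name: str) -> bytes:
    """Canonical owner name: lowercased labels with length prefixes and root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(key: DNSKEY) -> bytes:
    """DNSKEY RDATA wire form: flags (2 bytes), protocol, algorithm, public key."""
    return key.flags.to_bytes(2, "big") + bytes([key.protocol, key.algorithm]) + key.public_key

def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B (obsolete algorithm-1 special case omitted)."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(dnskey_rdata(key)))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, key: DNSKEY, digest_type: int = 2) -> DS:
    """DS digest = hash(canonical owner name | DNSKEY RDATA), RFC 4034 s.5.1.4."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + dnskey_rdata(key)).digest()
    return DS(key_tag(key), key.algorithm, digest_type, digest)

def ds_matches_dnskey(owner: str, ds: DS, key: DNSKEY) -> bool:
    """RFC 4035 s.5.2: zone-key flag, protocol 3, matching algorithm, key tag and digest."""
    if ds.digest_type not in DIGESTS or ds.algorithm != key.algorithm:
        return False
    if not (key.flags & 0x0100) or key.protocol != 3 or ds.key_tag != key_tag(key):
        return False
    return make_ds(owner, key, ds.digest_type).digest == ds.digest
```

A key that fails ds_matches_dnskey must not be used to verify the DNSKEY RRSIG, even if it is present in the zone's DNSKEY RRset.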
