[dns-operations] DNSSEC validation using DS records as trust anchors
casey at deccio.net
Tue Jan 3 17:40:31 UTC 2017
> On Jan 3, 2017, at 9:50 AM, Emil Natan <e at foowatch.com> wrote:
> I'm looking for DNSSEC validation tool/library (ideally PHP/Python/shell) which can perform validation on a DNSKEY record using trust anchor provided as DS record.
> The use case is Registry receives request for DS delegation data update, then it uses this data and the DNSKEY RRSet from the authoritative servers to validate the DNSKEY RRSIG.
> Any recommendations will be much appreciated. Thank you in advance.
This isn't exactly what you were looking for, but DNSViz has commands for checking a new DS RRset against DNSKEYs currently deployed on authoritative servers.
dnsviz probe -A -N example.com:a.iana-servers.net,b.iana-servers.net -D example.com:dsset-example.com. -R dnskey example.com > foo.json
This tests the DS records for example.com found in dsset-example.com. against the DNSKEY records deployed on servers authoritative for example.com. (Note that at the moment the -N argument is required to supply the delegation NS names and glue addresses, if necessary. This will probably be simplified in a future release.)
The result can then be assessed using one of the following:
dnsviz print < foo.json
dnsviz graph -Thtml -O < foo.json
dnsviz grok -lwarning < foo.json
Or it can be done together:
dnsviz probe -A -N example.com:a.iana-servers.net,b.iana-servers.net -D example.com:dsset-example.com. -R dnskey example.com | dnsviz print
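As an added illustration of the first half of the check discussed in this thread (whether a submitted DS record actually refers to a DNSKEY published in the child zone), here is a small standalone Python script; it is not part of DNSViz or of either poster's setup. It computes the RFC 4034 key tag and the DS digest (SHA-1, SHA-256 or SHA-384) from an owner name and a DNSKEY presentation-format record, and reports which DNSKEY in a set a given DS matches. The owner name, the DNSKEY record "257 3 8 AQIDBA==" and the DS derived from it are constructed sample values, not a real zone key; the function names are this example's own.

```python
import base64
import hashlib

# Constructed sample data (not a real key): a KSK for example.com with a
# four-byte "public key" so the key tag can be checked by hand (it is 2063).
SAMPLE_OWNER = "example.com."
SAMPLE_DNSKEY = "257 3 8 AQIDBA=="   # flags=257 (Zone Key + SEP), protocol=3, alg=8 (RSASHA256)

# DS digest types from the IANA registry, mapped to hashlib constructors.
DS_DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical (lowercase) wire-format owner name, RFC 4034 section 6.2."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def parse_dnskey(text):
    """Turn 'flags protocol algorithm base64key' into DNSKEY RDATA bytes."""
    flags, proto, alg, *key = text.split()
    return (int(flags).to_bytes(2, "big")
            + bytes([int(proto), int(alg)])
            + base64.b64decode("".join(key)))


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """Hex DS digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    h = DS_DIGEST_ALGS.get(digest_type)
    if h is None:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    return h(name_to_wire(owner) + rdata).hexdigest()


def make_ds(owner, dnskey_text, digest_type=2):
    """Build the DS presentation record for a DNSKEY (what a registrant would submit)."""
    rdata = parse_dnskey(dnskey_text)
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {ds_digest(owner, rdata, digest_type).upper()}"


def parse_ds(text):
    tag, alg, dtype, *digest = text.split()
    return int(tag), int(alg), int(dtype), "".join(digest).lower()


def find_matching_dnskey(owner, ds_text, dnskey_texts):
    """Return the DNSKEY record the DS refers to, or None if no published key matches.

    A key is only eligible if it has the Zone Key flag set and protocol 3
    (RFC 4034 sections 2.1.1 and 2.1.2); then algorithm, key tag and digest
    must all agree with the DS.
    """
    tag, alg, dtype, digest = parse_ds(ds_text)
    for text in dnskey_texts:
        rdata = parse_dnskey(text)
        flags = int.from_bytes(rdata[:2], "big")
        if not (flags & 0x0100) or rdata[2] != 3:
            continue
        if rdata[3] != alg or key_tag(rdata) != tag:
            continue
        try:
            if ds_digest(owner, rdata, dtype) == digest:
                return text
        except ValueError:
            continue   # digest type we cannot compute: this DS cannot be used
    return None


if __name__ == "__main__":
    ds = make_ds(SAMPLE_OWNER, SAMPLE_DNSKEY)
    print("derived DS:", ds)
    print("matches:", find_matching_dnskey(SAMPLE_OWNER, ds, [SAMPLE_DNSKEY]))
```

This covers only the DS-to-DNSKEY linkage; the second step the original question asks about (checking that the DNSKEY RRset's RRSIG was made by the key the DS points to) needs public-key signature verification, for which a library such as dnspython's dns.dnssec module is the usual choice in Python rather than hand-rolled crypto.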