[dns-operations] DNSSEC validation using DS records as trust anchors

Tony Finch dot at dotat.at
Tue Jan 3 20:52:46 UTC 2017

Emil Natan <e at foowatch.com> wrote:


> I'm looking for DNSSEC validation tool/library (ideally
> PHP/Python/shell)
> which can perform validation on a DNSKEY record using trust anchor

> provided as DS record.

This probably doesn't solve enough of your problem, but you can use
BIND's dnssec-dsfromkey or ldns's key2ds programs. Convert each KSK to a
DS using either of these programs, and check that one matches the DS
from the parent zone.



f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--
  zr8h punycode

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20170103/16d42a60/attachment.html>

More information about the dns-operations mailing list