[dns-operations] DNSSEC validation using DS records as trust anchors

Hugo Salgado-Hernández hsalgado at nic.cl
Wed Jan 4 12:33:05 UTC 2017


Hi Emil.
You can use the "drill" command (part of ldns-utils in some distros)
and chase a signature with a given trust anchor:

% drill -S -k ds-file-requested @n.vulcano.cl vulcano.cl dnskey
;; Number of trusted keys: 2
;; Chasing: vulcano.cl. DNSKEY


DNSSEC Trust tree:
vulcano.cl. (DNSKEY)
|---vulcano.cl. (DNSKEY keytag: 4379 alg: 7 flags: 256)
|---vulcano.cl. (DNSKEY keytag: 15345 alg: 7 flags: 257)
;; Chase successful


Best,

Hugo

On 11:50 03/01, Emil Natan wrote:
> Hello,
> 
> I'm looking for a DNSSEC validation tool/library (ideally PHP/Python/shell) which can perform validation on a DNSKEY record using a trust anchor provided as a DS record.
> The use case is that the Registry receives a request for a DS delegation data update, then it uses this data and the DNSKEY RRSet from the authoritative servers to validate the DNSKEY RRSIG.
> Any recommendations will be much appreciated. Thank you in advance.
> 
> Emil

> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

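Added example (not part of the original thread, and not code from ldns): Python, standard library only, for the first half of the registry check discussed above, matching a submitted DS against the DNSKEY RRset by key tag, algorithm and digest as defined in RFC 4034. It does not verify the RRSIG over the DNSKEY RRset, which the drill chase above does; the owner name example.test. and the key bytes are constructed placeholders, and the function names are this example's own.

```python
import base64
import hashlib

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def dnskey_rdata(text):
    """Parse 'flags protocol algorithm base64...' into DNSKEY RDATA bytes."""
    flags, proto, alg, *b64 = text.split()
    key = base64.b64decode("".join(b64))
    return int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (does not cover algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """Build the DS presentation string a parent would publish for this key."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest.upper()}"

def ds_matches(owner, ds_text, rdata):
    """True if the DS (tag, algorithm, digest) identifies this DNSKEY."""
    tag, alg, dtype, *hexparts = ds_text.split()
    if int(dtype) not in DIGESTS:
        raise ValueError(f"unsupported DS digest type {dtype}")
    if not int.from_bytes(rdata[:2], "big") & 0x0100:  # Zone Key bit must be set
        return False
    if int(tag) != key_tag(rdata) or int(alg) != rdata[3]:
        return False
    digest = DIGESTS[int(dtype)](name_to_wire(owner) + rdata).digest()
    return digest == bytes.fromhex("".join(hexparts))

def find_anchor_key(owner, ds_text, dnskeys):
    """Return the first DNSKEY text in the RRset that the DS anchors, else None."""
    return next((k for k in dnskeys if ds_matches(owner, ds_text, dnskey_rdata(k))), None)

if __name__ == "__main__":
    # Constructed sample keys (not real key material): one ZSK, one KSK.
    rrset = ["256 3 8 AQIDBA==", "257 3 8 BQYHCAkK"]
    ds = make_ds("example.test.", dnskey_rdata(rrset[1]))
    print("DS:", ds)
    print("anchored key:", find_anchor_key("Example.TEST", ds, rrset))
```

A DS that matches no key in the RRset fetched from the authoritative servers should be rejected before any signature check is attempted.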