[dns-operations] DNSSEC validation using DS records as trust anchors

Hugo Salgado-Hernández hsalgado at nic.cl
Wed Jan 4 12:33:05 UTC 2017

Hi Emil.
You can use "drill" command (part of ldns-utils in some distros)
and chase a signature with a given trust anchor:

% drill -S -k ds-file-requested @n.vulcano.cl vulcano.cl dnskey
;; Number of trusted keys: 2
;; Chasing: vulcano.cl. DNSKEY

DNSSEC Trust tree:
vulcano.cl. (DNSKEY)
|---vulcano.cl. (DNSKEY keytag: 4379 alg: 7 flags: 256)
|---vulcano.cl. (DNSKEY keytag: 15345 alg: 7 flags: 257)
;; Chase successful



On 11:50 03/01, Emil Natan wrote:
> Hello,
> I'm looking for DNSSEC validation tool/library (ideally PHP/Python/shell) which can perform validation on a DNSKEY record using trust anchor provided as DS record.
> The use case is Registry receives request for DS delegation data update, then it uses this data and the DNSKEY RRSet from the authoritative servers to validate the DNSKEY RRSIG.
> Any recommendations will be much appreciated. Thank you in advance.
> Emil

> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20170104/107e9120/attachment.sig>

More information about the dns-operations mailing list