[dns-operations] Checking for signatures of a certain DNSKEY within a zone
Klaus Darilion
klaus.mailinglists at pernau.at
Mon Jul 5 15:05:13 UTC 2021
Hi all!
In my DNSSEC key rollover processes, before deleting a key and when
activating a key, I check if the signed zone contains signatures from
the respective key. Up to now this was more or less:
dig ... axfr | grep RRSIG | grep $KEYID
This worked fine for a long time but when having keys with the same keyid
this obviously does not work anymore. So I want to change my code to
additionally check if the signature can be verified with the respective
public key. Are there any tools (bash, php ...) which accept a single
RRSIG RR and a single DNSKEY RR and do the validation?
Thanks
Klaus