[dns-operations] Checking for signatures of a certain DNSKEY within a zone

Klaus Darilion klaus.mailinglists at pernau.at
Mon Jul 5 15:05:13 UTC 2021

Hi all!

In my DNSSEC key rollover processes, before deleting a key and when 
activating a key, I check if the signed zone contains signatures from 
the respective key. Up to know this was more or less:

   dig ... axfr | grep RRSIG | grep $KEYID

This worked fine for long time but when having keys with the same keyid 
this obviously does not work anymore. So I want to change my code to 
additionally check if the signature can be verified with the respective 
public key. Are there any tools (bash, php ...)  which accepts single 
RRSIG RR and single DNSKEY RR and does the validation?


More information about the dns-operations mailing list