[dns-operations] Offline DNSSEC Validation

Shumon Huque shuque at gmail.com
Mon Apr 1 19:29:35 UTC 2024

On Mon, Apr 1, 2024 at 10:37 AM Rithvik Vibhu <rithvikvibhu at gmail.com>

> Hi,
> I'm looking for a good way to validate DNSSEC for a chain of records,
> offline. I mean: given a list of records (including all RRSIGs, NSECs,
> etc.), verify that all the signatures match and the whole trust chain leads
> to a trust anchor.
> I've seen a few libraries, but at least in golang, most packages either
> don't validate DNSSEC on their own (ex: stub resolvers) or the DNSSEC
> validation is tightly integrated with the recursor code that handles
> querying for any required records.
> Does anyone know of an existing library that only does DNSSEC validation
> without resolution? Preferably in go, but any other language will do at
> least as reference.

I'm not aware of anything in Go, but getdns (in C) has the function
getdns_validate_dnssec() which can do this:


(Code in https://github.com/getdnsapi/getdns/blob/develop/src/dnssec.c )
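Since the question asks for validation without resolution and the only pointer in the thread is getdns in C, the following is an added Python example (written for this page; it is not code from the thread, from getdns, or from any Go package) that performs the offline check end to end for RSASHA256 using only the standard library: canonical RRset encoding, the signed RRSIG prefix, PKCS#1 v1.5 verification, DS computation, key-tag and validity-window checks, and a three-step chain from a configured trust-anchor DS through the zone's self-signed DNSKEY RRset to a signed A RRset. Everything it operates on is constructed inside the block for the demonstration: the zone `example.`, a single combined signing key with flags 257, a deterministic 512-bit toy RSA key (far too small for real use) and the 192.0.2.x documentation addresses. It deliberately omits other algorithms, NSEC/NSEC3 denial-of-existence proofs, wildcard label checks and RFC 1982 serial-number comparison of the validity window.

```python
import hashlib, math, random, struct

RSASHA256, TYPE_A, TYPE_DNSKEY, CLASS_IN = 8, 1, 48, 1
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 DER prefix

def name_wire(name):
    """Canonical (lowercase, uncompressed) wire form of a name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def canonical_rrset(owner, rtype, ttl, rdatas):
    """RR(i) blocks in canonical RDATA order, with the RRSIG's original TTL, RFC 4034 section 6.3."""
    return b"".join(name_wire(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(r)) + r
                    for r in sorted(rdatas))

def key_tag(dnskey):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(dnskey))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def dnskey_rdata(flags, e, n):
    """flags | protocol 3 | algorithm | RFC 3110 RSA key (exponent length byte, exponent, modulus)."""
    exp, mod = (x.to_bytes((x.bit_length() + 7) // 8, "big") for x in (e, n))
    return struct.pack("!HBB", flags, 3, RSASHA256) + bytes([len(exp)]) + exp + mod

def ds_digest(zone, dnskey):
    """DS digest type 2 = SHA-256(owner name wire || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    return hashlib.sha256(name_wire(zone) + dnskey).digest()

def rrsig_prefix(fields):
    """RRSIG RDATA without the Signature field. fields = (type covered, labels, original TTL,
    expiration, inception, key tag, signer name); prefix || canonical RRset is what gets signed."""
    return struct.pack("!HBBIIIH", fields[0], RSASHA256, *fields[1:6]) + name_wire(fields[6])

def emsa_pkcs1_v15(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) to k bytes, RFC 8017 section 9.2."""
    t = DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_rrsig(owner, rtype, rdatas, fields, signature, dnskey, now):
    """RFC 4035 section 5.3: type/algorithm/key-tag binding, validity window, then RSA verify."""
    type_covered, _, orig_ttl, expiration, inception, keytag, _ = fields
    if (type_covered != rtype or dnskey[3] != RSASHA256 or keytag != key_tag(dnskey)
            or not inception <= now <= expiration):   # real code: RFC 1982 serial arithmetic
        return False
    elen = dnskey[4]                                   # RFC 3110 public key layout
    e, n = int.from_bytes(dnskey[5:5 + elen], "big"), int.from_bytes(dnskey[5 + elen:], "big")
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(signature, "big")
    signed = rrsig_prefix(fields) + canonical_rrset(owner, rtype, orig_ttl, rdatas)
    ok = len(signature) == k and s < n
    return ok and pow(s, e, n).to_bytes(k, "big") == emsa_pkcs1_v15(signed, k)

def validate_chain(trust_anchor_ds, zone, dnskeys, dnskey_sig, rrset, rrset_sig, now):
    """dnskeys: apex DNSKEY RDATAs; *_sig: (rrsig fields, signature); rrset: (owner, type, rdatas).
    1) some DNSKEY hashes to the trust-anchor DS, 2) that key validates the DNSKEY RRset,
    3) any key of the now-trusted DNSKEY RRset validates the target RRset."""
    anchored = [k for k in dnskeys if ds_digest(zone, k) == trust_anchor_ds]
    if not any(verify_rrsig(zone, TYPE_DNSKEY, dnskeys, *dnskey_sig, k, now) for k in anchored):
        return False
    return any(verify_rrsig(*rrset, *rrset_sig, k, now) for k in dnskeys)

def _probable_prime(n, rounds=16):
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                            # Miller-Rabin, n odd and > 3 here
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            if (x := pow(x, 2, n)) == n - 1:
                break
        else:
            return False
    return True

def toy_rsa_keypair(bits=512):
    """Constructed demo key: toy size, seeded so the sample is reproducible. Returns (e, d, n)."""
    random.seed(0xDEC0DE)
    def prime():                                      # random odd candidate with the top bit set
        while True:
            c = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _probable_prime(c):
                return c
    p, q = prime(), prime()
    while p == q or math.gcd(65537, (p - 1) * (q - 1)) != 1:
        p, q = prime(), prime()
    return 65537, pow(65537, -1, (p - 1) * (q - 1)), p * q

def sign_rrset(owner, rtype, rdatas, fields, d, n):
    """Signer side, used only to build the sample: RSASSA-PKCS1-v1_5 over prefix || canonical RRset."""
    k = (n.bit_length() + 7) // 8
    em = emsa_pkcs1_v15(rrsig_prefix(fields) + canonical_rrset(owner, rtype, fields[2], rdatas), k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def build_sample(now):
    """Constructed zone 'example.' with one combined signing key (flags 257 = ZONE|SEP) signing
    its own DNSKEY RRset and www.example. A. Returns validate_chain()'s arguments except now."""
    e, d, n = toy_rsa_keypair()
    zone, owner, csk = "example.", "www.example.", dnskey_rdata(257, e, n)
    incep, expir = now - 3600, now + 86400
    key_fields = (TYPE_DNSKEY, 1, 3600, expir, incep, key_tag(csk), zone)   # 'example.' = 1 label
    a_fields = (TYPE_A, 2, 300, expir, incep, key_tag(csk), zone)           # 'www.example.' = 2
    a_rdatas = [bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])]                # RFC 5737 addresses
    dnskey_sig = (key_fields, sign_rrset(zone, TYPE_DNSKEY, [csk], key_fields, d, n))
    a_sig = (a_fields, sign_rrset(owner, TYPE_A, a_rdatas, a_fields, d, n))
    return ds_digest(zone, csk), zone, [csk], dnskey_sig, (owner, TYPE_A, a_rdatas), a_sig
```

`validate_chain(*build_sample(now), now)` returns True for the constructed zone and False if an A record is altered, the validity window has passed, or a different DS is configured as the anchor. The function covers one zone; walking a full delegation chain offline is the same three steps repeated per zone, with the child's DS RRset, verified under the parent's DNSKEYs, serving as the child's anchor in place of the configured root trust anchor.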
