[dns-operations] Offline DNSSEC Validation

Shumon Huque shuque at gmail.com
Mon Apr 1 19:29:35 UTC 2024


On Mon, Apr 1, 2024 at 10:37 AM Rithvik Vibhu <rithvikvibhu at gmail.com>
wrote:

> Hi,
>
> I'm looking for a good way to validate DNSSEC for a chain of records,
> offline. I mean: given a list of records (including all RRSIGs, NSECs,
> etc.), verify that all the signatures match and the whole trust chain leads
> to a trust anchor.
>
> I've seen a few libraries, but at least in golang, most packages either
> don't validate DNSSEC on their own (ex: stub resolvers) or the DNSSEC
> validation is tightly integrated with the recursor code that handles
> querying for any required records.
>
> Does anyone know of an existing library that only does DNSSEC validation
> without resolution? Preferably in go, but any other language will do at
> least as reference.
>

I'm not aware of anything in Go, but getdns (in C) has the function
getdns_validate_dnssec() which can do this:

https://getdnsapi.net/documentation/spec/#7-more-helper-functions

(Code in https://github.com/getdnsapi/getdns/blob/develop/src/dnssec.c )

Shumon.
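An added example (mine, not code from the thread or from getdns) of the one link in that chain that needs no cryptography library: matching a child zone's DNSKEY to the DS its parent publishes, which is how an offline check walks from the leaf up to a trust anchor. It uses only the Python standard library; the KSK, owner names and DS below are constructed, and RRSIG verification over each RRset (the other half of validation) is not shown.

```python
import hashlib
from typing import List, NamedTuple, Optional
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # RFC 4034 s5.1.3 digest types

class DNSKEY(NamedTuple):
    owner: str          # apex owner name, e.g. "example.com."
    flags: int          # 257 = KSK (zone key + SEP bit), 256 = ZSK
    protocol: int       # always 3 for DNSSEC
    algorithm: int      # e.g. 13 = ECDSAP256SHA256
    public_key: bytes   # raw key material (base64-decoded from presentation form)

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

def canonical_name(name: str) -> bytes:
    """RFC 4034 section 6.2 owner name: lowercase, length-prefixed labels, terminating root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit sum over the DNSKEY RDATA, end-around carry folded in."""
    ac = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_for(key: DNSKEY, digest_type: int = 2) -> DS:
    """RFC 4034 section 5.1.4: the DS a parent publishes, digest(canonical owner | DNSKEY RDATA)."""
    digest = DS_DIGEST[digest_type](canonical_name(key.owner) + key.rdata()).digest()
    return DS(key_tag(key.rdata()), key.algorithm, digest_type, digest)

def anchored_key(ds_rrset: List[DS], dnskey_rrset: List[DNSKEY]) -> Optional[DNSKEY]:
    """First child DNSKEY that a parent DS commits to; tag and algorithm only pre-filter, the digest decides."""
    for key in dnskey_rrset:
        for ds in ds_rrset:
            if ds.digest_type not in DS_DIGEST or ds.algorithm != key.algorithm:
                continue
            if ds == ds_for(key, ds.digest_type):
                return key
    return None

# Constructed sample (not a real zone key): a toy KSK and the DS its parent would hold.
KSK = DNSKEY("Example.COM.", 257, 3, 13, b"\x01\x02\x03\x04")
PARENT_DS = [ds_for(KSK)]
```

Walking a real chain means repeating this DS-to-DNSKEY step at every zone cut from the trust anchor down, and verifying the RRSIG over each DNSKEY and DS RRset with the key selected at the step above it.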