[dns-operations] Offline DNSSEC Validation

John Levine johnl at taugh.com
Mon Apr 1 20:28:47 UTC 2024

According to Rithvik Vibhu <rithvikvibhu at gmail.com>:
>Does anyone know of an existing library that only does DNSSEC validation
>without resolution? Preferably in go, but any other language will do at
>least as reference.

The dnspython library has a validation routine that takes an rrset, a
signature, and a set of dnskeys and tells you whether the signature is
good. If you want to follow the DS chain you'll have to do that
yourself but having just written a stunt DNSSEC signing server, I can
say that the code to do the chaining would not be hard.

John Levine, johnl at taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
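
The DS-chaining step mentioned above, as an added example that is not part of the original message and is not dnspython code: it works offline on wire-format RDATA and picks out the child-zone DNSKEYs that a parent-zone DS record vouches for (RFC 4034), which are the keys one would then hand to a signature validation routine. The owner name "example." and the key bytes are constructed sample values, and every function name here is hypothetical.

```python
import hashlib
import struct
# DS digest type -> hash function (RFC 4034, RFC 4509, RFC 6605)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical wire form of an owner name: lower-cased, uncompressed."""
    out = b""
    for label in filter(None, name.rstrip(".").split(".")):
        raw = label.lower().encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA in wire format: flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B (not for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata, digest_type=2):
    """DS fields (key tag, algorithm, digest type, digest) for a DNSKEY."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches(owner, ds, rdata):
    tag, alg, dtype, digest = ds
    if dtype not in DIGESTS or (tag, alg) != (key_tag(rdata), rdata[3]):
        return False          # unknown digest type or a different key
    return make_ds(owner, rdata, dtype)[3] == digest

def trusted_keys(owner, ds_set, dnskey_set):
    """Child DNSKEYs (Zone Key bit set, protocol 3) that a parent DS vouches for."""
    out = []
    for rdata in dnskey_set:
        flags, protocol = struct.unpack("!HB", rdata[:3])
        if flags & 0x0100 and protocol == 3 and any(
                ds_matches(owner, ds, rdata) for ds in ds_set):
            out.append(rdata)
    return out

# Constructed sample data: the key bytes are not real keys.
KSK = dnskey_rdata(257, 3, 13, bytes(range(64)))
ZSK = dnskey_rdata(256, 3, 13, bytes(range(64, 128)))
DS_SET = [make_ds("example.", KSK)]
```

The key tag is only a lookup hint: a DNSKEY that collides on tag and algorithm is still rejected unless the digest over owner name plus RDATA matches the DS.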
