[dns-operations] Offline DNSSEC Validation

Rithvik Vibhu rithvikvibhu at gmail.com
Sun Mar 31 16:10:15 UTC 2024


I'm looking for a good way to validate DNSSEC for a chain of records,
offline. I mean: given a list of records (including all RRSIGs, NSECs,
etc.), verify that all the signatures match and the whole trust chain leads
to a trust anchor.

I've seen a few libraries, but at least in golang, most packages either
don't validate DNSSEC on their own (ex: stub resolvers) or the DNSSEC
validation is tightly integrated with the recursor code that handles
querying for any required records.

Does anyone know of an existing library that only does DNSSEC validation
without resolution? Preferably in go, but any other language will do at
least as reference.

Rithvik Vibhu
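
One link of the chain described in the question can be checked from the records alone. The following Go example is added here and is not part of the original post; it uses only the standard library and tests whether a parent-zone DS record commits to a child DNSKEY. The type and function names and the 4-byte sample key are constructed for illustration, and RRSIG verification over canonical RRsets is outside its scope.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"strings"
)

// RDATA fields per RFC 4034 sections 2 and 5; only SHA-256 digests are modeled.
type DNSKEY struct{ Flags uint16; Protocol, Algorithm uint8; PublicKey []byte }
type DS struct{ KeyTag uint16; Algorithm, DigestType uint8; Digest [32]byte }
func (k DNSKEY) rdata() []byte { // DNSKEY RDATA in wire format
	return append([]byte{byte(k.Flags >> 8), byte(k.Flags), k.Protocol, k.Algorithm}, k.PublicKey...)
}

// KeyTag is the RFC 4034 Appendix B checksum (not valid for algorithm 1).
func (k DNSKEY) KeyTag() uint16 {
	var ac uint32
	for i, c := range k.rdata() {
		ac += uint32(c) << (8 * uint(1-i%2)) // even offsets are the high byte
	}
	return uint16(ac + ac>>16)
}

// wireName is the canonical lowercased wire form (assumes no escaped dots).
func wireName(name string) []byte {
	var out []byte
	for _, l := range strings.Split(strings.ToLower(name), ".") {
		if l != "" {
			out = append(append(out, byte(len(l))), l...)
		}
	}
	return append(out, 0)
}

// MakeDS derives the digest type 2 (SHA-256, RFC 4509) DS for k at owner.
func MakeDS(owner string, k DNSKEY) DS {
	return DS{k.KeyTag(), k.Algorithm, 2, sha256.Sum256(append(wireName(owner), k.rdata()...))}
}
// MatchesDS reports whether the parent's DS commits to this child DNSKEY.
func MatchesDS(owner string, k DNSKEY, ds DS) bool {
	zoneKey := k.Flags&0x0100 != 0 && k.Protocol == 3 // RFC 4034 section 2.1
	return zoneKey && ds == MakeDS(owner, k)
}

func main() {
	key := DNSKEY{257, 3, 13, []byte{1, 2, 3, 4}} // constructed stand-in, not a real key
	fmt.Println(key.KeyTag(), MatchesDS("Example.COM.", key, MakeDS("example.com.", key)))
}
```

A full offline validator would repeat this DS check at every delegation from the trust anchor down and verify each RRSIG against the DNSKEY RRset it has accepted.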