<p dir="ltr">BIND and libdns both have tools to take a DNSKEY as input and output a DS. Then you can compare if that DS matches.</p>
<p dir="ltr">I think that is almost what you asked for? </p>
<br><div class="gmail_quote"><div dir="ltr">On Tue, 3 Jan 2017 14:00 Emil Natan, &lt;<a href="mailto:e@foowatch.com">e@foowatch.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_msg">Hello,<br class="gmail_msg"></div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">I'm looking for a DNSSEC validation tool/library (ideally PHP/Python/shell) which can perform validation on a DNSKEY record using a trust anchor provided as a DS record.<br class="gmail_msg"></div><div class="gmail_msg">The use case is: the Registry receives a request for a DS delegation data update, then it uses this data and the DNSKEY RRSet from the authoritative servers to validate the DNSKEY RRSIG.<br class="gmail_msg"></div><div class="gmail_msg">Any recommendations will be much appreciated. Thank you in advance.<br class="gmail_msg"></div><div class="gmail_msg"><br class="gmail_msg"></div><div class="gmail_msg">Emil</div><div class="gmail_msg"><br class="gmail_msg"></div>_______________________________________________<br class="gmail_msg">
dns-operations mailing list<br class="gmail_msg">
<a href="mailto:dns-operations@lists.dns-oarc.net" class="gmail_msg" target="_blank">dns-operations@lists.dns-oarc.net</a><br class="gmail_msg">
<a href="https://lists.dns-oarc.net/mailman/listinfo/dns-operations" rel="noreferrer" class="gmail_msg" target="_blank">https://lists.dns-oarc.net/mailman/listinfo/dns-operations</a><br class="gmail_msg">
</blockquote></div>