On Mon, Apr 1, 2024 at 10:37 AM Rithvik Vibhu <rithvikvi...@gmail.com> wrote:
> Hi,
>
> I'm looking for a good way to validate DNSSEC for a chain of records,
> offline. I mean: given a list of records (including all RRSIGs, NSECs,
> etc.), verify that all the signatures match and the whole trust chain leads
> to a trust anchor.
>
> I've seen a few libraries, but at least in golang, most packages either
> don't validate DNSSEC on their own (ex: stub resolvers) or the DNSSEC
> validation is tightly integrated with the recursor code that handles
> querying for any required records.
>
> Does anyone know of an existing library that only does DNSSEC validation
> without resolution? Preferably in go, but any other language will do at
> least as reference.
>

I'm not aware of anything in Go, but getdns (in C) has the function
getdns_validate_dnssec() which can do this:

https://getdnsapi.net/documentation/spec/#7-more-helper-functions

(Code in https://github.com/getdnsapi/getdns/blob/develop/src/dnssec.c )

Shumon.
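One link of the offline trust chain discussed in this thread, as an added example that is not part of the original messages and not getdns code: checking that a DS record (from the parent zone or a trust anchor) commits to a given DNSKEY, using only the Go standard library. The names `DS`, `KeyTag`, `DSDigest` and `MatchesDS` are hypothetical, the sample key bytes are constructed, only digest type 2 (SHA-256) is handled, escaped dots in owner names are not handled, and RRSIG verification is out of scope.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"strings"
)

// DS carries the RDATA fields of a DS record (RFC 4034 section 5).
type DS struct {
	KeyTag                uint16
	Algorithm, DigestType uint8
	Digest                []byte
}

// KeyTag is the RFC 4034 Appendix B checksum over raw DNSKEY RDATA.
func KeyTag(rdata []byte) uint16 {
	var ac uint32
	for i, c := range rdata {
		ac += uint32(c) << (8 * uint(1-i&1)) // even offsets are the high byte
	}
	return uint16(ac + ac>>16)
}

// DSDigest: RFC 4509 type 2, SHA-256(lowercased owner wire name | DNSKEY RDATA).
func DSDigest(owner string, rdata []byte) []byte {
	var buf []byte
	for _, l := range strings.Split(strings.ToLower(owner), ".") {
		if l != "" {
			buf = append(append(buf, byte(len(l))), l...)
		}
	}
	sum := sha256.Sum256(append(append(buf, 0), rdata...))
	return sum[:]
}

// MatchesDS requires Zone Key flag, protocol 3, same algorithm, key tag and digest.
func MatchesDS(owner string, rdata []byte, ds DS) bool {
	if len(rdata) < 4 || rdata[0]&1 == 0 || rdata[2] != 3 || ds.DigestType != 2 {
		return false
	}
	return ds.Algorithm == rdata[3] && ds.KeyTag == KeyTag(rdata) &&
		bytes.Equal(ds.Digest, DSDigest(owner, rdata))
}

func main() {
	key := []byte{1, 1, 3, 13, 1, 2, 3, 4} // constructed RDATA: flags 257, protocol 3, algorithm 13
	ds := DS{KeyTag(key), 13, 2, DSDigest("example.com.", key)}
	fmt.Println(KeyTag(key), MatchesDS("Example.COM.", key, ds)) // 2068 true
}
```

A full offline validator repeats this check at every zone cut and verifies each RRSIG over its canonical RRset with the matched key, which is the part getdns_validate_dnssec() covers.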
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations