Add DNSSEC Validation #441
Assignees
Labels
Comments
phillip-stephens
assigned phillip-stephens and developStorm and unassigned phillip-stephens
|
This is a 3rd party library that performs the DNSSEC validation. It can serve as a good starting point, but needs to be tightly integrated with ZDNS so we can leverage the Cache and avoid duplicating lookups. |
|
@zakird Do you think just returning if DNSSEC validation passed and if it failed the reason in the JSON output is sufficient? I suppose on the other end of the spectrum is returning all DNSKEY records up to the root in addition to if validation passed so the caller has every relevant piece of info on the DNSSEC validation process but that seems like something IMO the caller wouldn't usually care about. |
|
I would make these different verbosity levels since we have that option.
…On Thu, Sep 12, 2024 at 2:07 PM Phillip Stephens ***@***.***> wrote:
@zakird <https://github.com/zakird> Do you think just returning if DNSSEC
validation passed and if it failed the reason in the JSON output is
sufficient?
I suppose on the other end of the spectrum is returning all DNSKEY records
up to the root in addition to if validation passed so the caller has every
relevant piece of info on the DNSSEC validation process but that seems like
something IMO the caller wouldn't usually care about.
—
Reply to this email directly, view it on GitHub
<#441 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AABREUH6TBVKB6QCHN27GELZWHJ5FAVCNFSM6AAAAABODZI66GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGNBWHEZTEOJWHE>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the feature requested
Add DNSSEC record validation to ZDNS. We currently have the
--dnssecCLI flag to request DNSSECRRSIGrecords. The ask here is to verify these signatures going up to the root of trust.This feature should:
--validate-dnssecCLI flagResolver.cacheto avoid duplicating lookupsintegration_tests.pyfor DNSSEC validationTest Cases
./zdns A dnssec-tools.org internetsociety.org --validate-dnssecOutput
WIP - open to suggestions
Currently thinking we return the same information as
./zdns --dnssecbut 2 additional per module fieldsdnssec-validation-passed: true/falsednssec-validation-failed-reason: "Signature of Cloudflare.com did not validate using the .com signing key"The text was updated successfully, but these errors were encountered: