Describe the feature requested
Add DNSSEC record validation to ZDNS. We currently have the --dnssec CLI flag to request DNSSEC RRSIG records. The ask here is to verify these signatures going up to the root of trust.
This feature should:
- Add a new `--validate-dnssec` CLI flag
- Make use of the `Resolver.cache` to avoid duplicating lookups
- Add integration tests to `integration_tests.py` for DNSSEC validation
This is a 3rd party library that performs the DNSSEC validation. It can serve as a good starting point, but needs to be tightly integrated with ZDNS so we can leverage the Cache and avoid duplicating lookups.
@zakird Do you think just returning if DNSSEC validation passed and if it failed the reason in the JSON output is sufficient?
I suppose on the other end of the spectrum is returning all DNSKEY records up to the root in addition to if validation passed so the caller has every relevant piece of info on the DNSSEC validation process but that seems like something IMO the caller wouldn't usually care about.
On Thu, Sep 12, 2024 at 2:07 PM Phillip Stephens wrote:
> @zakird <https://github.com/zakird> Do you think just returning if DNSSEC validation passed and if it failed the reason in the JSON output is sufficient?
> I suppose on the other end of the spectrum is returning all DNSKEY records up to the root in addition to if validation passed so the caller has every relevant piece of info on the DNSSEC validation process but that seems like something IMO the caller wouldn't usually care about.
Test Cases
`./zdns A dnssec-tools.org internetsociety.org --validate-dnssec`
Output
WIP - open to suggestions
Currently thinking we return the same information as `./zdns --dnssec` but 2 additional per module fields:
dnssec-validation-passed: true/false
dnssec-validation-failed-reason: "Signature of Cloudflare.com did not validate using the .com signing key"
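The chain-of-trust walk the request describes (a DS in the parent zone authenticates a DNSKEY in the child, repeated up to a root trust anchor), with a per-zone verdict cache standing in for Resolver.cache, as an added Go example: this is not ZDNS code and not from the issue or the linked library. It implements the key tag (RFC 4034 Appendix B) and SHA-256 DS digest (RFC 4034 section 5.1.4) computations and runs them over a constructed zone tree with made-up key material; `ZoneLookup`, `ValidateChain`, `SampleKey` and `SampleLookup` are assumed names, not ZDNS APIs, and zone names are assumed to be fully qualified with a trailing dot. It deliberately leaves out the RRSIG signature verification over each DNSKEY and DS RRset and does not model insecure (unsigned) delegations, so a missing or mismatched DS is simply reported as a failure in the shape of the two proposed output fields.

```go
package main
import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"strings"
)

// DNSKEY and DS carry the RDATA fields of those records (RFC 4034 sections 2 and 5).
type DNSKEY struct{ Flags uint16; Protocol, Algorithm uint8; PublicKey []byte }
type DS struct{ KeyTag uint16; Algorithm, DigestType uint8; Digest []byte }
type ChainResult struct{ Passed bool; Reason string }

// ZoneLookup (assumed name) returns a zone's DNSKEY set and the DS set its parent publishes for it.
type ZoneLookup func(zone string) (keys []DNSKEY, dsInParent []DS)

// rdata serialises the DNSKEY RDATA in wire format: flags, protocol, algorithm, public key.
func (k DNSKEY) rdata() []byte {
	return append([]byte{byte(k.Flags >> 8), byte(k.Flags), k.Protocol, k.Algorithm}, k.PublicKey...)
}

// KeyTag is the RFC 4034 Appendix B key tag (valid for every algorithm but obsolete RSA/MD5).
func KeyTag(k DNSKEY) uint16 {
	var ac uint32
	for i, b := range k.rdata() { // even offsets count shifted left by 8, odd offsets as-is
		ac += uint32(b) << (8 * uint(1-i&1))
	}
	return uint16((ac + ac>>16) & 0xFFFF) // fold the carry above 16 bits back in
}

// CanonicalName: lowercase, length-prefixed labels, zero terminator (RFC 4034 section 6.2).
func CanonicalName(name string) []byte {
	var out []byte
	if n := strings.ToLower(strings.TrimSuffix(name, ".")); n != "" {
		for _, label := range strings.Split(n, ".") {
			out = append(append(out, byte(len(label))), label...)
		}
	}
	return append(out, 0)
}

// ComputeDS builds the SHA-256 (digest type 2) DS of a DNSKEY: SHA-256(canonical owner name | RDATA).
func ComputeDS(owner string, k DNSKEY) DS {
	h := sha256.New()
	h.Write(CanonicalName(owner))
	h.Write(k.rdata())
	return DS{KeyTag: KeyTag(k), Algorithm: k.Algorithm, DigestType: 2, Digest: h.Sum(nil)}
}

// DSMatches reports whether a DS published by the parent authenticates this DNSKEY.
func DSMatches(ds DS, owner string, k DNSKEY) bool {
	return ds.DigestType == 2 && ds.Algorithm == k.Algorithm && ds.KeyTag == KeyTag(k) && bytes.Equal(ds.Digest, ComputeDS(owner, k).Digest)
}

// ValidateChain (assumed name) walks the chain of trust upward: a DNSKEY of zone must match a DS from its
// parent (for the root, a trust anchor) and the parent must validate in turn. cache stands in for Resolver.cache.
func ValidateChain(zone string, lookup ZoneLookup, anchors []DS, cache map[string]ChainResult) ChainResult {
	if r, ok := cache[zone]; ok {
		return r
	}
	keys, ds := lookup(zone)
	res := ChainResult{Reason: fmt.Sprintf("no DNSKEY of %s matches a DS record published by its parent", zone)}
	if zone == "." { // the root has no parent: its DS set is the configured trust anchors
		ds, res.Reason = anchors, "no root DNSKEY matches a configured trust anchor"
	}
	for _, d := range ds {
		for _, k := range keys {
			if DSMatches(d, zone, k) {
				res = ChainResult{Passed: true}
			}
		}
	}
	if res.Passed && zone != "." {
		parent := zone[strings.Index(zone, ".")+1:] // names end in a dot, so "" means the root
		if parent == "" {
			parent = "."
		}
		if up := ValidateChain(parent, lookup, anchors, cache); !up.Passed {
			res = up // a broken link higher up fails every zone beneath it
		}
	}
	cache[zone] = res
	return res
}

// SampleKey builds a constructed, made-up DNSKEY for a zone (not real key material).
func SampleKey(zone string) DNSKEY { return DNSKEY{Flags: 257, Protocol: 3, Algorithm: 8, PublicKey: []byte(zone + "-sample-ksk")} }

// SampleLookup (assumed helper) fakes resolver answers and counts queries; zones in tampered get a corrupted DS.
func SampleLookup(queries *int, tampered map[string]bool) ZoneLookup {
	return func(zone string) ([]DNSKEY, []DS) {
		*queries++
		ds := ComputeDS(zone, SampleKey(zone))
		if tampered[zone] {
			ds.Digest[0] ^= 0xFF
		}
		return []DNSKEY{SampleKey(zone)}, []DS{ds}
	}
}
```

Validating example.com. costs three simulated resolver queries (example.com., com., .); a sibling such as other.com. under the same cache then costs one, which is the saving the Resolver.cache requirement is after. A corrupted DS for com. makes every name beneath com. fail, and the propagated reason names com. rather than the leaf, which is the kind of text the proposed dnssec-validation-failed-reason field would carry.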