-
Notifications
You must be signed in to change notification settings - Fork 125
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add DNSSEC Validation #441
Comments
This is a 3rd party library that performs the DNSSEC validation. It can serve as a good starting point, but needs to be tightly integrated with ZDNS so we can leverage the Cache and avoid duplicating lookups. |
@zakird Do you think just returning if DNSSEC validation passed and if it failed the reason in the JSON output is sufficient? I suppose on the other end of the spectrum is returning all DNSKEY records up to the root in addition to if validation passed so the caller has every relevant piece of info on the DNSSEC validation process but that seems like something IMO the caller wouldn't usually care about. |
I would make these different verbosity levels since we have that option.
…On Thu, Sep 12, 2024 at 2:07 PM Phillip Stephens ***@***.***> wrote:
@zakird <https://github.com/zakird> Do you think just returning if DNSSEC
validation passed and if it failed the reason in the JSON output is
sufficient?
I suppose on the other end of the spectrum is returning all DNSKEY records
up to the root in addition to if validation passed so the caller has every
relevant piece of info on the DNSSEC validation process but that seems like
something IMO the caller wouldn't usually care about.
—
Reply to this email directly, view it on GitHub
<#441 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AABREUH6TBVKB6QCHN27GELZWHJ5FAVCNFSM6AAAAABODZI66GVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGNBWHEZTEOJWHE>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Describe the feature requested
Add DNSSEC record validation to ZDNS. We currently have the
--dnssec
CLI flag to request DNSSECRRSIG
records. The ask here is to verify these signatures going up to the root of trust.This feature should:
--validate-dnssec
CLI flagResolver.cache
to avoid duplicating lookupsintegration_tests.py
for DNSSEC validationTest Cases
./zdns A dnssec-tools.org internetsociety.org --validate-dnssec
Output
WIP - open to suggestions
Currently thinking we return the same information as
./zdns --dnssec
but 2 additional per module fieldsdnssec-validation-passed: true/false
dnssec-validation-failed-reason: "Signature of Cloudflare.com did not validate using the .com signing key"
The text was updated successfully, but these errors were encountered: