Documentation

Overview

Package godnssecvalid implements collection and verification of a DNSSEC chain.
The GetChain function will traverse the DNS tree beginning at the root servers. It will build a chain of DNSKEY, DS and RRSIG records until the desired information is collected.
ValidateChain will take a chain of DNS resource records and verify all signatures beginning with the trust anchor.
Example usage

See example/godane for an example command-line TLSA verifier.

In short, do something like this:

    // dns is github.com/miekg/dns
    tlsa, _ := dns.TLSAName(dns.Fqdn("example.com"), "443", "tcp") // "_443._tcp.example.com."
    // GetDefaultResolvers returns two values, so it cannot be passed inline as GetChain's first argument.
    resolvers, _ := godnssecvalid.GetDefaultResolvers()
    // Collect DNSKEY/DS/RRSIG records from the root down to the TLSA record.
    chain, _ := godnssecvalid.GetChain(resolvers, tlsa, dns.TypeTLSA)
    // Verify every signature in the chain, starting from the root trust anchors.
    anchors, _ := godnssecvalid.GetDefaultTrustAnchors()
    valid := godnssecvalid.ValidateChain(chain, anchors)
Of course, you should do proper error checking!
Index
- Variables
- func GetAnswer(servers []string, trustanchors []dns.RR, fqdn string, qtype uint16) ([]dns.RR, error)
- func GetChain(servers []string, fqdn string, qtype uint16) ([]dns.RR, error)
- func GetDefaultResolvers() ([]string, error)
- func GetDefaultTrustAnchors() ([]dns.RR, error)
- func GetTrustAnchors(f io.Reader) ([]dns.RR, error)
- func ValidateChain(chain []dns.RR, trustanchor []dns.RR) bool
Constants
This section is empty.
Variables
var Verbose = false
Setting Verbose to true generates debug output on stdout.
Functions

func GetAnswer
func GetAnswer(servers []string, trustanchors []dns.RR, fqdn string, qtype uint16) ([]dns.RR, error)
GetAnswer returns a list of resource records of the desired type and for the desired label.
func GetChain

func GetChain(servers []string, fqdn string, qtype uint16) ([]dns.RR, error)

GetChain uses the specified resolvers and builds a list of DNSKEY, DS and RRSIG records leading to the requested record. The fqdn is separated into labels, and for each label the DNSKEY records with their RRSIG and the DS records with their RRSIG are requested from one of the resolvers. Any failure at this stage is silently ignored. For the last label, records of type qtype and their RRSIG are requested; any failure to obtain them is reported back. We cannot know where a zone cut is; therefore we try all labels but fail silently if no records can be found.

servers - a list of resolvers to use
fqdn - fully qualified domain name
qtype - type of DNS record to retrieve
func GetDefaultResolvers

func GetDefaultResolvers() ([]string, error)

GetDefaultResolvers reads the list of resolvers from /etc/resolv.conf.
func GetDefaultTrustAnchors

func GetDefaultTrustAnchors() ([]dns.RR, error)

GetDefaultTrustAnchors returns a list of the trust anchors for the root zone.
func GetTrustAnchors

func GetTrustAnchors(f io.Reader) ([]dns.RR, error)

GetTrustAnchors reads a list of trust anchors and returns a list of DS records. All DS records in the file are returned as they are, and all DNSKEY records are converted to DS records. Any other records are ignored.
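The two anchor-related steps described above, converting a DNSKEY into the DS a trust-anchor file would carry (GetTrustAnchors) and checking the root DNSKEY against those anchors before any RRSIG is verified (the start of ValidateChain), as an added stand-alone Go example; it is not code from godnssecvalid and does not use miekg/dns. The DNSKEY type and the ToDS and AnchoredBy names are assumptions for this illustration; the key tag, canonical owner-name encoding and SHA-256 digest follow RFC 4034 and RFC 4509.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"strings"
)

// DNSKEY holds the fields of a DNSKEY record needed to derive its DS (protocol is always 3).
type DNSKEY struct {
	Name      string // owner name, e.g. "." or "example.com."
	Flags     uint16
	Algorithm uint8
	PublicKey []byte // raw (base64-decoded) key material
}
// rdata serialises the DNSKEY RDATA: flags, protocol, algorithm, public key.
func (k DNSKEY) rdata() []byte {
	return append([]byte{byte(k.Flags >> 8), byte(k.Flags), 3, k.Algorithm}, k.PublicKey...)
}
// KeyTag implements the RFC 4034 Appendix B checksum over the RDATA.
func (k DNSKEY) KeyTag() uint16 {
	var ac uint32
	for i, b := range k.rdata() {
		ac += uint32(b) << (8 * uint(1-i%2)) // even offset: high byte, odd offset: low byte
	}
	return uint16(ac + (ac>>16)&0xFFFF)
}
// wireName converts an owner name into canonical (lower-case) wire format (RFC 4034, section 6.2).
func wireName(name string) []byte {
	var out []byte
	for _, label := range strings.FieldsFunc(strings.ToLower(name), func(r rune) bool { return r == '.' }) {
		out = append(append(out, byte(len(label))), label...)
	}
	return append(out, 0) // root label terminator
}
// ToDS returns the DS RDATA in presentation form ("keytag algorithm 2 digest", SHA-256 per RFC 4509).
func (k DNSKEY) ToDS() string {
	sum := sha256.Sum256(append(wireName(k.Name), k.rdata()...))
	return fmt.Sprintf("%d %d 2 %X", k.KeyTag(), k.Algorithm, sum[:])
}
// AnchoredBy reports whether k matches one of the DS trust anchors (presentation form).
func (k DNSKEY) AnchoredBy(anchors []string) bool {
	ds := k.ToDS()
	for _, a := range anchors {
		if strings.EqualFold(strings.Join(strings.Fields(a), " "), ds) {
			return true
		}
	}
	return false
}
```

A real chain would continue from the anchored root DNSKEY by verifying each RRSIG down to the requested record; a DNSKEY whose DS does not appear in the anchor set must be treated as unsigned, not as trusted.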
Types
This section is empty.