以编程方式检查域是否受 DNSSEC 保护 [英] Programmatically check if domains are DNSSEC protected
问题描述
正如标题所说,我想以编程方式检查域的 DNS 响应是否受 DNSSEC 保护.
我怎么能这样做?
As the title says I want to programmatically check if a DNS response for a domain are protected with DNSSEC.
How could I do this?
如果有 Pythonic 解决方案,那就太好了.
It would be great, if there is a pythonic solution for this.
更新:已将请求更改为回复,抱歉造成混乱
UPDATE: changed request to response, sorry for the confusion
推荐答案
使用 DNS 解析器(例如 dnspython),您可以查询域的 DNSKEY RRset 并打开 DO (dnssec OK) 查询标志.如果查询成功,答案将设置 AD(经过身份验证的数据)标志,并将包含区域的 RRSIG 签名(如果已签名).
Using a DNS resolver (e.g. dnspython), you can query the domain for its DNSKEY RRset and turn on the DO (dnssec OK) query flag. If the query succeeds, the answer will have the AD (authenticated data) flag set and will contain the RRSIG signatures for the zone (if it is signed).
更新:使用 dnspython
import dns.name
import dns.query
import dns.dnssec
import dns.message
import dns.resolver
import dns.rdatatype
# get nameservers for target domain
response = dns.resolver.query('example.com.',dns.rdatatype.NS)
# we'll use the first nameserver in this example
nsname = response.rrset[0].to_text() # name
response = dns.resolver.query(nsname,dns.rdatatype.A)
nsaddr = response.rrset[0].to_text() # IPv4
# get DNSKEY for zone
request = dns.message.make_query('example.com.',
dns.rdatatype.DNSKEY,
want_dnssec=True)
# send the query
response = dns.query.udp(request,nsaddr)
if response.rcode() != 0:
# HANDLE QUERY FAILED (SERVER ERROR OR NO DNSKEY RECORD)
# answer should contain two RRSET: DNSKEY and RRSIG(DNSKEY)
answer = response.answer
if len(answer) != 2:
# SOMETHING WENT WRONG
# the DNSKEY should be self signed, validate it
name = dns.name.from_text('example.com.')
try:
dns.dnssec.validate(answer[0],answer[1],{name:answer[0]})
except dns.dnssec.ValidationFailure:
# BE SUSPICIOUS
else:
# WE'RE GOOD, THERE'S A VALID DNSSEC SELF-SIGNED KEY FOR example.com
这篇关于以编程方式检查域是否受 DNSSEC 保护的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
