以编程方式检查域是否受DNSSEC保护 [英] Programmatically check if domains are DNSSEC protected

问题描述

标题说我想以编程方式检查域名的DNS响应是否受到DNSSEC的保护。

我该怎么做？

如果有一个pythonic解决方案，这将是很棒的。

更新：
更改了请求以响应，抱歉的困惑

解决方案

使用DNS解析器（例如 dnspython ），可以查询域名DNSKEY RRset并打开 DO （dnssec OK）查询标志。如果查询成功，答案将会设置 AD （认证数据）标志，并将包含该区域的RRSIG签名（如果已签名）。

更新：使用 dnspython

  import dns.name 
 import dns.query 
 import dns.dnssec 
 import dns.message 
 import dns.resolver 
 import dns.rdatatype 
 
＃获取目标域的名称服务器
 response = dns.resolver.query（'example.com。'，dns.rdatatype.NS）
 
＃我们将使用此示例中的第一个名称服务器
 nsname = response.rrset [0]＃name 
 response = dns.resolver.query（nsname，dns.rdatatype.A）
 nsaddr = response.rrset [0] .to_text（）＃IPv4 
 
＃获取DNSKEY for zone 
 request = dns.message.make_query（'example.com。'，
 dns.rdatatype.DNSKEY ，
 want_dnssec = True）
 
＃发送查询
 response = dns.query.udp（request，n saddr）
如果response.rcode（）！= 0：
＃手柄查询失败（服务器错误或无DNSKEY记录）
 
＃答案应包含两个RRSET：DNSKEY和RRSIG （DNSKEY）
 answer = response.answer 
如果len（答案）！= 2：
＃SOMETHING WENT错误
 
＃DNSKEY应该是自签名，验证
 name = dns.name.from_text（'example.com。'）
 try：
 dns.dnssec.validate（answer [0]，answer [1]，{name：answer [0]}）
除了dns.dnssec.ValidationFailure：
＃BE SUSPICIOUS 
其他：
＃我们很好，这是一个有效的DNSSEC自签名键。 com 
  

As the title says I want to programmatically check if a DNS response for a domain are protected with DNSSEC.
How could I do this?

It would be great, if there is a pythonic solution for this.

UPDATE: changed request to response, sorry for the confusion

解决方案

Using a DNS resolver (e.g. dnspython), you can query the domain for its DNSKEY RRset and turn on the DO (dnssec OK) query flag. If the query succeeds, the answer will have the AD (authenticated data) flag set and will contain the RRSIG signatures for the zone (if it is signed).

Update: a basic example using dnspython

import dns.name
import dns.query
import dns.dnssec
import dns.message
import dns.resolver
import dns.rdatatype

# get nameservers for target domain
response = dns.resolver.query('example.com.',dns.rdatatype.NS)

# we'll use the first nameserver in this example
nsname = response.rrset[0] # name
response = dns.resolver.query(nsname,dns.rdatatype.A)
nsaddr = response.rrset[0].to_text() # IPv4

# get DNSKEY for zone
request = dns.message.make_query('example.com.',
                                 dns.rdatatype.DNSKEY,
                                 want_dnssec=True)

# send the query
response = dns.query.udp(request,nsaddr)
if response.rcode() != 0:
    # HANDLE QUERY FAILED (SERVER ERROR OR NO DNSKEY RECORD)

# answer should contain two RRSET: DNSKEY and RRSIG(DNSKEY)
answer = response.answer
if len(answer) != 2:
    # SOMETHING WENT WRONG

# the DNSKEY should be self signed, validate it
name = dns.name.from_text('example.com.')
try:
    dns.dnssec.validate(answer[0],answer[1],{name:answer[0]})
except dns.dnssec.ValidationFailure:
    # BE SUSPICIOUS
else:
    # WE'RE GOOD, THERE'S A VALID DNSSEC SELF-SIGNED KEY FOR example.com

这篇关于以编程方式检查域是否受DNSSEC保护的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！