godnssecvalid

Published: Oct 4, 2017 License: GPL-3.0 Imports: 6 Imported by: 0

README

godnssecvalid

Godnssecvalid is a Go implementation to verify an arbitrary DNSSEC chain.


Documentation
Status

This is a first working version.

Installation
go get github.com/ulrichwisser/godane

Documentation

Overview

Package godnssecvalid implements collection and verification of a DNSSEC chain


The GetChain function will traverse the DNS tree beginning at the root servers. It will build a chain of DNSKEY, DS and RRSIG records until the desired information is collected.

ValidateChain will take a chain of DNS resource records and verify all signatures beginning with the trust anchor.

Example usage

See example/godane for an example command line TLSA verifier.

In short, do something like this (GetDefaultResolvers returns a slice and an error, so its result has to be bound to a variable before it is passed to GetChain):

    resolvers, _ := godnssecvalid.GetDefaultResolvers()
    tlsa, _ := dns.TLSAName(dns.Fqdn("example.com"), "443", "tcp")
    chain, _ := godnssecvalid.GetChain(resolvers, tlsa, dns.TypeTLSA)
    anchors, _ := godnssecvalid.GetDefaultTrustAnchors()
    valid := godnssecvalid.ValidateChain(chain, anchors)

Of course, you should do proper error checking!

Index

Constants

This section is empty.

Variables

var Verbose = false

Verbose set to true will generate debug output on stdout

Functions

func GetAnswer

func GetAnswer(servers []string, trustanchors []dns.RR, fqdn string, qtype uint16) ([]dns.RR, error)

GetAnswer returns a list of resource records of the desired type and for the desired label.

func GetChain

func GetChain(servers []string, fqdn string, qtype uint16) ([]dns.RR, error)

GetChain uses the specified resolvers and builds a list of DNSKEY, DS and RRSIG records leading to the requested record. The fqdn is split into labels, and for every name from the root down to the fqdn the DNSKEY records with their RRSIG and the DS records with their RRSIG are requested from one of the resolvers. Any failure at these names is silently ignored: the library cannot know where a zone cut is, so it tries every label and simply moves on when no records are found. For the last label the qtype records and their RRSIG are requested, and any failure there is reported back.

Note that collection does no verification. Whatever the resolvers return is appended to the chain as received; only ValidateChain checks the signatures, so a chain from an untrusted resolver must never be used before it has been validated.

servers - a list of resolvers to use
fqdn - fully qualified domain name
qtype - type of DNS record to retrieve
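The label walk described above, as an added example written for this page and not the library's own code. Instead of real DNS queries it uses a constructed lookup function over a small fake zone table (all names, key tags and digests in it are made up), so it runs offline; the point it shows is that DNSKEY/DS lookups are attempted at every name and silently skipped where there is no zone cut (here "_tcp.example.com."), while a missing record of the requested type at the final name is an error. Nothing in the collected chain is verified.

```go
package main

import (
	"fmt"
	"strings"
)

// lookupFunc stands in for one DNS query: the RRset of type qtype owned by
// name, together with its RRSIG, or ok=false when the resolver has nothing.
// In the real library this would be a query to one of the configured resolvers.
type lookupFunc func(name, qtype string) (rrs []string, ok bool)

// Constructed, simplified records for a signed path from the root down to a
// TLSA record. Keys are "owner/type"; each value stands for the RRset plus
// its RRSIG. "_tcp.example.com." deliberately has neither DNSKEY nor DS:
// it is a plain name inside example.com, not a zone cut.
var fakeZone = map[string][]string{
	"./DNSKEY":                    {". DNSKEY 257 3 13 rootKSK", ". RRSIG DNSKEY 13 0 ..."},
	"com./DS":                     {"com. DS 12345 13 2 digest", "com. RRSIG DS 13 1 ..."},
	"com./DNSKEY":                 {"com. DNSKEY 257 3 13 comKSK", "com. RRSIG DNSKEY 13 1 ..."},
	"example.com./DS":             {"example.com. DS 23456 13 2 digest", "example.com. RRSIG DS 13 2 ..."},
	"example.com./DNSKEY":         {"example.com. DNSKEY 257 3 13 exampleKSK", "example.com. RRSIG DNSKEY 13 2 ..."},
	"_443._tcp.example.com./TLSA": {"_443._tcp.example.com. TLSA 3 1 1 certhash", "_443._tcp.example.com. RRSIG TLSA 13 5 ..."},
}

// fakeLookup answers from fakeZone; owner names are matched case-insensitively.
func fakeLookup(name, qtype string) ([]string, bool) {
	rrs, ok := fakeZone[strings.ToLower(name)+"/"+qtype]
	return rrs, ok
}

// namesFromRoot returns every name on the path from the root to fqdn, e.g.
// "www.example.com." -> [".", "com.", "example.com.", "www.example.com."].
func namesFromRoot(fqdn string) []string {
	fqdn = strings.ToLower(strings.TrimSuffix(fqdn, "."))
	names := []string{"."}
	if fqdn == "" {
		return names
	}
	labels := strings.Split(fqdn, ".")
	for i := len(labels) - 1; i >= 0; i-- {
		names = append(names, strings.Join(labels[i:], ".")+".")
	}
	return names
}

// collectChain follows the documented GetChain strategy: at every name from
// the root down it asks for DS and DNSKEY (each with RRSIG) and ignores
// failures, because it cannot know in advance which names are zone cuts;
// at the final name it asks for qtype and reports a failure there.
// Nothing is verified here: the result is input for a later signature check.
func collectChain(lookup lookupFunc, fqdn, qtype string) ([]string, error) {
	names := namesFromRoot(fqdn)
	var chain []string
	for i, name := range names {
		// DS (signed by the parent) before DNSKEY (signed by the zone itself).
		for _, t := range []string{"DS", "DNSKEY"} {
			if rrs, ok := lookup(name, t); ok {
				chain = append(chain, rrs...)
			} // else: no zone cut here, or an unsigned zone; keep walking
		}
		if i == len(names)-1 {
			rrs, ok := lookup(name, qtype)
			if !ok {
				return nil, fmt.Errorf("no %s records found for %s", qtype, name)
			}
			chain = append(chain, rrs...)
		}
	}
	return chain, nil
}

func main() {
	chain, err := collectChain(fakeLookup, "_443._tcp.example.com.", "TLSA")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, rr := range chain {
		fmt.Println(rr)
	}
}
```

Swapping fakeLookup for a function that sends real queries gives the same walk; the chain it produces is only as trustworthy as the signature check that follows it.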

func GetDefaultResolvers

func GetDefaultResolvers() ([]string, error)

GetDefaultResolvers will read the list of resolvers from /etc/resolv.conf

func GetDefaultTrustAnchors

func GetDefaultTrustAnchors() ([]dns.RR, error)

GetDefaultTrustAnchors returns a list of the trust anchors for the root zone.

func GetTrustAnchors

func GetTrustAnchors(f io.Reader) ([]dns.RR, error)

GetTrustAnchors reads a list of trust anchors and returns a list of DS records. All DS records in the file will be returned as well as all DNSKEY records converted to DS records. Any other records will be ignored.
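How a DNSKEY record becomes the DS record that GetTrustAnchors returns for it, as an added example that is not the library's code: the DS digest is SHA-256 over the owner name in canonical wire format followed by the DNSKEY RDATA (RFC 4034 section 5.1.4, digest type 2 from RFC 4509), and the key tag is the checksum of RFC 4034 Appendix B. The same computation is what a validator does at every zone cut to decide whether a child's DNSKEY is the one the parent's DS (or a trust anchor) refers to. The 4-byte key used below is constructed and far too short for any real algorithm; only the encoding is the point.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// DNSKEY holds the RDATA fields of a DNSKEY record (RFC 4034 section 2.1).
type DNSKEY struct {
	Flags     uint16 // 257 = KSK (zone key + SEP bit), 256 = ZSK
	Protocol  uint8  // always 3
	Algorithm uint8  // e.g. 8 = RSASHA256, 13 = ECDSAP256SHA256
	PublicKey []byte // raw key bytes (base64-decoded presentation form)
}

// rdata returns the DNSKEY RDATA in wire format: flags, protocol, algorithm, key.
func (k DNSKEY) rdata() []byte {
	b := make([]byte, 4, 4+len(k.PublicKey))
	binary.BigEndian.PutUint16(b, k.Flags)
	b[2] = k.Protocol
	b[3] = k.Algorithm
	return append(b, k.PublicKey...)
}

// canonicalName encodes an owner name in canonical wire format (RFC 4034
// section 6.2): lowercase, uncompressed, length-prefixed labels, root = 0x00.
func canonicalName(name string) []byte {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	var out []byte
	if name != "" {
		for _, label := range strings.Split(name, ".") {
			out = append(out, byte(len(label)))
			out = append(out, label...)
		}
	}
	return append(out, 0)
}

// KeyTag computes the key tag of RFC 4034 Appendix B (valid for every
// algorithm except the obsolete RSA/MD5, algorithm 1).
func (k DNSKEY) KeyTag() uint16 {
	var ac uint32
	for i, b := range k.rdata() {
		if i%2 == 0 {
			ac += uint32(b) << 8
		} else {
			ac += uint32(b)
		}
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac & 0xFFFF)
}

// DS mirrors the RDATA fields of a DS record (RFC 4034 section 5.1).
type DS struct {
	KeyTag     uint16
	Algorithm  uint8
	DigestType uint8  // 2 = SHA-256 (RFC 4509)
	Digest     string // uppercase hex
}

// ToDS derives the SHA-256 DS for k at owner, exactly as a parent zone would
// publish it: digest = SHA-256(canonical owner name || DNSKEY RDATA).
func (k DNSKEY) ToDS(owner string) DS {
	msg := append(canonicalName(owner), k.rdata()...)
	sum := sha256.Sum256(msg)
	return DS{k.KeyTag(), k.Algorithm, 2, strings.ToUpper(hex.EncodeToString(sum[:]))}
}

// Matches reports whether a DS published by the parent (or a trust anchor)
// refers to this key: key tag, algorithm, digest type and digest must all agree.
func (d DS) Matches(owner string, k DNSKEY) bool {
	got := k.ToDS(owner)
	return got.KeyTag == d.KeyTag && got.Algorithm == d.Algorithm &&
		got.DigestType == d.DigestType && strings.EqualFold(got.Digest, d.Digest)
}

func main() {
	// Constructed 4-byte "key"; a real ECDSA P-256 key is 64 bytes.
	ksk := DNSKEY{Flags: 257, Protocol: 3, Algorithm: 13, PublicKey: []byte{1, 2, 3, 4}}
	ds := ksk.ToDS("Example.COM.")
	fmt.Printf("example.com. IN DS %d %d %d %s\n", ds.KeyTag, ds.Algorithm, ds.DigestType, ds.Digest)
	fmt.Println("matches:", ds.Matches("example.com.", ksk))
}
```

Two details matter in practice: the owner name is lowercased before hashing, so a DS computed from "Example.COM." and one from "example.com." are identical, and a key tag is only a 16-bit hint that can collide, so Matches compares the digest as well rather than stopping at the tag.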

func ValidateChain

func ValidateChain(chain []dns.RR, trustanchor []dns.RR) bool

ValidateChain takes a chain of DNS resource records and validates all signatures beginning with the trust anchors. It returns only true or false, so a caller that needs to know why a chain failed has to inspect the chain itself (or enable Verbose).

Types

This section is empty.

Directories

Path Synopsis
examples
