如标题所述,我想以编程的方式检查域名的DNS响应是否受到DNSSEC的保护。
我该怎么做?
如果有Python解决方案将会很好。
更新: 将请求更改为响应,对于造成的困扰,请谅解。
使用DNS解析器(例如dnspython
),您可以查询域名的DNSKEY RRset并打开DO
(dnssec OK)查询标志。如果查询成功,则答案将设置AD
(已验证的数据)标志,并包含区域(如果已签名)的RRSIG签名。
更新:使用dnspython
的基本示例:
import dns.name
import dns.query
import dns.dnssec
import dns.message
import dns.resolver
import dns.rdatatype
# get nameservers for target domain
response = dns.resolver.query('example.com.',dns.rdatatype.NS)
# we'll use the first nameserver in this example
nsname = response.rrset[0].to_text() # name
response = dns.resolver.query(nsname,dns.rdatatype.A)
nsaddr = response.rrset[0].to_text() # IPv4
# get DNSKEY for zone
request = dns.message.make_query('example.com.',
dns.rdatatype.DNSKEY,
want_dnssec=True)
# send the query
response = dns.query.udp(request,nsaddr)
if response.rcode() != 0:
# HANDLE QUERY FAILED (SERVER ERROR OR NO DNSKEY RECORD)
# answer should contain two RRSET: DNSKEY and RRSIG(DNSKEY)
answer = response.answer
if len(answer) != 2:
# SOMETHING WENT WRONG
# the DNSKEY should be self signed, validate it
name = dns.name.from_text('example.com.')
try:
dns.dnssec.validate(answer[0],answer[1],{name:answer[0]})
except dns.dnssec.ValidationFailure:
# BE SUSPICIOUS
else:
# WE'RE GOOD, THERE'S A VALID DNSSEC SELF-SIGNED KEY FOR example.com
response = dns.query.udp(request, ns)
处遇到了一个奇怪的错误TypeError: coercing to Unicode: need string or buffer, NS found
,但我相信它通常是有效的。然而,我已经解析了dig +dnssec domain
的输出。 - Thorben