使用DNS解析器(例如
dnspython),您可以查询域的DNSKEY RRset并打开
DO(dnssec
OK)查询标志。如果查询成功,则答案将设置
AD(已认证数据)标志,并将包含区域的RRSIG签名(如果已签名)。
更新:使用的基本示例
dnspython
import dns.nameimport dns.queryimport dns.dnssecimport dns.messageimport dns.resolverimport dns.rdatatype# get nameservers for target domainresponse = dns.resolver.query('example.com.',dns.rdatatype.NS)# we'll use the first nameserver in this examplensname = response.rrset[0].to_text() # nameresponse = dns.resolver.query(nsname,dns.rdatatype.A)nsaddr = response.rrset[0].to_text() # IPv4# get DNSKEY for zonerequest = dns.message.make_query('example.com.',dns.rdatatype.DNSKEY,want_dnssec=True)# send the queryresponse = dns.query.udp(request,nsaddr)if response.rpre() != 0: # HANDLE QUERY FAILED (SERVER ERROR OR NO DNSKEY RECORD)# answer should contain two RRSET: DNSKEY and RRSIG(DNSKEY)answer = response.answerif len(answer) != 2: # SOMETHING WENT WRONG# the DNSKEY should be self signed, validate itname = dns.name.from_text('example.com.')try: dns.dnssec.validate(answer[0],answer[1],{name:answer[0]})except dns.dnssec.ValidationFailure: # BE SUSPICIOUSelse: # WE'RE GOOD, THERE'S A VALID DNSSEC SELF-SIGNED KEY FOR example.com
