
I want to validate the DS record of a query response. When I get the response from the server, I use the library-provided function like this:

>>> ret = dns.dnssec.validate(response_k.authority[1],response_k.authority[2],{name:response_k.authority[1]})

Traceback (most recent call last):
  File "", line 1, in
  File "/usr/local/lib/python2.7/dist-packages/dns/dnssec.py", line 421, in _validate
    raise ValidationFailure("no RRSIGs validated")
dns.dnssec.ValidationFailure: no RRSIGs validated

where the request is like this:

request_k = dns.message.make_query('example.com',dns.rdatatype.A,want_dnssec=True)

response_k = dns.query.udp(request_k, '.')

>>> print response_k.authority
[<DNS com. IN NS RRset>, <DNS com. IN DS RRset>, <DNS com. IN RRSIG(DS) RRset>]

name=dns.name.from_text('.')

Any idea where it's going wrong?

avee137
  • Have you tried to validate the domain manually, like by using https://www.dnsviz.net/ ? – Patrick Mevzek Feb 16 '18 at 05:27
  • I would advise not to rely on position, as you may never know what is at position 1 or 2... Also see https://stackoverflow.com/a/26137120/6368697 – Patrick Mevzek Feb 16 '18 at 05:50
  • {name:response_k.authority[1]} was wrong in my case. This should be a dictionary of name and DNSKEY. – avee137 Feb 18 '18 at 01:21
  • This then seems to be a difficult and too low-level API to use. If you have time, I advise you to look at https://getdnsapi.net/; it normally makes things easier – Patrick Mevzek Feb 19 '18 at 02:28
