alexdalitz / dnsruby

Dnsruby is a feature-complete DNS(SEC) client for Ruby, as used by many of the world's largest DNS registries and the OpenDNSSEC project

DNSSEC example not working as expected #180

Closed nialexander closed 2 years ago

nialexander commented 2 years ago

Hey, I wanted to check out the DNSSEC validation of your helpful library. Unfortunately I am not able to get it to work.

I tried your example code and stripped it down to the bare minimum:

require 'dnsruby'
include Dnsruby

#
# DNSSEC stuff
#

# Load the ISC DLV key and query some signed zones
dlv_key = RR.create("dlv.isc.org. IN DNSKEY 257 3 5 BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh")
Dnssec.add_dlv_key(dlv_key)
res = Recursor.new
ret = res.query("frobbit.se", "NS")
print "Security level for signed zone from DLV : #{ret.security_level}\n"
frobbit_servers = ret.answer.rrset("frobbit.se", Types.NS)

# and query for a zone which is not signed
r = Resolver.new
ret = r.query("ed.ac.uk")
print "Security level of unsigned zone : #{ret.security_level}\n"

# point a plain Resolver at the nameservers returned above
res = Resolver.new
frobbit_servers.rrs.each {|s| print "Adding nameserver : #{s.nsdname}\n"; res.add_server(s.nsdname)}

This code results in the following output:

Security level for signed zone from DLV : BOGUS
Security level of unsigned zone : UNCHECKED
Adding nameserver : ns6.frobbit.se
Adding nameserver : ns1.frobbit.se
Adding nameserver : ns2.frobbit.se
Adding nameserver : ns4.frobbit.se
Adding nameserver : ns5.frobbit.se

I did expect the first zone (signed one) to be a valid signed zone. I also tried with different zones I know are correctly signed and they all are flagged as bogus.

For the second zone I did expect an insecure result, not an unchecked one.

Would be great to hear back from you with some further tips on this topic.

alexdalitz commented 2 years ago

Hi -

Thanks for your report!

DLV is very old stuff now - it was intended for the early roll-out of DNSSEC when parent domains might not have implemented the full DNSSEC chain. You shouldn’t really need it any more (although it should still work?).

Anyway - here is a script which should work for you:

require 'dnsruby'
include Dnsruby

res = Recursor.new
res.dnssec = true
ret = res.query("frobbit.se", "NS")
print "Security level for signed zone : #{ret.security_level}\n"
frobbit_servers = ret.answer.rrset("frobbit.se", Types.NS)

# and query for a zone which is not signed
r = Resolver.new
ret = r.query("ed.ac.uk")
print "Security level of unsigned zone : #{ret.security_level}\n"

res = Resolver.new
frobbit_servers.rrs.each {|s| print "Adding nameserver : #{s.nsdname}\n"; res.add_server(s.nsdname)}

The problem was just that dnssec is disabled by default in Dnsruby, so you need to switch it on.

Hope this helps, and thanks!

Alex.

On 25 Nov 2021, at 14:10, nialexander wrote:

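An added example, not code from the dnsruby project or from either comment above: it applies the fix from this thread (turn `dnssec` on, since it is off by default) and then treats `security_level` as a decision to act on rather than a string to print, so a BOGUS or UNCHECKED answer is never silently used. The helper names (`classify_security_level`, `nameservers_for`, `validated_nameservers`) are my own; the only dnsruby behaviour relied on is what the thread shows, namely that `security_level` stringifies to its name (SECURE, INSECURE, BOGUS, ...).

```ruby
# Added example (not dnsruby's own code). Only validated_nameservers needs the
# dnsruby gem and network access; the other two functions are plain Ruby.
class DnssecValidationError < StandardError; end

# Map a Dnsruby security level (the thread shows it stringifies to its name)
# to a policy decision: :trust, :unsigned or :reject.
def classify_security_level(level)
  case level.to_s
  when 'SECURE'   then :trust    # chain of trust verified up to the root
  when 'INSECURE' then :unsigned # provably unsigned zone: usable, not authenticated
  else :reject                   # BOGUS, INDETERMINATE, or UNCHECKED
  end
end

# Return the NS names from a response, refusing anything that failed (or
# skipped) validation. UNCHECKED is rejected on purpose: it is what you get
# when dnssec was left disabled, and using it defeats the point of validating.
def nameservers_for(msg, name, rrtype)
  decision = classify_security_level(msg.security_level)
  if decision == :reject
    raise DnssecValidationError,
          "#{name}: answer not validated (security level #{msg.security_level})"
  end
  warn "#{name}: zone is unsigned, NS data is not authenticated" if decision == :unsigned
  msg.answer.rrset(name, rrtype).rrs.map { |rr| rr.nsdname.to_s }
end

# Live lookup with validation switched on (the one-line fix from the thread).
# Requires the dnsruby gem and a network path to the authoritative servers.
def validated_nameservers(name)
  require 'dnsruby'
  res = Dnsruby::Recursor.new
  res.dnssec = true # off by default, which is why the report saw BOGUS/UNCHECKED
  msg = res.query(name, Dnsruby::Types.NS)
  nameservers_for(msg, name, Dnsruby::Types.NS)
end
```

Calling `validated_nameservers('frobbit.se')` performs the live query; `nameservers_for` can be exercised offline with any object that responds to `security_level` and `answer`.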

alexdalitz commented 2 years ago

I've also updated the demo/digdlv.rb file to stop this happening again. Thanks!