From: Adam F. <ada...@gm...> - 2011-10-31 21:10:01
Thanks very much, Brian -- this is super useful. I've been trying to avoid breaking out the RFCs, but it sounds like I've just been in denial. I'll take the plunge and learn the basics before circling back and using the building blocks you've graciously provided in dnsjava.

All the Best,

-Adam

On Mon, Oct 31, 2011 at 11:12 AM, Brian Wellington <bwe...@xb...> wrote:
>
> On Oct 30, 2011, at 3:11 PM, Adam Fisk wrote:
>
>> Can anyone provide a quick example of verifying a DNSSEC response on the
>> client side. I can't seem to find good documentation on how to do this.
>
> There isn't really such a thing as "a DNSSEC response", so I'm not completely sure what you're looking for. DNSSEC signs DNS records, not DNS messages.
>
> A response from a signed zone will (typically) contain one or more RRSIG records, signing the data records, which comprise an RRset. If you have the public key (which won't be in the response),
> then you can call DNSSEC.verify(rrset, rrsig, pubkey). The data and signature RRsets can be obtained from Message.getSectionRRsets() on the response, and the matching signature can be found by comparing the results of getFootprint() on the public key (DNSKEY) and signature (RRSIG).
>
> I don't think it's possible to come up with a quick example of all of this, as it's not trivial.
>
> Brian

--
Adam Fisk
http://www.littleshoot.org | http://adamfisk.wordpress.com | http://twitter.com/adamfisk
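The steps Brian outlines (pull RRsets from the answer section, match RRSIG to DNSKEY by footprint, then call DNSSEC.verify), written out as an added example that is not code from this thread or from the dnsjava project. It assumes the dnsjava 3.x API, where getSectionRRsets() and sigs() return Lists (2.1.x returns arrays and Iterators), and that the caller supplies DNSKEYs it has already validated out of band, since the key must not be trusted just because it arrived in the response.

```java
import java.util.List;
import org.xbill.DNS.DNSKEYRecord;
import org.xbill.DNS.DNSSEC;
import org.xbill.DNS.Message;
import org.xbill.DNS.RRSIGRecord;
import org.xbill.DNS.RRset;
import org.xbill.DNS.Section;

/** Verifies signed RRsets in the ANSWER section against caller-supplied trusted DNSKEYs. */
public final class AnswerVerifier {

    /**
     * Returns true only if every RRset of the requested type in the answer
     * section carries at least one RRSIG that verifies under a trusted key.
     * trustedKeys are DNSKEY records validated elsewhere (trust anchor or a
     * verified chain); they are deliberately not read from this response.
     */
    public static boolean verifyAnswer(Message response, int type, List<DNSKEYRecord> trustedKeys) {
        boolean sawRRset = false;
        for (RRset rrset : response.getSectionRRsets(Section.ANSWER)) {
            if (rrset.getType() != type) continue;
            sawRRset = true;
            if (!verifyRRset(rrset, trustedKeys)) return false;
        }
        return sawRRset; // an empty or unsigned answer is not "verified"
    }

    /** One RRset: try each RRSIG against each key whose footprint and algorithm match. */
    static boolean verifyRRset(RRset rrset, List<DNSKEYRecord> trustedKeys) {
        for (RRSIGRecord sig : rrset.sigs()) {
            for (DNSKEYRecord key : trustedKeys) {
                // Brian's matching rule: compare key tags (footprints). Algorithm and
                // signer name must also agree before the signature is worth checking.
                if (sig.getFootprint() != key.getFootprint()
                        || sig.getAlgorithm() != key.getAlgorithm()
                        || !sig.getSigner().equals(key.getName())) {
                    continue;
                }
                try {
                    // Checks the signature bytes over the canonical RRset and
                    // rejects RRSIGs outside their inception/expiration window.
                    DNSSEC.verify(rrset, sig, key);
                    return true;
                } catch (DNSSEC.DNSSECException e) {
                    // Wrong key, altered data, or expired/not-yet-valid signature:
                    // keep trying the remaining (RRSIG, DNSKEY) pairs.
                }
            }
        }
        return false;
    }
}
```

A false result means the answer should be treated as bogus, not merely as unsigned; distinguishing the two (proving an insecure delegation) requires DS/NSEC processing that this sketch does not attempt.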