A Golang DNSSEC validating resolver library implemented on top of miekg/dns.
This package implements DNS lookup functions that perform DNSSEC validation.
When querying DNSSEC enabled zones, it performs a full verification of the resource records (RRs) included in the response and validates the chain of trust:
- Requests the desired RRset (along with the corresponding
RRSIG
record) - Requests the
DNSKEY
records containing the public ZSK and public KSK (along with theRRSIG
for theDNSKEY
RRset) - Performs the cryptographic verification of the
RRSIG
of the requested RRset with the public ZSK - Performs the cryptographic verification of the
RRSIG
of theDNSKEY
RRset with the public KSK - Checks the validity period of the
RRSIG
records
Following these cryptographic verifications, the package then validates the authentication chain by walking up the delegation chain, checking the public DNSKEY
RRs against the DS
records in each parent zone, up to the TLD zone. (For a more in-depth description of how DNSSEC works, see this guide.)
In case of any validation errors, the method returns a non-nil err
value, and an empty result set.
goresolver
does not yet implement denial of existence validation using NSEC
or NSEC3
records.
import "github.com/peterzen/goresolver"
result, err := resolver.StrictNSQuery("example.com.", dns.TypeMX)
if err != nil {
// handle validation errors
}
goresolver.LookupIP
can be used as drop-in replacement to net.LookupIP:
import "github.com/peterzen/goresolver"
ips, err := goresolver.LookupIP("www.example.com")
if err != nil {
// handle validation errors
}
$ go get -u github.com/peterzen/goresolver
PRs for additional test cases covering less common DNSSEC setups are welcome and much appreciated.
- DNS Security Introduction and Requirements RFC4033