validating rrsigs using dnssec error

Donika Mirdita

Feb 26, 2021, 11:51:02 AM
to dnspython-users
I am having a problem running rrsig validations. Can someone point out what I am doing wrong with the code here?

import dns.dnssec
import dns.message
import dns.name
import dns.query
import dns.rdatatype

domain = "iana.org"
server = "8.8.8.8"
qname = dns.name.from_text(domain)

# Get the DNSKEY RRset and its RRSIG
DNSKEY_query = dns.message.make_query(qname, dns.rdatatype.DNSKEY, want_dnssec=True)
(DNSKEY_response, _) = dns.query.udp_with_fallback(DNSKEY_query, server)
dnskey_set, dnskey_sig = DNSKEY_response.answer

# Get the RRset and RRSIG to verify
query = dns.message.make_query(qname, dns.rdatatype.NS, want_dnssec=True)
(response, _) = dns.query.udp_with_fallback(query, server)
rrset, rrsig = response.answer
dns.dnssec.validate(rrset, rrsig, {dns.name.empty: dnskey_set}, None)

The error message being:

  File "dnssec_validator.py", line 30, in rrset_validator
    dns.dnssec.validate(rrset, rrsig, {dns.name.empty:dnskey_set}, None)
  File "/home/mirdita/PycharmProjects/RPKIDNSSEC/venv/lib/python3.6/site-packages/dns/dnssec.py", line 494, in _validate
    raise ValidationFailure("no RRSIGs validated")
dns.dnssec.ValidationFailure: no RRSIGs validated



Bob Halley

Mar 3, 2021, 9:27:29 AM
to dnspython-users
You need to use dnskey_set.name, not dns.name.empty, in the keys dictionary in order for the code to find the right key.