On 04/08/2011 11:42 AM, Bob Halley wrote:
On 7 Apr 2011, at 19:56, Brian Smith wrote:
Hello,
I'm trying to sign a zone, however I would like to have other users' input
here, am I doing this correctly? Is there a shortcut in dnspython that I am not
seeing?
dnspython does not have any code for signing zones currently, though recent
versions of dnspython do have basic code for validating signatures.
If you want to make signatures, taking a look at dns.dnssec._validate_rrsig()
is a good place to start. In particular, it shows how to correctly compute the
digest. The code you included for generating digests was not correct.
Maintaining a secure zone is complicated and tedious, which is why dnspython
doesn't yet do it :) Signing the rdata is just the start of the fun. You also
need to deal with NSEC and/or NSEC3, and a good solution would also deal with
signature regeneration and key rollover.
/Bob
Yes, maintaining the zone and dealing with rollover and signature regen
is complicated, but that is a feature of a service, not of a framework
or library. I would think that dnspython should at least be able to
support signing its own data types, RRSet and Zone, out of the box, at
least it seems like it to me.
As for generating the digest, I tried to rip that right out of the
RFC, however I wasn't 100% sure of it when I was working with it myself.
-brian
_______________________________________________
dnspython-users mailing list
[email protected]
http://howl.play-bow.org/mailman/listinfo.cgi/dnspython-users
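Bob's point is that the data an RRSIG signer hashes is not just the RDATA but RRSIG_RDATA (minus the Signature field) followed by the whole RRset in canonical form (RFC 4034 section 3.1.8.1, sections 6.2 and 6.3). The following is an added example written for this thread, not dnspython code and not the code Brian posted; function names such as signed_data() and the two-record A RRset, the fake DNSKEY RDATA and the inception/expiration timestamps are all constructed for illustration. It builds the signed data and the digest for RSA/SHA-256 (algorithm 8) with the standard library only; the final RSA PKCS#1 v1.5 operation needs an RSA implementation and is left out, as is NSEC/NSEC3 generation.

```python
"""Build the RRSIG "signed data" for one RRset as RFC 4034 s3.1.8.1 describes
it, then hash it. Added example for the thread above; not dnspython code."""
import hashlib
import struct

TYPE_A, TYPE_RRSIG, TYPE_DNSKEY = 1, 46, 48
CLASS_IN = 1
ALG_RSASHA1, ALG_RSASHA256, ALG_RSASHA512 = 5, 8, 10
DIGEST_FOR_ALG = {ALG_RSASHA1: "sha1", ALG_RSASHA256: "sha256", ALG_RSASHA512: "sha512"}


def name_to_wire(name):
    """Canonical wire form of an owner or signer name (RFC 4034 s6.2):
    fully qualified, lowercased, uncompressed, root label last."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def label_count(owner):
    """RRSIG Labels field (RFC 4034 s3.1.3): root label and a leading '*' do not count."""
    labels = [l for l in owner.rstrip(".").split(".") if l]
    if labels and labels[0] == "*":
        labels = labels[1:]
    return len(labels)


def key_tag(dnskey_rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B.1; not the RSA/MD5 special case)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rrsig_rdata_without_signature(type_covered, algorithm, labels, original_ttl,
                                  expiration, inception, tag, signer_name):
    """RRSIG RDATA with the Signature field left off (step 1 of s3.1.8.1)."""
    return (struct.pack("!HBBIIIH", type_covered, algorithm, labels, original_ttl,
                        expiration, inception, tag) + name_to_wire(signer_name))


def signed_data(rrsig_rdata, owner, rtype, rclass, original_ttl, rdatas):
    """RRSIG_RDATA | RR(1) | RR(2) ... with every RR in canonical form:
    lowercased owner, original TTL (not the TTL from a cache), RRs sorted by
    RDATA as unsigned octet strings (s6.3), duplicates dropped. rdatas must
    already be canonical (names inside them lowercased for the types s6.2 lists)."""
    owner_wire = name_to_wire(owner)
    buf = bytearray(rrsig_rdata)
    for rd in sorted(set(rdatas)):
        buf += owner_wire
        buf += struct.pack("!HHIH", rtype, rclass, original_ttl, len(rd))
        buf += rd
    return bytes(buf)


def rrsig_digest(data, algorithm):
    """Hash the signed data with the algorithm's digest. For the RSA algorithms
    this digest is then wrapped in a PKCS#1 v1.5 DigestInfo and RSA-signed;
    that step needs an RSA library and is not shown here."""
    return hashlib.new(DIGEST_FOR_ALG[algorithm], data).digest()


def a_rdata(dotted):
    return bytes(int(o) for o in dotted.split("."))


# Constructed sample input: a two-record A RRset, deliberately mixed-case and
# out of order, plus a fake DNSKEY RDATA (flags 257, protocol 3, algorithm 8).
SAMPLE_OWNER = "Example.COM."
SAMPLE_TTL = 3600
SAMPLE_RDATAS = [a_rdata("192.0.2.2"), a_rdata("192.0.2.1")]
SAMPLE_DNSKEY = bytes([0x01, 0x01, 0x03, 0x08]) + b"\x03\x01\x00\x01" + bytes(range(1, 9))
SAMPLE_INCEPTION = 1302220800            # constructed timestamp (seconds since epoch)
SAMPLE_EXPIRATION = SAMPLE_INCEPTION + 30 * 86400


def example_signed_data():
    """Signed data for the sample RRset, signed by a key named example.com."""
    prefix = rrsig_rdata_without_signature(
        TYPE_A, ALG_RSASHA256, label_count(SAMPLE_OWNER), SAMPLE_TTL,
        SAMPLE_EXPIRATION, SAMPLE_INCEPTION, key_tag(SAMPLE_DNSKEY), "example.com.")
    return signed_data(prefix, SAMPLE_OWNER, TYPE_A, CLASS_IN, SAMPLE_TTL, SAMPLE_RDATAS)


if __name__ == "__main__":
    sd = example_signed_data()
    print("signed data:", sd.hex())
    print("sha256     :", rrsig_digest(sd, ALG_RSASHA256).hex())
```

Two things this makes visible that a "hash the RDATA" approach misses: the owner name is lowercased and the records are reordered before hashing, so a signer and a validator that disagree on either will never produce matching digests, and the TTL that goes into the buffer is the Original TTL carried in the RRSIG, not whatever TTL the RRset happens to have when it is validated.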