{"id":21464288,"url":"https://github.com/shuque/check_zone_dnssec","last_synced_at":"2025-06-15T13:34:33.376Z","repository":{"id":243322432,"uuid":"812109878","full_name":"shuque/check_zone_dnssec","owner":"shuque","description":"Check DNSSEC at all nameservers for a zone","archived":false,"fork":false,"pushed_at":"2024-06-29T22:42:26.000Z","size":52,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-23T14:53:38.891Z","etag":null,"topics":["dns","dnssec","test","zone"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/shuque.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-06-08T01:44:36.000Z","updated_at":"2024-06-29T22:42:12.000Z","dependencies_parsed_at":"2024-06-23T04:42:35.509Z","dependency_job_id":"0a7abb2c-3a3e-46f2-b3b4-ef258f63cac8","html_url":"https://github.com/shuque/check_zone_dnssec","commit_stats":null,"previous_names":["shuque/check_zone_dnssec"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuque%2Fcheck_zone_dnssec","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuque%2Fcheck_zone_dnssec/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuque%2Fcheck_zone_dnssec/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shuque%2Fcheck_zone_dnssec/manifests","owner_url":"https://repos.ecosyste.ms/api/v
1/hosts/GitHub/owners/shuque","download_url":"https://codeload.github.com/shuque/check_zone_dnssec/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243977447,"owners_count":20377881,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dns","dnssec","test","zone"],"created_at":"2024-11-23T07:31:11.858Z","updated_at":"2025-06-15T13:34:33.360Z","avatar_url":"https://github.com/shuque.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# check_zone_dnssec\nCheck DNSSEC at all nameservers for a zone\n\ncheck_zone_dnssec.py\nA command line tool to verify DNSSEC responses at each authoritative\nserver for a signed zone.\n\nQuery each nameserver address for a zone and determine whether\nDNSSEC signed responses for a given record and type within the\nzone are correct.\n\nThis program assumes the parent zone has a valid DS record installed.\nIt first queries and authenticates that DS record from the root down.\nOptionally, the program can be provided the actual DS record data it\nshould use instead of querying it from the DNS. This option is useful\nfor pre-delegation testing.\n\nIt then individually queries each nameserver for the zone. For each\nnameserver, it queries the DNSKEY RRset, verifies the self signature(s)\non that set, and matches the DS RRset to the KSKs. 
It then queries the\nspecified record name and type within the zone and authenticates its\nsignature.\n\nOptionally, the program can be told to query specific additional\nnameserver names or addresses not published in the NS RRset for the \nzone, or even omit querying the NS RRSet entirely.\n\nThis program is useful for checking that _every_ authoritative server\nfor a target zone is responding with correctly signed answers.\n\nPre-requisites:\n- Python 3\n- [dnspython module](http://www.dnspython.org/) (included with most Linux/*BSD distributions)\n- [python-cryptography](https://cryptography.io/en/latest/) for DNSSEC support\n- [my resolve.py library](https://github.com/shuque/resolve)\n\n\n### Installation\n\nInstall check_zone_dnssec.py:\n\n* pip3 install git+https://github.com/shuque/check_zone_dnssec.git@v1.0.7\n\n\n### Usage\n\n```\n$ check_zone_dnssec.py -h\nusage: check_zone_dnssec.py [-h] [-v] [--percent_ok N] [-4 | -6] [--bufsize N]\n                            [--addnsname NSNAMES] [--addnsip NSIPS]\n                            [--nonsquery] [--nsid] [--dsdata DSDATA]\n                            [--resolvers IP [IP ...]] [--text] [--timeout N]\n                            [--retries N]\n                            zone recname rectype\n\nVersion 1.0.7\nQuery all nameserver addresses for a given zone and validate DNSSEC\n\npositional arguments:\n  zone                  DNS zone name\n  recname               Record name in the zone\n  rectype               Record type for that name\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -v, --verbose         increase output verbosity\n  --percent_ok N        Percentage success threshold (default: 100)\n  -4                    Query IPv4 nameserver addresses only\n  -6                    Query IPv6 nameserver addresses only\n  --bufsize N           Set EDNS buffer size in octets (default: 1420)\n  --addnsname NSNAMES   Additional NS names to query (comma separated)\n  --addnsip 
NSIPS       Additional NS IP addresses to query (comma separated)\n  --nonsquery           Don't query zone's NS set (default: False)\n  --nsid                Send and record NSID EDNS option\n  --dsdata DSDATA       Use specified DS rdata string (default: None)\n  --resolvers IP [IP ...]\n                        Use specified resolver addresses (default: ['8.8.8.8',\n                        '1.1.1.1'])\n  --text                Emit abbreviated text output (default is json)\n  --timeout N           Query timeout in secs (default: 4)\n  --retries N           Number of UDP retries (default: 1)\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshuque%2Fcheck_zone_dnssec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fshuque%2Fcheck_zone_dnssec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fshuque%2Fcheck_zone_dnssec/lists"}