Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/peterzen/goresolver

DNSSEC validating resolver library
https://github.com/peterzen/goresolver

dns dnssec dnssecurity golang-library golang-package

Last synced: about 20 hours ago
JSON representation

DNSSEC validating resolver library

Host: GitHub
URL: https://github.com/peterzen/goresolver
Owner: peterzen
License: isc
Created: 2019-02-24T22:24:30.000Z (over 5 years ago)
Default Branch: master
Last Pushed: 2024-01-02T17:33:43.000Z (9 months ago)
Last Synced: 2024-06-19T02:02:54.166Z (4 months ago)
Topics: dns, dnssec, dnssecurity, golang-library, golang-package
Language: Go
Homepage:
Size: 81.1 KB
Stars: 19
Watchers: 3
Forks: 5
Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        go-resolver

===============

A Golang DNSSEC validating resolver library implemented on top of [miekg/dns](https://github.com/miekg/dns).

This package implements DNS lookup functions that perform DNSSEC validation.  

## Implementation

When querying DNSSEC enabled zones, it performs a full verification of the resource records (RRs) included in the response and validates the chain of trust:

* Requests the desired RRset (along with the corresponding `RRSIG` record)

* Requests the `DNSKEY` records containing the public ZSK and public KSK (along with the `RRSIG` for the `DNSKEY` RRset)

* Performs the cryptographic verification of the `RRSIG` of the requested RRset with the public ZSK

* Performs the cryptographic verification of the `RRSIG` of the `DNSKEY` RRset with the public KSK

* Checks the validity period of the `RRSIG` records

Following these cryptographic verifications, the package then validates the authentication chain by walking up the delegation chain, checking the public `DNSKEY` RRs against the `DS` records in each parent zone, up to the TLD zone.  (For a more in-depth description of how DNSSEC works, see [this guide](https://www.cloudflare.com/dns/dnssec/how-dnssec-works/).)

In case of any validation errors, the method returns a non-nil `err` value, and an empty result set.  

`goresolver` does not yet implement denial of existence validation using `NSEC` or `NSEC3` records.

## Documentation

```Go

import "github.com/peterzen/goresolver"

result, err := resolver.StrictNSQuery("example.com.", dns.TypeMX)

if err != nil {

	// handle validation errors

}

```

`goresolver.LookupIP` can be used as drop-in replacement to [net.LookupIP](https://golang.org/pkg/net/#LookupIP):

```Go

import "github.com/peterzen/goresolver"

ips, err := goresolver.LookupIP("www.example.com")

if err != nil {

	// handle validation errors

}

```

## Installation

```bash

$ go get -u github.com/peterzen/goresolver

```

PRs for additional test cases covering less common DNSSEC setups are welcome and much appreciated.

## More information

* DNS Security Introduction and Requirements [RFC4033](https://tools.ietf.org/html/rfc4033)