DNSSEC¶

Dnspython can do simple DNSSEC signature validation, but currently has no facilities for signing. In order to use DNSSEC functions, you must have python cryptography installed.

DNSSEC Functions¶

dns.dnssec.algorithm_from_text(text: str) → dns.dnssectypes.Algorithm[source]¶

Convert text into a DNSSEC algorithm value.

text, a str, the text to convert to into an algorithm value.

Returns an int.

dns.dnssec.algorithm_to_text(value: Union[dns.dnssectypes.Algorithm, int]) → str[source]¶

Convert a DNSSEC algorithm value to text

value, a dns.dnssec.Algorithm.

Returns a str, the name of a DNSSEC algorithm.

dns.dnssec.key_id(key: dns.rdtypes.ANY.DNSKEY.DNSKEY) → int[source]¶

Return the key id (a 16-bit number) for the specified key.

key, a dns.rdtypes.ANY.DNSKEY.DNSKEY

Returns an int between 0 and 65535

dns.dnssec.make_ds(name: Union[dns.name.Name, str], key: dns.rdata.Rdata, algorithm: Union[dns.dnssectypes.DSDigest, str], origin: Optional[dns.name.Name] = None) → dns.rdtypes.ANY.DS.DS[source]¶

Create a DS record for a DNSSEC key.

name, a dns.name.Name or str, the owner name of the DS record.

key, a dns.rdtypes.ANY.DNSKEY.DNSKEY, the key the DS is about.

algorithm, a str or int specifying the hash algorithm. The currently supported hashes are “SHA1”, “SHA256”, and “SHA384”. Case does not matter for these strings.

origin, a dns.name.Name or None. If key is a relative name, then it will be made absolute using the specified origin.

Raises UnsupportedAlgorithm if the algorithm is unknown.

Returns a dns.rdtypes.ANY.DS.DS

dns.dnssec.validate(rrset: Union[dns.rrset.RRset, Tuple[dns.name.Name, dns.rdataset.Rdataset]], rrsigset: Union[dns.rrset.RRset, Tuple[dns.name.Name, dns.rdataset.Rdataset]], keys: Dict[dns.name.Name, Union[dns.rdataset.Rdataset, dns.node.Node]], origin: Optional[dns.name.Name] = None, now: Optional[float] = None) → None¶

Validate an RRset against a signature RRset, throwing an exception if none of the signatures validate.

rrset, the RRset to validate. This can be a dns.rrset.RRset or a (dns.name.Name, dns.rdataset.Rdataset) tuple.

rrsigset, the signature RRset. This can be a dns.rrset.RRset or a (dns.name.Name, dns.rdataset.Rdataset) tuple.

keys, the key dictionary, used to find the DNSKEY associated with a given name. The dictionary is keyed by a dns.name.Name, and has dns.node.Node or dns.rdataset.Rdataset values.

origin, a dns.name.Name, the origin to use for relative names; defaults to None.

now, an int or None, the time, in seconds since the epoch, to use as the current time when validating. If None, the actual current time is used.

Raises ValidationFailure if the signature is expired, not yet valid, the public key is invalid, the algorithm is unknown, the verification fails, etc.

dns.dnssec.validate_rrsig(rrset: Union[dns.rrset.RRset, Tuple[dns.name.Name, dns.rdataset.Rdataset]], rrsig: dns.rdtypes.ANY.RRSIG.RRSIG, keys: Dict[dns.name.Name, Union[dns.rdataset.Rdataset, dns.node.Node]], origin: Optional[dns.name.Name] = None, now: Optional[float] = None) → None¶

Validate an RRset against a single signature rdata, throwing an exception if validation is not successful.

rrset, the RRset to validate. This can be a dns.rrset.RRset or a (dns.name.Name, dns.rdataset.Rdataset) tuple.

rrsig, a dns.rdata.Rdata, the signature to validate.

keys, the key dictionary, used to find the DNSKEY associated with a given name. The dictionary is keyed by a dns.name.Name, and has dns.node.Node or dns.rdataset.Rdataset values.

origin, a dns.name.Name or None, the origin to use for relative names.

now, a float or None, the time, in seconds since the epoch, to use as the current time when validating. If None, the actual current time is used.

Raises ValidationFailure if the signature is expired, not yet valid, the public key is invalid, the algorithm is unknown, the verification fails, etc.

Raises UnsupportedAlgorithm if the algorithm is recognized by dnspython but not implemented.

dns.dnssec.nsec3_hash(domain: Union[dns.name.Name, str], salt: Optional[Union[str, bytes]], iterations: int, algorithm: Union[int, str]) → str[source]¶

Calculate the NSEC3 hash, according to https://tools.ietf.org/html/rfc5155#section-5

domain, a dns.name.Name or str, the name to hash.

salt, a str, bytes, or None, the hash salt. If a string, it is decoded as a hex string.

iterations, an int, the number of iterations.

algorithm, a str or int, the hash algorithm. The only defined algorithm is SHA1.

Returns a str, the encoded NSEC3 hash.

DNSSEC Algorithms¶

dns.dnssec.RSAMD5 = Algorithm.RSAMD5¶: An enumeration.

dns.dnssec.DH = Algorithm.DH¶: An enumeration.

dns.dnssec.DSA = Algorithm.DSA¶: An enumeration.

dns.dnssec.ECC = Algorithm.ECC¶: An enumeration.

dns.dnssec.RSASHA1 = Algorithm.RSASHA1¶: An enumeration.

dns.dnssec.DSANSEC3SHA1 = Algorithm.DSANSEC3SHA1¶: An enumeration.

dns.dnssec.RSASHA1NSEC3SHA1 = Algorithm.RSASHA1NSEC3SHA1¶: An enumeration.

dns.dnssec.RSASHA256 = Algorithm.RSASHA256¶: An enumeration.

dns.dnssec.RSASHA512 = Algorithm.RSASHA512¶: An enumeration.

dns.dnssec.ECDSAP256SHA256 = Algorithm.ECDSAP256SHA256¶: An enumeration.

dns.dnssec.ECDSAP384SHA384 = Algorithm.ECDSAP384SHA384¶: An enumeration.

dns.dnssec.INDIRECT = Algorithm.INDIRECT¶: An enumeration.

dns.dnssec.PRIVATEDNS = Algorithm.PRIVATEDNS¶: An enumeration.

dns.dnssec.PRIVATEOID = Algorithm.PRIVATEOID¶: An enumeration.