DNSSEC 使用 DNSPython 签署 RRSET
我正在尝试对 RRSET 进行 DNSSEC 签名,但是我找不到任何有关如何使用 DNSPython 执行此操作的参考。是的,它有 dns.dnssec.validate_rrsig(),但我想 DNSSEC 签署一个 rrset,如何做到这一点?
我一直对 RFC 很不满意,但是我显然缺少一些东西来让它发挥作用。
I'm trying to DNSSEC Sign a RRSET, however I am not able finding any references to how to do so using DNSPython. Yes it has dns.dnssec.validate_rrsig(), but I want to DNSSEC sign a rrset, how can this be done?
I've been pooring over the RFC's however I'm obviously lacking something in order to make it work.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
你真的必须用 DNSPython 来做吗?这是自定义名称服务器吗?
通常执行此操作的典型方法(例如使用绑定)是对区域文件进行预签名。 DNSSEC RRSIG 对连接参数没有任何依赖性,因此我们实际上不必进行即时签名。另外,如果您预先签署,NSEC 之类的事情会更容易处理。
Do you really have to do it with DNSPython? Is this a custom name server?
The typical way you normally do it (with bind, for example) is by pre-signing the zone file. The DNSSEC RRSIG does not have any dependency on the connection parameters so we don't really have to do on-the-fly signing. Also, things like NSEC would be easier to handle if you pre-sign.