 

How to validate DNSSEC in PHP?

Tags:

php

I've been trying to figure out a way to validate DNS records in PHP (oa1) but have come up short.

I can validate a whole domain with this library, but not the individual records: https://github.com/metaregistrar/php-dnssec-validator

In addition, that library only allows for a very small set of TLDs to be validated.

Is there another library out there that can handle this for me, or perhaps something else I should look into?

I've also found this: http://www.phpclasses.org/package/9031-PHP-Validate-DNSSEC-keys-and-calculate-the-DS-record.html

But I have no idea how to get the keys to use in their validating function.

Help please!

UPDATE

So, I ended up using this...

// escapeshellarg() keeps an attacker-controlled $domain from injecting shell syntax
exec('host -t RRSIG ' . escapeshellarg($domain), $output);

Returns the RRSIG, or lack thereof, with minimal hassle.

Chris R. asked Mar 19 '15 14:03


1 Answer

The PHP engine has a fixed set of DNS record types it supports, all defined by the type parameter to dns_get_record. You can double check this list by looking in the engine code that implements DNS queries.

Unfortunately, none of the DNSSEC records are in that pre-defined list. So, you need to rely on a library or an external tool.

I'd use Net_DNS2, as it supports many DNSSEC RRs. Example:

require_once 'Net/DNS2.php'; // PEAR layout; with Composer, require vendor/autoload.php instead

// Query Google Public DNS with the EDNS0 DO bit set so RRSIGs are returned alongside the data.
$google = new \Net_DNS2_Resolver(['nameservers' => ['8.8.8.8', '8.8.4.4']]);
$google->dnssec = true;
try {
    $result = $google->query('kyhwana.org', 'SSHFP');
} catch (\Net_DNS2_Exception $ex) {
    die($ex->getMessage());
}

// With DO set, the answer section holds the SSHFP records plus the RRSIG that covers them.
foreach ($result->answer as $answer) {
    if ($answer instanceof \Net_DNS2_RR_SSHFP) {
        printf(
            '%s %d %s %s %d %d %s' . PHP_EOL,
            $answer->name,
            $answer->ttl,
            $answer->class,
            $answer->type,
            $answer->algorithm,   // IANA SSHFP algorithm: 1 RSA, 2 DSA, 3 ECDSA, 4 Ed25519
            $answer->fp_type,     // IANA fingerprint type: 1 SHA-1, 2 SHA-256
            $answer->fingerprint
        );
    } elseif ($answer instanceof \Net_DNS2_RR_RRSIG) {
        printf('Signed by %s: %s' . PHP_EOL, $answer->signname, $answer->signature);
    }
}

Aside: if your domain uses the ECDSA algorithm or the SHA-256 fingerprint (like the example above), then you need the latest Net_DNS2 code which fixes Issue #39.

bishop answered Sep 23 '22 10:09
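Neither the `host -t RRSIG` shell-out in the question's update nor the Net_DNS2 loop in the answer validates anything: both only show that signature records exist. Net_DNS2 carries RRSIGs but does not verify them, so the practical way to get a DNSSEC verdict from PHP is to send the query with DO=1 and CD=0 to a resolver that validates, and read back its answer: AD=1 means secure, NOERROR with AD=0 means the zone is unsigned, and SERVFAIL means the data was bogus. The following is an added example (my code, not from the question, the answer or the Net_DNS2 project). It assumes Net_DNS2 installed via Composer (`vendor/autoload.php`), a validating resolver at the chosen address (8.8.8.8 validates), and that Net_DNS2 reports the SERVFAIL rcode as the exception code; `dnssecStatus` and `isDnssecValidated` are names of my own, and `dnssec-failed.org` is Comcast's public, deliberately broken DNSSEC test zone.

```php
<?php
// Added example, not part of the original Q&A. Delegates DNSSEC validation to a
// validating resolver and reads its verdict from the response header.
// Assumptions: Net_DNS2 installed via Composer; $nameserver validates DNSSEC;
// Net_DNS2 throws on non-NOERROR rcodes with the rcode in getCode() (true for
// the 1.4.x code I have read; check your version). Function names are mine.

require_once __DIR__ . '/vendor/autoload.php';

/**
 * Classify $name/$type as 'secure', 'insecure' or 'bogus' according to the
 * validating resolver. Transport errors and other rcodes are rethrown.
 */
function dnssecStatus(string $name, string $type = 'A', string $nameserver = '8.8.8.8'): string
{
    $resolver = new \Net_DNS2_Resolver(['nameservers' => [$nameserver]]);
    $resolver->dnssec         = true;   // EDNS0 DO bit: ask for RRSIGs in the reply
    $resolver->dnssec_ad_flag = true;   // request the AD bit in the response header
    $resolver->dnssec_cd_flag = false;  // CD=0: the resolver must refuse bogus data

    try {
        $response = $resolver->query($name, $type);
    } catch (\Net_DNS2_Exception $e) {
        // A validating resolver answers SERVFAIL when validation fails (assumption:
        // Net_DNS2 surfaces that rcode as the exception code).
        if ($e->getCode() === \Net_DNS2_Lookups::RCODE_SERVFAIL) {
            return 'bogus';
        }
        throw $e;
    }

    // AD=1: the resolver verified the chain of trust from the root down to $name.
    // AD=0 with NOERROR: the zone (or an ancestor) is unsigned, i.e. "insecure".
    return $response->header->ad ? 'secure' : 'insecure';
}

/**
 * What a caller should actually branch on. Only 'secure' counts, and only when the
 * path to the resolver cannot be tampered with (a local unbound/knot-resolver, or
 * a DoT/DoH channel). Over plain UDP to a remote resolver, AD is just one more bit
 * that an on-path attacker can set, which is why the default here is localhost.
 */
function isDnssecValidated(string $name, string $type = 'A', string $nameserver = '127.0.0.1'): bool
{
    return dnssecStatus($name, $type, $nameserver) === 'secure';
}

// Illustrative usage; results depend on live DNS. 'dnssec-failed.org' is
// Comcast's deliberately broken test zone and should come back 'bogus'.
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    foreach ([['kyhwana.org', 'SSHFP'], ['example.com', 'A'], ['dnssec-failed.org', 'A']] as [$name, $type]) {
        printf("%-20s %-6s %s\n", $name, $type, dnssecStatus($name, $type));
    }
}
```

Two caveats worth keeping in mind. First, setting CD=1 inverts the behaviour: the resolver then hands back bogus data together with its RRSIGs, which is useful for debugging but never for a security decision. Second, the answer's SSHFP example is exactly the case where this matters: an SSHFP fingerprint is only worth pinning against if the record arrived with AD=1 over a trusted path, which is the same condition OpenSSH's `VerifyHostKeyDNS` imposes before it trusts the record.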