I've been trying to figure out a way to validate DNS records in PHP (oa1
) but have come up short.
I can validate a whole domain with this library, but not the individual records: https://github.com/metaregistrar/php-dnssec-validator
In addition, that library only allows for a very small set of TLDs to be validated.
Is there another library out there that can handle this for me, or perhaps something else I should look into?
I've also found this: http://www.phpclasses.org/package/9031-PHP-Validate-DNSSEC-keys-and-calculate-the-DS-record.html
But I have no idea how to get the keys to use in their validating function.
Help please!
UPDATE
So, I ended up using this...
exec('host -t RRSIG ' . $domain, $output);
Returns the RRSIG, or lack thereof, with minimal hassle.
The PHP engine has a fixed set of DNS record types it supports, all defined by the type
parameter to dns_get_record
. You can double check this list by looking in the engine code that implements DNS queries.
Unfortunately, none of the DNSSEC records are in that pre-defined list. So, you need to rely on a library or an external tool.
I'd use Net_DNS2
, as it supports many DNSSEC RR. Example:
$google = new \Net_DNS2_Resolver(['nameservers' => ['8.8.8.8', '8.8.4.4']]);
$google->dnssec = true;
try {
$result = $google->query('kyhwana.org', 'SSHFP');
} catch(\Net_DNS2_Exception $ex) {
die($ex->getMessage());
}
foreach ($result->answer as $answer) {
if ($answer instanceof \Net_DNS2_RR_SSHFP) {
printf(
'%s %d %s %s %d %d %s' . PHP_EOL,
$answer->name,
$answer->ttl,
$answer->class,
$answer->type,
$answer->algorithm,
$answer->fp_type,
$answer->fingerprint
);
} else if ($answer instanceof \Net_DNS2_RR_RRSIG) {
printf('Signed by %s: %s' . PHP_EOL, $answer->signname, $answer->signature);
}
}
Aside: if your domain uses ECDSA algorithm or the SHA-256 fingerprint (like the example above), then you need the latest Net_DNS2 code which fixes Issue #39.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With