As the title says, I want to programmatically check if a DNS response for a domain is protected with DNSSEC.
How could I do this?
It would be great if there is a pythonic solution for this.
UPDATE: changed request to response, sorry for the confusion
Using a DNS resolver (e.g. dnspython), you can query the domain for its DNSKEY RRset and turn on the DO (DNSSEC OK) query flag. If the query succeeds, the answer will have the AD (authenticated data) flag set and will contain the RRSIG signatures for the zone (if it is signed).

Update: a basic example using dnspython
To see if a particular request is protected, look at the DO flag in the request packet. Whatever language and library you use to interface to DNS should have an accessor for it (it may be called something else, like "dnssec").
The first answer is correct but incomplete if you want to know if a certain zone is protected. The described procedure will tell you if the zone's own data is signed. In order to check that the delegation to the zone is protected, you need to ask the parent zone's name servers for a (correctly signed) DS record for the zone you're interested in.