diff options
Diffstat (limited to 'contrib/python/docs/source/examples/example2.rst')
| -rw-r--r-- | contrib/python/docs/source/examples/example2.rst | 100 |
1 files changed, 100 insertions, 0 deletions
diff --git a/contrib/python/docs/source/examples/example2.rst b/contrib/python/docs/source/examples/example2.rst new file mode 100644 index 000000000000..b1734386e7de --- /dev/null +++ b/contrib/python/docs/source/examples/example2.rst @@ -0,0 +1,100 @@ +.. _ex_dnssec: + +Querying DNS-SEC validators +=========================== + +This basic example shows how to query validating resolver and +evaluate answer. + +Resolving step by step +------------------------ + +For DNS queries, we need to initialize ldns resolver (covered in previous example). + +:: + + # Create resolver + resolver = ldns.ldns_resolver.new_frm_file("/etc/resolv.conf") + resolver.set_dnssec(True) + + # Custom resolver + if argc > 2: + # Clear previous nameservers + ns = resolver.pop_nameserver() + while ns != None: + ns = resolver.pop_nameserver() + ip = ldns.ldns_rdf.new_frm_str(sys.argv[2], ldns.LDNS_RDF_TYPE_A) + resolver.push_nameserver(ip) + +Note the second line :meth:`resolver.set_dnssec`, which enables DNSSEC OK bit +in queries in order to get meaningful results. + +As we have resolver initialized, we can start querying for domain names : + +:: + + # Resolve DNS name + pkt = resolver.query(name, ldns.LDNS_RR_TYPE_A, ldns.LDNS_RR_CLASS_IN) + if pkt and pkt.answer(): + +Now we evaluate result, where two flags are crucial : + + * Return code + * AD flag (authenticated) + +When return code is `SERVFAIL`, it means that validating resolver marked requested +name as **bogus** (or bad configuration). + +**AD** flag is set if domain name is authenticated **(secure)** or false if +it's insecure. + +Complete source code +-------------------- + + .. literalinclude:: ../../../examples/ldns-dnssec.py + :language: python + + +Testing +------- + +In order to get meaningful results, you have to enter IP address of validating +resolver or setup your own (see howto). + +Execute `./example2.py` with options `domain name` and `resolver IP`, +example: + +:: + + user@localhost# ./example2.py www.dnssec.cz 127.0.0.1 # Secure (Configured Unbound running on localhost) + user@localhost# ./example2.py www.rhybar.cz 127.0.0.1 # Bogus + +Howto setup Unbound as validating resolver +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Install Unbound according to instructions. +Modify following options in `unbound.conf` (located in `/etc` or `/usr/local/etc`)/ + + +Uncomment `module-config` and set `validator` before iterator. + +:: + + module-config: "validator iterator" + +Download DLV keys and update path in `unbound.conf`:: + + # DLV keys + # Download from http://ftp.isc.org/www/dlv/dlv.isc.org.key + dlv-anchor-file: "/usr/local/etc/unbound/dlv.isc.org.key" + +Update trusted keys (`.cz` for example):: + + # Trusted keys + # For current key, see www.dnssec.cz + trusted-keys-file: "/usr/local/etc/unbound/trusted.key" + +Now you should have well configured Unbound, so run it:: + + user@localhost# unbound -dv + |