PyDNSSEC is a DNSSEC toolkit for Python. It supports public/private keypairs generation and resource records signing and verification using DNSSEC.
The toolkit is based on dnspython (http://www.dnspython.org/), and uses PyCrypto (http://www.pycrypto.org/) for cryptography operations. Both packages are required by PyDNSSEC.
Features:
- Public/private keypairs generation
- Export to DNSSEC private key format
- Resource record signing
- Whole zone signing
- Both NSEC and NSEC3 are supported
DNSKEY algorithm support:
- RSAMD5 (1): not supported
- DSA (3): not supported
- RSASHA1 (5): supported
- DSANSEC3SHA1 (6): not supported
- RSASHA1NSEC3SHA1 (7): supported
- RSASHA256 (8): supported
- RSASHA512 (10): supported
- ECDSAP256SHA256 (13): planned
- ECDSAP384SHA384 (14): planned
Recent RFC-6944 defines which algorithms should be supported by DNSSEC implementations. As ECDSAP256SHA256 and ECDSAP384SHA384 are recommended, they will be implemented soon.
Key generation and exporting to DNSSEC private key files:
from dns import zone
import os
import dnssec
ksk = dnssec.PrivateDNSKEY.generate(
dnssec.DNSKEY_FLAG_ZONEKEY | dnssec.DNSKEY_FLAG_SEP,
dnssec.RSASHA256, bits=2048
)
ksk.to_file('example.com', os.path.dirname(__file__))
zsk = dnssec.PrivateDNSKEY.generate(
dnssec.DNSKEY_FLAG_ZONEKEY,
dnssec.RSASHA256, bits=1024
)
zsk.to_file('example.com', os.path.dirname(__file__))
Zone signing:
z = zone.from_file('example.com.zone', origin='example.com.')
dnssec.sign_zone(z, [ksk, zsk])
z.to_file('example.com.signed', relativize=False)
Zone unsigning (removes all DNSSEC specific resource records from it):
dnssec.unsign_zone(z)
z.to_file('example.com.unsigned', relativize=False)
The module is packed using distutils, so it can be easily installed by running following command from the package directory:
python setup.py install
PyCrypto and dnspython packages are required by PyDNSSEC.