The DNS provides a single, global, hierarchical namespace with (when DNSSEC is used) cryptographic guarantees on all of its data.
This makes it incredibly powerful for resolving human-readable names into arbitrary, secured data.
Unlike TLS, this cryptographic security provides transferable proofs which can convince an offline device, using simple cryptographic primitives and a single root trusted key, of the validity of DNS data.
This crate implements the creation and validation of such proofs, using the format from RFC 9102 to create transferable proofs of DNS entries.
It is no-std (but requires alloc) and seeks to have minimal dependencies and a reasonably
conservative MSRV policy, allowing it to be used in as many places as possible.
Most of the crate’s logic is feature-gated, and all dependencies are optional:
- By default, the `validation` feature is set, allowing validation of DNSSEC signatures and proofs using the [validation] module.
- The `std` feature enables the `query` module, allowing for the building of proofs by querying a recursive resolver over TCP.
- The `tokio` feature further enables async versions of the `query` methods, doing the same querying async using `tokio`’s TCP streams.
- Finally, the crate can be built as a binary using the `build_server` feature, responding to queries over HTTP GET calls to `/dnssecproof?d=domain.name.&t=RecordType` with DNSSEC proofs.
The slower_smaller_binary feature slows proof validation down by 50%+ for a very marginal
reduction in binary size, but those who are extremely binary size constrained may still find it
useful.
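An added example, not the crate’s own code: a minimal Rust parser for the concatenated wire-format resource records that RFC 9102 uses to carry a transferable proof (the same kind of stream the `ser` module reads and writes). It assumes uncompressed names, since a stand-alone proof has no enclosing DNS message for compression pointers to refer into; the `WireRr` type and `parse_rr_stream` function are names chosen for this example, not the crate’s API.

```rust
// Added illustration, not the crate's own code: parse a stream of wire-format
// resource records, the layout RFC 9102 uses to carry a transferable proof.
// Each RR is: NAME (uncompressed labels), TYPE u16, CLASS u16, TTL u32,
// RDLENGTH u16, RDATA. Name compression is rejected: a stand-alone proof
// stream has no enclosing message for pointers to refer into.

#[derive(Debug, PartialEq)]
pub struct WireRr {
    pub name: String,
    pub rr_type: u16,
    pub class: u16,
    pub ttl: u32,
    pub rdata: Vec<u8>,
}

fn read_u16(buf: &[u8], pos: &mut usize) -> Result<u16, &'static str> {
    let b = buf.get(*pos..*pos + 2).ok_or("truncated field")?;
    *pos += 2;
    Ok(u16::from_be_bytes([b[0], b[1]]))
}

fn read_name(buf: &[u8], pos: &mut usize) -> Result<String, &'static str> {
    let mut labels = Vec::new();
    loop {
        let len = *buf.get(*pos).ok_or("truncated name")? as usize;
        *pos += 1;
        if len == 0 { break; }
        // 0b11xxxxxx is a compression pointer, 0b01/0b10 are extended labels
        if len & 0xC0 != 0 { return Err("compressed or extended label in proof"); }
        let label = buf.get(*pos..*pos + len).ok_or("truncated label")?;
        labels.push(String::from_utf8_lossy(label).into_owned());
        *pos += len;
    }
    Ok(labels.join(".") + ".") // the root name becomes "."
}

pub fn parse_rr_stream(buf: &[u8]) -> Result<Vec<WireRr>, &'static str> {
    let (mut pos, mut out) = (0, Vec::new());
    while pos < buf.len() {
        let name = read_name(buf, &mut pos)?;
        let rr_type = read_u16(buf, &mut pos)?;
        let class = read_u16(buf, &mut pos)?;
        let ttl = (read_u16(buf, &mut pos)? as u32) << 16 | read_u16(buf, &mut pos)? as u32;
        let rdlength = read_u16(buf, &mut pos)? as usize;
        let rdata = buf.get(pos..pos + rdlength).ok_or("truncated rdata")?.to_vec();
        pos += rdlength;
        out.push(WireRr { name, rr_type, class, ttl, rdata });
    }
    Ok(out)
}
```

Every length field is bounds-checked before use, so a truncated or malformed stream yields an error rather than a panic, which is the behaviour wanted when the input comes from an untrusted party.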
Modules
- query
- This module exposes utilities for building DNSSEC proofs by directly querying a recursive resolver.
- rr
- Resource Records are the fundamental type in the DNS - individual records mapping a name to some data.
- ser
- Logic to read and write resource record (streams)
Constants
- MAX_PROOF_STEPS
- The maximum number of requests we will make when building a proof, or the maximum number of rr::RRSig sets we’ll validate records from when validating proofs.