Description:

rcdss 0.9

RIPE NCC CDS scanner
This utility implements support for automated DNSSEC delegation
trust maintenance for the reverse DNS zones delegated by RIPE database.
It implements scanning for CDS records according to RFC
7344 and RFC
8078.
Only trust anchor update and remove is supported. Bootstrapping from
insecure to secure is not supported.
It reads a dump of DOMAIN objects from the RIPE database. Only domain objects
containing ds-rdata: attributes are processed.
CDS records are scanned using default resolver of the host, which MUST be
DNSSEC-aware and SHOULD perform DNSSEC-validation. The utility outputs RPSL-like
file listing objects that should be modified in the RIPE database. Since the
scanner works with dummyfied objects, output cannot be directly pushed into
the Database. Instead, it has to be used as a diff-file for a GET-modify-PUT
operation on the database.
DNSSEC algorithm support
The utility does all the special validations mandated by RFC 7344. These are
done using dnspython. Since these validations
provide similar level of security to standard DNSSEC validation process,
validation in the DNS resolver is not required.
Therefore, the list of supported algorithms is same as the list of supported
DNSSEC algorithms of dnspython.
Installation and usage
This package can be installed using pip,
preferably into its own
virtualenv.
$ python3 -m venv rcdss-venv
$ source rcdss-venv/bin/activate
(rcdss-venv)$ pip install rcdss
(rcdss-venv)$ rcdss --help

License

For personal and professional use. You cannot resell or redistribute these repositories in their original state.

Share

• Share on Facebook
• Share on Twitter