Im writing a script to verify rrsigs using dnspython but something is wrong with my code. The following is a snippet and its accompanying error message:
domain = 'iana.org'
server = '8.8.8.8'
qname = dns.name.from_text(domain)
# get DNSKEYs
DNSKEY_query = dns.message.make_query(qname, dns.rdatatype.DNSKEY, want_dnssec=True)
(DNSKEY_response, _) = dns.query.udp_with_fallback(DNSKEY_query, server)
dnskey_set, dnskey_sig = DNSKEY_response.answer
# get RRset and RRsig to verify
query = dns.message.make_query(qname, dns.rdatatype.NS, want_dnssec=True)
(response, _) = dns.query.udp_with_fallback(query, server)
rrset, rrsig = response.answer
dns.dnssec.validate(rrset, rrsig, {dns.name.empty: dnskey_set}, None)
Error message.
Traceback (most recent call last):
File "dnssec_validator.py", line 107, in <module>
dns.dnssec.validate(rrset, rrsig, {dns.name.empty: dnskey_set}, None)
File "/home/user/PycharmProjects/RPKIDNSSEC/venv/lib/python3.6/site-packages/dns/dnssec.py", line 494, in _validate
raise ValidationFailure("no RRSIGs validated")
dns.dnssec.ValidationFailure: no RRSIGs validated
