dnsjava has DNSSEC support. I'd like to do a simple Lookup, just like the Lookup examples ( http://www.xbill.org/dnsjava/dnsjava-current/examples.html ), but have dnsjava tell me if it validates DNSSEC. (Or, raise an exception if it doesn't.)
I've done some simple testing and confirmed that, by default, dnsjava will not do any DNSSEC validation.
How can I tell dnsjava to do DNSSEC validation on a Lookup?
With the current version (Jan 2024) of dnsjava you can do as follows:
```java
import org.xbill.DNS.Lookup;
import org.xbill.DNS.Record;
import org.xbill.DNS.SimpleResolver;
import org.xbill.DNS.Type;
import org.xbill.DNS.dnssec.ValidatingResolver;

import java.io.ByteArrayInputStream;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;

public class Main {
    // Trust anchor for the root zone (the root KSK DS record), in zone-file format.
    static String ROOT = ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";

    public static void main(String[] args) throws Exception {
        // Plain recursive resolver that fetches the records and RRSIGs for us.
        SimpleResolver recursiveNameServer = new SimpleResolver(InetAddress.getByName("8.8.8.8"));
        // Wrap it so every response is validated against the loaded trust anchor.
        ValidatingResolver securityAwareResolver = new ValidatingResolver(recursiveNameServer);
        securityAwareResolver.loadTrustAnchors(new ByteArrayInputStream(ROOT.getBytes(StandardCharsets.US_ASCII)));

        // dnssec-failed.org is deliberately mis-signed, so this lookup fails validation.
        Lookup lookup = new Lookup("dnssec-failed.org", Type.NS);
        lookup.setResolver(securityAwareResolver);
        Record[] records = lookup.run();
        int result = lookup.getResult();
        if (result != Lookup.SUCCESSFUL) {
            System.out.println("Failure");
        } else {
            System.out.println("Success");
        }
    }
}
```
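`Lookup.SUCCESSFUL` does not distinguish an answer that validated from one that came from an unsigned zone, and a validation failure surfaces as a SERVFAIL. The following is an added example, not part of the answer above, that sends the query through the same `ValidatingResolver` and classifies the result from the response's AD bit and rcode. The class and method names (`DnssecStatus`, `check`) are mine; the resolver address and trust anchor are those used in the answer, and `ValidatingResolver.VALIDATION_REASON_QNAME` is the constant dnsjava uses to attach the failure reason.

```java
import java.io.ByteArrayInputStream;
import java.net.InetAddress;
import java.nio.charset.StandardCharsets;
import org.xbill.DNS.DClass;
import org.xbill.DNS.Flags;
import org.xbill.DNS.Message;
import org.xbill.DNS.Name;
import org.xbill.DNS.Rcode;
import org.xbill.DNS.Record;
import org.xbill.DNS.Section;
import org.xbill.DNS.SimpleResolver;
import org.xbill.DNS.TXTRecord;
import org.xbill.DNS.Type;
import org.xbill.DNS.dnssec.ValidatingResolver;

public class DnssecStatus {
    // Root KSK trust anchor, the same DS record as in the answer above.
    static final String ROOT_DS =
        ". IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";

    public enum Status { SECURE, INSECURE, BOGUS }

    /** Sends one query through the validating resolver and classifies the outcome. */
    public static Status check(ValidatingResolver resolver, String name, int type) throws Exception {
        Record question = Record.newRecord(Name.fromString(name, Name.root), type, DClass.IN);
        // ValidatingResolver sets the DO bit itself and validates the chain up to the trust anchor.
        Message response = resolver.send(Message.newQuery(question));
        if (response.getRcode() == Rcode.SERVFAIL) {
            // A failed validation is reported as SERVFAIL with the reason attached as a TXT record
            // in the additional section. An upstream SERVFAIL looks the same but carries no reason.
            for (Record r : response.getSection(Section.ADDITIONAL)) {
                if (r instanceof TXTRecord && r.getName().equals(ValidatingResolver.VALIDATION_REASON_QNAME)) {
                    System.err.println("validation failed: " + String.join(" ", ((TXTRecord) r).getStrings()));
                }
            }
            return Status.BOGUS;
        }
        // AD set: the chain validated. AD clear with a normal rcode: the zone is unsigned (insecure),
        // which a plain Lookup.SUCCESSFUL would not tell apart from a validated answer.
        return response.getHeader().getFlag(Flags.AD) ? Status.SECURE : Status.INSECURE;
    }

    public static void main(String[] args) throws Exception {
        ValidatingResolver resolver = new ValidatingResolver(new SimpleResolver(InetAddress.getByName("8.8.8.8")));
        resolver.loadTrustAnchors(new ByteArrayInputStream(ROOT_DS.getBytes(StandardCharsets.US_ASCII)));
        // Defaults to the deliberately broken test domain from the answer; pass other names as arguments.
        for (String name : args.length > 0 ? args : new String[] {"dnssec-failed.org"}) {
            System.out.println(name + ": " + check(resolver, name, Type.NS));
        }
    }
}
```

If you only want the answerer's exception behaviour, throw from `check` when the status is `BOGUS` (and, depending on policy, when it is `INSECURE`).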