#dns-records #dns #dnssec #dns-query #dns-server #rfc9102

no-std bin+lib dnssec-prover

A simple crate which allows for the creation and validation of transferable proofs of entries in the DNS

23 releases (5 breaking)

0.6.5 Aug 1, 2024
0.6.3 Jul 10, 2024
0.5.1 Mar 2, 2024

#211 in Cryptography


7,406 downloads per month

MIT/Apache

1MB
5K SLoC

This repo has a handful of APIs to create and verify RFC 9102 proofs.

It has minimal dependencies (bitcoin_hashes for hashing operations, hex_lit for some hex constants, and optionally tokio for networking in some APIs).

There are numerous APIs present:

  • Building the crate as a library provides a handful of DNS types, including (de)serialization for them.
  • Building the crate as a library with the validation feature also enables the validation module, which allows for verification of an RFC 9102 proof.
  • Building the crate as a library with the std feature enables the query module which can build an RFC 9102 proof using repeated queries to any standard DNS server (including over DoH).
  • The wasmpack directory and uniffi directory expose very simplified APIs to build and verify RFC 9102 proofs either in WASM (via wasm-pack; see also the wasmpack/doh_lookup.js file, which can build RFC 9102 proofs using repeated queries to a DoH server directly from JavaScript) or any language supported by uniffi.
  • Building the http_proof_gen binary in the crate builds an HTTP server which responds to requests for RFC 9102 proofs in the form /dnssecproof?d=domain&t=rr_type, returning the binary proof containing and proving the Resource Record of type rr_type at domain.
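
An RFC 9102 proof is a sequence of uncompressed wire-format DNS resource records, so a received proof can be checked for structural sanity before it is handed to a validator. The following is an added example, not code from this crate and not using its API; the names RrHeader, read_name and list_records are hypothetical, the sample bytes are constructed, and it performs no DNSSEC signature validation (that is what the validation feature is for).

```rust
// Added example: structural walk over an RFC 9102 proof. No signature checks.
#[derive(Debug)]
pub struct RrHeader { pub name: String, pub rr_type: u16, pub ttl: u32, pub rdata_len: usize }

/// Reads one uncompressed DNS name at `pos`; returns (name, next offset).
fn read_name(buf: &[u8], mut pos: usize) -> Result<(String, usize), &'static str> {
    let mut name = String::new();
    loop {
        let len = *buf.get(pos).ok_or("truncated name")? as usize;
        pos += 1;
        if len == 0 {
            return Ok((if name.is_empty() { String::from(".") } else { name }, pos));
        }
        // Labels are at most 63 bytes; a larger value is a compression pointer
        // or reserved label type, neither of which belongs in a proof.
        if len > 63 {
            return Err("compressed or invalid label");
        }
        let label = buf.get(pos..pos + len).ok_or("truncated label")?;
        name.push_str(&String::from_utf8_lossy(label));
        name.push('.');
        pos += len;
    }
}

/// Splits a proof into RR headers; any truncation is an error.
pub fn list_records(proof: &[u8]) -> Result<Vec<RrHeader>, &'static str> {
    let (mut out, mut pos) = (Vec::new(), 0usize);
    while pos < proof.len() {
        let (name, p) = read_name(proof, pos)?;
        // Fixed fields after the name: TYPE(2) CLASS(2) TTL(4) RDLENGTH(2).
        let f = proof.get(p..p + 10).ok_or("truncated RR header")?;
        let rdata_len = u16::from_be_bytes([f[8], f[9]]) as usize;
        pos = p + 10 + rdata_len;
        if pos > proof.len() {
            return Err("truncated RDATA");
        }
        let rr_type = u16::from_be_bytes([f[0], f[1]]);
        let ttl = u32::from_be_bytes([f[4], f[5], f[6], f[7]]);
        out.push(RrHeader { name, rr_type, ttl, rdata_len });
    }
    Ok(out)
}

fn main() {
    // Constructed sample: one TXT record for example.com, TTL 300, RDATA "\x02hi".
    let proof = b"\x07example\x03com\x00\x00\x10\x00\x01\x00\x00\x01\x2c\x00\x03\x02hi";
    println!("{:?}", list_records(proof));
}
```

A proof that passes this walk is only well-formed; whether its RRSIG chain actually proves the record is a separate question for a DNSSEC validator.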

The slower_smaller_binary feature slows proof validation down by 50%+ for a very marginal reduction in binary size, but those who are extremely binary size constrained may still find it useful.

See https://docs.rs/dnssec-prover for full details of the Rust API. There's also a website at https://http-dns-prover.as397444.net/ which demonstrates the WASM build of this crate and allows for making validated queries.

Dependencies

~0–8MB
~64K SLoC