Skip to content

DNSSEC

DNSSEC

The DNSSEC module walks and validates the DNS authentication chain itself, anchored on the IANA root trust anchors. It does not trust a resolver's AD bit — it checks every signature. The protocol work is this package's; the signature math is delegated to OpenSSL and libsodium.

  • Validation — the chain walk, validate() vs. validateRecords(), and the three outcomes.
  • Algorithms — the supported signing algorithms and DS digest types, and what is deliberately excluded.
  • Threat model — the deny-by-default matrix and the honest security posture.