Skip to Content.
Sympa Menu

discuss - [opennic-discuss] API to show dnssec public key records

discuss AT lists.opennicproject.org

Subject: Discuss mailing list

List archive

[opennic-discuss] API to show dnssec public key records


Chronological Thread 
  • From: Jeff Taylor <shdwdrgn AT sourpuss.net>
  • To: OpenNIC discussion <discuss AT lists.opennicproject.org>
  • Subject: [opennic-discuss] API to show dnssec public key records
  • Date: Fri, 27 Jan 2017 14:27:46 -0700
  • Authentication-results: mx5.sourpuss.net; dmarc=none header.from=sourpuss.net
  • Dmarc-filter: OpenDMARC Filter v1.3.0 mx5.sourpuss.net E715D2D6CC

Several people have asked where to get the public key for our root zone to properly enable dnssec, so I threw this together...

https://173.160.58.205/keys?<tld>
https://api.opennicproject.org/keys/?<tld>

For the root zone, use a single period (.) or leave the tld blank. Note if you use the IP address, the SSL cert won't be valid, but that method should prevent any problems from dns hijacking.

This will show the public keys for any opennic TLD that has a dnssec record in our root zone, including the root itself. Due to overlap between old keys expiring and new ones being generate, some TLDs may show multiple records of each type... This is normal and all of the keys shown are valid at the time the query was made.

The TLDs which currently have dnssec records are:
root (.), chan, dyn, free, geek, gopher, indy, libre, o, opennic.glue, oss, parody, pirate

The information here can be verified against a simple dig command, and the records should match what you see on the API page.
# dig DNSKEY <tld>


  • [opennic-discuss] API to show dnssec public key records, Jeff Taylor, 01/27/2017

Archive powered by MHonArc 2.6.19.

Top of Page