15 releases (4 breaking)

| Version | Date |
|---|---|
| 0.5.3 | Apr 14, 2024 |
| 0.5.2 | Apr 3, 2024 |
| 0.5.1 | Mar 2, 2024 |
| 0.5.0 | Feb 26, 2024 |
| 0.1.0 | Feb 5, 2024 |
The DNS provides a single, global, hierarchical namespace with (when DNSSEC is used) cryptographic guarantees on all of its data. This makes it incredibly powerful for resolving human-readable names into arbitrary, secured data. Unlike TLS, this cryptographic security provides transferable proofs which can convince an offline device, using simple cryptographic primitives and a single root trusted key, of the validity of DNS data.

This crate implements the creation and validation of such proofs, using the format from RFC 9102 to create transferable proofs of DNS entries.

It is no-std (but requires `alloc`) and seeks to have minimal dependencies and a reasonably conservative MSRV policy, allowing it to be used in as many places as possible.
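As an added example (not code from the dnssec-prover crate), the following Rust parser decodes the RFC 9102 authentication-chain encoding that such proofs use: a sequence of uncompressed wire-format DNS resource records. The sample bytes are constructed here and are not a real proof; the `Rr`, `ParseError`, `parse_chain` and `sample_chain` names are this example's own. It shows the two checks a consumer of an untrusted proof wants before doing any signature work: rejecting compression pointers, which RFC 9102 forbids inside a chain, and rejecting truncated records rather than accepting a partial chain.

```rust
// Added example, not part of the dnssec-prover crate: a minimal parser for the
// RFC 9102 AuthenticationChain encoding, i.e. a sequence of uncompressed
// wire-format DNS resource records (RFC 1035, Section 3.2.1). It decodes the
// records and enforces the "no name compression" rule so a verifier never
// follows a pointer inside a proof it has not yet validated.

#[derive(Debug, PartialEq)]
pub struct Rr {
    pub name: String, // presentation form, e.g. "example.com."
    pub rtype: u16,
    pub class: u16,
    pub ttl: u32,
    pub rdata: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,
    CompressedName,
    LabelTooLong,
}

/// Read an uncompressed domain name starting at `*pos`, advancing `pos`.
fn read_name(buf: &[u8], pos: &mut usize) -> Result<String, ParseError> {
    let mut name = String::new();
    loop {
        let len = *buf.get(*pos).ok_or(ParseError::Truncated)? as usize;
        *pos += 1;
        if len == 0 {
            break;
        }
        // 0xC0 and above is a compression pointer (or a reserved label type);
        // a chain must not contain those, so reject instead of following it.
        if len >= 0xC0 {
            return Err(ParseError::CompressedName);
        }
        if len > 63 {
            return Err(ParseError::LabelTooLong);
        }
        let label = buf.get(*pos..*pos + len).ok_or(ParseError::Truncated)?;
        *pos += len;
        name.push_str(&String::from_utf8_lossy(label));
        name.push('.');
    }
    if name.is_empty() {
        name.push('.'); // the root name
    }
    Ok(name)
}

fn read_u16(buf: &[u8], pos: &mut usize) -> Result<u16, ParseError> {
    let b = buf.get(*pos..*pos + 2).ok_or(ParseError::Truncated)?;
    *pos += 2;
    Ok(u16::from_be_bytes([b[0], b[1]]))
}

fn read_u32(buf: &[u8], pos: &mut usize) -> Result<u32, ParseError> {
    let b = buf.get(*pos..*pos + 4).ok_or(ParseError::Truncated)?;
    *pos += 4;
    Ok(u32::from_be_bytes([b[0], b[1], b[2], b[3]]))
}

/// Parse a whole chain. A truncated record is an error: a proof with a
/// partial record at the end is rejected, not silently accepted.
pub fn parse_chain(buf: &[u8]) -> Result<Vec<Rr>, ParseError> {
    let mut pos = 0;
    let mut rrs = Vec::new();
    while pos < buf.len() {
        let name = read_name(buf, &mut pos)?;
        let rtype = read_u16(buf, &mut pos)?;
        let class = read_u16(buf, &mut pos)?;
        let ttl = read_u32(buf, &mut pos)?;
        let rdlength = read_u16(buf, &mut pos)? as usize;
        let rdata = buf.get(pos..pos + rdlength).ok_or(ParseError::Truncated)?.to_vec();
        pos += rdlength;
        rrs.push(Rr { name, rtype, class, ttl, rdata });
    }
    Ok(rrs)
}

/// Constructed sample (not a real proof): an A record and a TXT record for
/// example.com, both with uncompressed names. A real chain would also carry
/// the RRSIG, DNSKEY and DS records needed to walk back to the root key.
pub fn sample_chain() -> Vec<u8> {
    let mut v = Vec::new();
    let name = b"\x07example\x03com\x00";
    // A record: type 1, class IN, TTL 300, rdata 192.0.2.1 (RFC 5737 range)
    v.extend_from_slice(name);
    v.extend_from_slice(&[0, 1, 0, 1, 0, 0, 1, 44, 0, 4, 192, 0, 2, 1]);
    // TXT record: type 16, class IN, TTL 300, rdata is one character-string
    v.extend_from_slice(name);
    v.extend_from_slice(&[0, 16, 0, 1, 0, 0, 1, 44, 0, 6, 5, b'h', b'e', b'l', b'l', b'o']);
    v
}

fn main() {
    match parse_chain(&sample_chain()) {
        Ok(rrs) => {
            for rr in rrs {
                println!("{} type={} ttl={} rdata={:?}", rr.name, rr.rtype, rr.ttl, rr.rdata);
            }
        }
        Err(e) => eprintln!("rejected: {:?}", e),
    }
}
```

Parsing is deliberately separate from validation: the records this returns are still untrusted until the RRSIGs in the chain have been verified against DNSKEY and DS records up to the root trust anchor, which is the job of the crate's `validation` module.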
Most of the crate's logic is feature-gated, and all dependencies are optional:

- By default, the `validate` feature is set, using `ring` to validate DNSSEC signatures and proofs in the `validation` module.
- The `std` feature enables the `query` module, allowing proofs to be built by querying a recursive resolver over TCP.
- The `tokio` feature further enables async versions of the `query` methods, doing the same querying asynchronously over `tokio`'s TCP streams.
- Finally, the crate can be built as a binary using the `build_server` feature, responding to HTTP GET requests to `/dnssecproof?d=domain.name.&t=RecordType` with DNSSEC proofs.
Note that this library's MSRV is 1.64 for normal builds; however, it builds fine on 1.63 (and possibly earlier) when `RUSTC_BOOTSTRAP=1` is set, as it relies on the `const_slice_from_raw_parts` feature.