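def get_records(host, port, proto='tcp'):
    """Fetch the TLSA records for ``_<port>._<proto>.<host>``.

    The first query asks the resolver for a DNSSEC-validated answer (the AD
    flag is requested).  If no server returns a usable answer
    (``NoNameservers``), the lookup is retried with checking disabled (CD)
    so that a broken DNSSEC chain still yields the records -- but such an
    answer is reported as insecure via the returned flag.

    Args:
        host: host name whose TLSA records are wanted.
        port: service port; becomes the ``_<port>`` label.
        proto: transport label, ``'tcp'`` by default.

    Returns:
        ``TLSAValidator(records, secure)`` where ``records`` is the list of
        TLSA rdata from the answer and ``secure`` is True only when the
        response carried the AD flag.  When ``secure`` is False the records
        were not validated and must not be relied on for authentication.

    Raises:
        NXDOMAIN: the name does not exist (logged, then re-raised).
        Whatever the checking-disabled retry raises propagates unchanged.
    """
    resolver = Resolver()
    # AD and RD are distinct header bits, so OR-ing them is the clear form.
    resolver.set_flags(flags.AD | flags.RD)
    name = '_{}._{}.{}'.format(port, proto, host)
    try:
        rrset = resolver.query(name, rdtype=rdatatype.TLSA)
    except NXDOMAIN:
        log.debug('No record found for %s', name)
        raise
    except NoNameservers:
        log.debug('No unbroken server for resolving %s', name)
        # It may be because there is a bad dnssec key: retry with checking
        # disabled.  A CD answer does not carry AD, so ``secure`` below is
        # False for it and the caller is told the data is unvalidated.
        resolver.set_flags(flags.CD | flags.RD)
        rrset = resolver.query(name, rdtype=rdatatype.TLSA)
        log.debug('Without validation we have an answer: %s', rrset)
    for record in rrset:
        log.debug(record)
    # Parenthesised for readability only: in Python ``&`` already binds
    # tighter than ``==`` (unlike C), so this is the AD-bit test either way.
    secure = (rrset.response.flags & flags.AD) == flags.AD
    if not secure:
        # ``Logger.warn`` is a deprecated alias (removed in Python 3.13).
        log.warning('Not DNSSEC signed!')
    return TLSAValidator(list(rrset), secure)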
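class CustomResolver(object):
    """Pair of dnspython resolvers: a validating one and a checking-disabled one.

    ``resolver`` requests DNSSEC-validated answers (AD + RD); ``degraded``
    sets CD + RD so the upstream answers even when validation fails.  Both
    advertise a 4096-byte EDNS0 buffer.

    Answers obtained through ``degraded`` are *unvalidated* and are returned
    by :meth:`query` in the same shape as validated ones.  Callers that need
    DNSSEC assurance must check ``answer.response.flags & flags.AD`` on the
    result themselves.
    """

    def __init__(self):
        self.resolver = self._make_resolver(flags.AD | flags.RD)
        self.degraded = self._make_resolver(flags.CD | flags.RD)

    @staticmethod
    def _make_resolver(query_flags):
        """Return a Resolver with a 4096-byte EDNS0 buffer and ``query_flags`` set."""
        resolver = Resolver()
        resolver.use_edns(0, 0, 4096)
        resolver.set_flags(query_flags)
        return resolver

    def query(self, fqdn, rdatatype=rdt.A, degraded=False):
        """Resolve ``fqdn`` for record type ``rdatatype``.

        Args:
            fqdn: fully qualified name to look up.
            rdatatype: dnspython rdata type, ``A`` by default.
            degraded: when True, fall back to the checking-disabled
                resolver if the validating one fails; the fallback answer
                is unvalidated.

        Returns:
            The dnspython answer, or None when the name does not exist
            (NXDOMAIN) -- also None when the degraded fallback itself
            reports NXDOMAIN, so the contract is the same in both modes.

        Raises:
            NoNameservers: no server gave a usable answer and ``degraded``
                is False.  Anything raised by the degraded fallback other
                than NXDOMAIN propagates unchanged.
        """
        log.debug('Query %s %s', fqdn, rdatatype)
        try:
            return self.resolver.query(fqdn, rdatatype)
        except NoNameservers:
            # Typically what a validating upstream produces for bogus data;
            # only bypass validation when the caller explicitly asked for it.
            if degraded:
                return self.degraded.query(fqdn, rdatatype)
            raise
        except NXDOMAIN:
            if not degraded:
                return None
            try:
                return self.degraded.query(fqdn, rdatatype)
            except NXDOMAIN:
                # Previously this NXDOMAIN escaped while the non-degraded
                # path returned None; keep the return contract uniform.
                return None

    def srv(self, name, domainname, proto='tcp'):
        """Look up SRV records for ``_<name>._<proto>.<domainname>``."""
        fqdn = '_{}._{}.{}'.format(name, proto, domainname)
        return self.query(fqdn, rdt.SRV)

    def tlsa(self, hostname, port, proto='tcp'):
        """Look up TLSA records for ``_<port>._<proto>.<hostname>``."""
        fqdn = '_{}._{}.{}'.format(port, proto, hostname)
        return self.query(fqdn, rdt.TLSA)

    def mx(self, domainname):
        """Look up MX records for ``domainname``."""
        return self.query(domainname, rdt.MX)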