dns.dnssec — Lilush API

Overview

DNSSEC validation primitives: key tag computation, DS digest verification, RRSIG signature verification, and chain-of-trust validation helpers. Supports algorithms 8 (RSA/SHA-256), 10 (RSA/SHA-512), 13 (ECDSA P-256), 14 (ECDSA P-384), and 15 (ED25519).

Functions

Name                     Signature
compute_key_tag          compute_key_tag(rdata_wire) -> tag
encode_dnskey_rdata      encode_dnskey_rdata(dnskey) -> wire_bytes
encode_name_canonical    encode_name_canonical(name) -> wire_bytes
encode_rdata_canonical   encode_rdata_canonical(rr) -> wire_bytes
build_canonical_rrset    build_canonical_rrset(owner, rrtype, rrclass, original_ttl, rr_list) -> wire_bytes
build_sig_data           build_sig_data(rrsig_rdata, canonical_rrset_wire) -> sig_data
parse_rsa_public_key     parse_rsa_public_key(pubkey_bytes) -> n, e, err
verify_signature         verify_signature(algorithm, sig_data, signature, dnskey_rdata) -> ok, err
verify_rrsig             verify_rrsig(rrsig_rr, rrset, dnskey_rr, precomputed_tag) -> ok, err
verify_ds                verify_ds(ds_rr, dnskey_rr) -> ok, err
validate_rrset           validate_rrset(rrset, rrsig_list, dnskey_list) -> ok, err
validate_dnskey_rrset    validate_dnskey_rrset(dnskey_records, dnskey_rrsigs, ds_records) -> ok, err
validate_nsec_nodata     validate_nsec_nodata(nsec_records, qname, qtype) -> ok, err
validate_nsec_nxdomain   validate_nsec_nxdomain(nsec_records, qname) -> ok, err

compute_key_tag(rdata_wire) -> tag

Compute DNSKEY key tag from wire-format RDATA

encode_dnskey_rdata(dnskey) -> wire_bytes

Encode DNSKEY rdata fields to wire-format bytes

encode_name_canonical(name) -> wire_bytes

Encode a domain name in lowercase uncompressed wire form

encode_rdata_canonical(rr) -> wire_bytes

Re-encode RDATA in canonical form (lowercased names, no compression)

build_canonical_rrset(owner, rrtype, rrclass, original_ttl, rr_list) -> wire_bytes

Build canonical wire form of an RRset for signature verification

build_sig_data(rrsig_rdata, canonical_rrset_wire) -> sig_data

Build the data that is signed by an RRSIG (RRSIG fields + canonical RRset)

parse_rsa_public_key(pubkey_bytes) -> n, e, err

Parse RSA public key from DNSKEY public_key field

verify_signature(algorithm, sig_data, signature, dnskey_rdata) -> ok, err

Verify a cryptographic signature using the appropriate algorithm

verify_rrsig(rrsig_rr, rrset, dnskey_rr, precomputed_tag) -> ok, err

Verify an RRSIG against an RRset using a DNSKEY

verify_ds(ds_rr, dnskey_rr) -> ok, err

Verify a DS record against a DNSKEY record

validate_rrset(rrset, rrsig_list, dnskey_list) -> ok, err

Validate an RRset using available RRSIGs and DNSKEYs

validate_dnskey_rrset(dnskey_records, dnskey_rrsigs, ds_records) -> ok, err

Validate a DNSKEY RRset using DS records (DS → KSK → RRSIG chain)

validate_nsec_nodata(nsec_records, qname, qtype) -> ok, err

Validate that NSEC records prove NODATA for qname/qtype

validate_nsec_nxdomain(nsec_records, qname) -> ok, err

Validate that NSEC records prove NXDOMAIN for qname
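
Added example (Python, not Lilush code and not its implementation): the standard RFC 4034 computations that functions named compute_key_tag, encode_name_canonical and verify_ds correspond to, namely the Appendix B key tag, the section 6.2 canonical owner name, and the DS digest over owner name plus DNSKEY RDATA. The DS dict shape, the choice to accept only digest types 2 and 4, and the sample key are assumptions of this example.

```python
import hashlib
import hmac
import struct

DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types accepted here (example's choice)

def encode_name_canonical(name):
    """Lowercase, uncompressed wire form of a domain name (RFC 4034, section 6.2)."""
    stripped = name[:-1] if name.endswith(".") else name
    wire = b""
    for label in (stripped.split(".") if stripped else []):  # root name has no labels
        raw = label.lower().encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label must be 1..63 octets")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def compute_key_tag(rdata_wire):
    """Key tag over DNSKEY RDATA (RFC 4034, Appendix B): 16-bit sum with the carry folded in."""
    acc = 0
    for i, octet in enumerate(rdata_wire):
        acc += octet << 8 if i % 2 == 0 else octet
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def verify_ds(ds, owner, rdata_wire):
    """Check a DS record (dict, hypothetical shape) against DNSKEY RDATA; returns (ok, err)."""
    if len(rdata_wire) < 4:
        return False, "DNSKEY RDATA too short"
    flags, protocol, algorithm = struct.unpack("!HBB", rdata_wire[:4])
    if not flags & 0x0100 or protocol != 3:  # Zone Key bit must be set, protocol must be 3
        return False, "not a zone key"
    if ds["algorithm"] != algorithm or ds["key_tag"] != compute_key_tag(rdata_wire):
        return False, "key tag or algorithm mismatch"
    hash_fn = DIGESTS.get(ds["digest_type"])
    if hash_fn is None:
        return False, "unsupported digest type"
    expected = hash_fn(encode_name_canonical(owner) + rdata_wire).digest()
    if not hmac.compare_digest(expected, ds["digest"]):  # constant-time comparison
        return False, "digest mismatch"
    return True, None

# Constructed sample: flags 257 (zone key + SEP), protocol 3, algorithm 13, dummy 64-byte key.
SAMPLE_RDATA = struct.pack("!HBB", 257, 3, 13) + bytes(range(64))
SAMPLE_DS = {"key_tag": compute_key_tag(SAMPLE_RDATA), "algorithm": 13, "digest_type": 2,
             "digest": hashlib.sha256(b"\x07example\x03com\x00" + SAMPLE_RDATA).digest()}

if __name__ == "__main__":
    print(verify_ds(SAMPLE_DS, "Example.COM.", SAMPLE_RDATA))
```

The mixed-case owner name still verifies because the digest is computed over the canonical (lowercased) name, which is why canonical encoding has to happen before hashing.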