Signing of a zone fileΒΆ

This example shows how to sign the content of the given zone file

# This example shows how to sign a given zone file with private key

import ldns
import sys, os, time

#private key TAG which identifies the private key 
#use in order to obtain private key
keytag = 30761

# Read zone file

zone = ldns.ldns_zone.new_frm_fp(open("zone.txt","r"), None, 0, ldns.LDNS_RR_CLASS_IN)
soa = zone.soa()
origin = soa.owner()

# Prepare keys

#Read private key from file
keyfile = open("key-%s-%d.private" % (origin, keytag), "r");
key = ldns.ldns_key.new_frm_fp(keyfile)

#Read public key from file
pubfname = "key-%s-%d.key" % (origin, keytag)
pubkey = None
if os.path.isfile(pubfname):
   pubkeyfile = open(pubfname, "r");
   pubkey,_,_,_ = ldns.ldns_rr.new_frm_fp(pubkeyfile)

if not pubkey:
   #Create new public key
   pubkey = key.key_to_rr()

#Set key expiration
key.set_expiration(int(time.time()) + 365*60*60*24) #365 days

#Set key owner (important step)


# Sign zone

#Create keylist and push private key
keys = ldns.ldns_key_list()

#Add SOA
signed_zone = ldns.ldns_dnssec_zone()

#Add RRs
for rr in zone.rrs().rrs():
   print "RR:",str(rr),

added_rrs = ldns.ldns_rr_list()
status = signed_zone.sign(added_rrs, keys)
if (status == ldns.LDNS_STATUS_OK):

In order to be able sign a zone file, you have to generate a key-pair using Don’t forget to modify tag number.

Signing consists of three steps

  1. In the first step, the content of a zone file is readed and parsed. This can be done using ldns.ldns_zone class.
  2. In the second step, the private and public key is readed and public key is inserted into zone (as DNSKEY).
  3. In the last step, the DNSSEC zone instace is created and all the RRs from zone file are copied here. Then, all the records are signed using ldns.ldns_zone.sign() method. If the signing was successfull, the content of DNSSEC zone is written to a file.

Previous topic

Generate public/private key pair

Next topic

LDNS module documentation