Chain of Trust - but verify... by andrewxhill

Provide a domain and a TXT content flag you want to discover and then verify all the way to ICANN.

On boom.fyi, we have a TXT record with data-cert=hello_world

domain = "boom.fyi"

Collect data for our target TXT record flag (including all sigs etc). Then collect data for the entire chain back to root.

chain_data = collect_record(domain, 'data-cert=')
chain_data = collect_chain_data(domain, chain_data)

This all is stored off in chain_data.json

Now, verify.

Check that the TXT record was signed correct
Check that the key that signed it came from the parent zoon
Check that that signature was correct
And check that it’s key came from the parent zoon
Uncover the turtles
All the way down to the root

verify_chain(domain, data)

Finally, it makes sure the last step was signed by keys that came from the root we already know. Stored in root_rrset.json Since no exceptions were thrown, we’ll finally show what the value of our flag was set to:

show_verified_message(domain, data)

Chain of Trust - but verify...

Chain Of Trust (but verify).ipynb

chain_data.json

root_anchors.json

root_rrset.json