1 //! The DNS provides a single, global, hierarchical namespace with (when DNSSEC is used)
2 //! cryptographic guarantees on all of its data.
4 //! This makes it incredibly powerful for resolving human-readable names into arbitrary, secured
7 //! Unlike TLS, this cryptographic security provides transferable proofs which can convince an
8 //! offline device, using simple cryptographic primitives and a single root trusted key, of the
9 //! validity of DNS data.
11 //! This crate implements the creation and validation of such proofs, using the format from RFC
12 //! 9102 to create transferable proofs of DNS entries.
14 //! It is no-std (but requires `alloc`) and seeks to have minimal dependencies and a reasonably
15 //! conservative MSRV policy, allowing it to be used in as many places as possible.
17 //! Most of the crate's logic is feature-gated, and *all dependencies are optional*:
18 //! * By default, the `validate` feature is set, using `ring` to validate DNSSEC signatures and
19 //! proofs using the [`validation`] module.
20 //! * The `std` feature enables the [`query`] module, allowing for the building of proofs by
21 //! querying a recursive resolver over TCP.
22 //! * The `tokio` feature further enables async versions of the [`query`] methods, doing the same
23 //! querying async using `tokio`'s TCP streams.
24 //! * Finally, the crate can be built as a binary using the `build_server` feature, responding to
25 //! queries over HTTP GET calls to `/dnssecproof?d=domain.name.&t=RecordType` with DNSSEC
28 #![deny(missing_docs)]
29 #![deny(rustdoc::broken_intra_doc_links)]
30 #![deny(rustdoc::private_intra_doc_links)]
32 #![cfg_attr(not(feature = "std"), no_std)]
38 #[cfg(feature = "validation")]
41 #[cfg(feature = "std")]