This repository contains source code for the software used by PTI to manage the DNSSEC Key Signing Key (KSK) for the Root Zone.

More information about Root Zone Management is available at https://www.iana.org/domains/root.

This tool depends on the following software:

• Python 3.7 with mypy
• pykcs11
• cryptography (for DNSSEC validation of KSRs)
• PyYAML (to load configuration files)
• SWIG (for pykcs11)
• Voluptuous

For the KSR submission webserver (wksr), the following extras are required:

• Flask
• pyOpenSSL

For testing and independent DNSSEC validation of KSRs, the following modules are used:

• dnspython
• pycryptodome

apt-get install python3 python3-dev python3-venv swig

To create a virtual environment for testing, use make venv.

N.B. You will need to ensure that SWIG is installed, as pykcs11 depends on it.

• Code formatted using Black and isort. Use make reformat to tidy up source code before committing changes.
• Code documentation through the use of Doxygen.
• Documentation include core method's description, arguments and return values in line with the code.
• The code shall be a PEP 8 compliant and docstring conventions PEP 257.

• The Python XML library (Expat) is not used for reading/writing XML data in order to limit the amount of code.
• DNS Python is only used for testing as we do not need to parse or output DNS data. The required functions for signing are provided by PKCS#11 and the few functions needed for DNSSEC processing are reimplemented.
• Flask is used as a webserver in wksr. ICANN uses Django for several projects, but since this project only requires a very small subset of Django functionality Flask has been considered a better fit. From an auditing perspective, Flask consists of ca 10k source code lines whereas Django consist of ca 240k source code lines.
• YAML was chosen as the configuration file format for increased readability compared to JSON.