OpenDIVE is a Python client library for the DIVE protocol (Domain-based Integrity Verification Enforcement), a cryptographic protocol that leverages DNSSEC to verify the integrity and authenticity of web resources. DIVE operates as an additional security layer above HTTP/HTTPS, ensuring that resources are signed and validated against DNS-published keys.
- DNSSEC-backed verification: Uses DNS TXT records (`_dive`, `_divekey`) to publish policies and public keys.
- Cryptographic signatures: Supports Ed25519 and Ed448 for signing, and SHA-256/384/512 for hashing.
- CLI tool: Includes commands for verification, key generation, signing, and DNS inspection.
- Incremental deployment: Works alongside existing infrastructure without breaking non-DIVE clients.
- Reporting: Sends verification failure reports to a configurable endpoint.
Install with pip:

```bash
pip install opendive-client
```

Or install from source:

```bash
git clone https://github.com/diveprotocol/opendive-client.git
cd opendive-client
pip install -e .
```

Requirements:

- Python 3.8+
- `dnspython` (DNSSEC resolution)
- `cryptography` (Ed25519/Ed448 support)
- `httpx` (HTTP client)
- `click` (CLI)

OpenDIVE provides a CLI for common operations:

```bash
# Verify a resource
opendive verify https://example.com/file.tar.gz

# Download a resource (only if DIVE verification passes)
opendive download https://example.com/file.tar.gz

# Generate a key pair
opendive keygen --alg ed25519 --key-id mykey --domain example.com

# Sign a file
opendive sign myfile.tar.gz --private-key <base64_private_key> --key-id mykey

# Inspect DNS records
opendive dns example.com --key-id mykey
```

Python API usage:

```python
from dive.client import DiveClient

client = DiveClient(require_dnssec=True)
result = client.verify("https://example.com/file.tar.gz")

if result.accepted:
    print("Resource is authentic!")
else:
    print(f"DIVE rejected resource: {result.failure_reason}")
```

- Draft RFC (Work in Progress)
- DIVE Website
- CLI Reference (TODO)
- Python API (TODO)
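
An added example (not part of the OpenDIVE project's code): a fail-closed gate for a build or deployment script, built on the `verify` call and the `accepted` / `failure_reason` fields shown in the Python usage above. `GateEntry`, `verify_all` and `gate` are hypothetical names, and treating exceptions and an empty URL list as failures is an assumption of this example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass
class GateEntry:
    url: str
    accepted: bool
    reason: Optional[str]


def verify_all(client, urls: Iterable[str]) -> List[GateEntry]:
    """Verify every URL; anything other than an explicit accept is a reject."""
    entries = []
    for url in urls:
        try:
            result = client.verify(url)
            # Compare against True so a missing or non-boolean field
            # can never be mistaken for acceptance.
            accepted = getattr(result, "accepted", False) is True
            reason = None if accepted else str(
                getattr(result, "failure_reason", "no reason given"))
        except Exception as exc:  # resolver, network or library error
            # Assumption of this example: an error is a rejection, not a skip.
            accepted, reason = False, f"verification error: {exc}"
        entries.append(GateEntry(url, accepted, reason))
    return entries


def gate(client, urls: Iterable[str]) -> int:
    """Return a process exit code: 0 only if every resource was accepted."""
    entries = verify_all(client, urls)
    for e in entries:
        status = "OK  " if e.accepted else "FAIL"
        print(f"{status} {e.url}" + ("" if e.accepted else f" ({e.reason})"))
    # An empty list also fails, so a broken manifest cannot pass silently.
    return 0 if entries and all(e.accepted for e in entries) else 1


if __name__ == "__main__":
    import sys
    from dive.client import DiveClient  # import path as shown in this README

    sys.exit(gate(DiveClient(require_dnssec=True), sys.argv[1:]))
```
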

Run the tests with:

```bash
pytest tests/
```

Pull requests are welcome! For major changes, please open an issue first.
MIT License. See LICENSE for details.
For security issues, see SECURITY.md.
- Author: Matéo Florian CALLEC
- Email: mateo@callec.net
- GitHub: @diveprotocol