<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif;">
<div><br>
</div>
<div><br>
</div>
<span id="OLK_SRC_BODY_SECTION">
<div style="font-family:Calibri; font-size:11pt; text-align:left; color:black; BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT: 0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<span style="font-weight:bold">From: </span>Gowri V <<a href="mailto:gmadkat1@gmail.com">gmadkat1@gmail.com</a>><br>
<span style="font-weight:bold">Date: </span>Wednesday, April 1, 2015 at 10:09 AM<br>
<span style="font-weight:bold">To: </span>Visweswaran Gowri <<a href="mailto:gvisweswaran@verisign.com">gvisweswaran@verisign.com</a>><br>
<span style="font-weight:bold">Subject: </span>Fwd: [getdns-api] How do the DNSSEC extensions affect the response dict<br>
</div>
<div><br>
</div>
<div>
<div>
<div dir="ltr"><br>
<div class="gmail_quote">---------- Forwarded message ----------<br>
From: <b class="gmail_sendername">Willem Toorop</b> <span dir="ltr"><<a href="mailto:willem@nlnetlabs.nl">willem@nlnetlabs.nl</a>></span><br>
Date: Tue, Feb 18, 2014 at 4:09 AM<br>
Subject: [getdns-api] How do the DNSSEC extensions affect the response dict<br>
To: "<a href="mailto:getdns-api@vpnc.org">getdns-api@vpnc.org</a>" <<a href="mailto:getdns-api@vpnc.org">getdns-api@vpnc.org</a>><br>
<br>
<br>
Dear list,<br>
<br>
Paul suggested to post our DNSSEC implementation choices on the list for<br>
discussion, so here it is.<br>
<br>
>From the specification it was not completely clear how DNSSEC affects<br>
the response dict. Should individual resource records be stripped from<br>
the packets/replies or should whole replies be included or excluded from<br>
the response dict based on the DNSSEC status of the "answer" within?<br>
<br>
Currently we've chosen to implement the latter, inclusion of *replies*<br>
based on their DNSSEC status, so that:<br>
<br>
- All DNSSEC extension add the "dnssec_status" to the reply dicts.<br>
(this point is already mentioned in the spec)<br>
<br>
- With "dnssec_return_status" and "dnssec_return_only_secure", the<br>
"status" in the response dict is GETDNS_RESPSTATUS_NO_NAME when all<br>
replies are NXDOMAIN and/or BOGUS.<br>
<br>
- With "dnssec_return_only_secure", the "status" in the response dict<br>
is GETDNS_RESPSTATUS_NO_SECURE_ANSWERS when non of the replies are<br>
SECURE, even when all were NXDOMAIN.<br>
<br>
- When "dnssec_return_validation_chain" is set, besides the validation<br>
chain, all replies are returned, even when other DNSSEC extensions<br>
are set that would otherwise exclude these replies. This is the only<br>
modus were the "dnssec_status" can contain GETDNS_DNSSEC_BOGUS.<br>
<br>
- When the "dnssec_return_status" extension is set (and<br>
"dnssec_return_validation_chain" is not), only non-bogus replies<br>
are returned.<br>
<br>
- When the "dnssec_return_only_secure" extension is set (and<br>
"dnssec_return_validation_chain" is not), only secure<br>
replies are returned.<br>
<br>
_______________________________________________<br>
getdns-api mailing list<br>
<a href="mailto:getdns-api@vpnc.org">getdns-api@vpnc.org</a><br>
</div>
<br>
</div>
</div>
</div>
</span>
</body>
</html>