[getdns-api] some early API comments
Evan Hunt
each
Mon Jan 21 22:53:50 CET 2013
Nice work on the API so far, Paul. I may have more as I reread more
carefully, but a couple of early thoughts:
While one rarely needs to specify the class of a query, it is sometimes
useful (e.g., for version.bind/CHAOS/TXT), so there ought to be a
request_class parameter for getdns().
I see that others have already pointed out out the potential problems
in passing QNAME as a C-style string. You might consider a a canonicalized
getdns_qname type and a simple function for normalizing strings into that
format; similar functions could convert in_addr and in6_addr to
"in-addr.arpa" and "ip6.arpa" qnames.
It would be nifty to be able to secure queries with TSIG or SIG(0),
especially if there were any chance of this API being extended in the
future to support DNS update, but useful even with just queries, especially
if (as section 7.4 implies) the API will support AXFR/IXFR queries.
The design of the DNSSEC extensions appears to assume we'll be doing our
own validation from the root (or from a designated trust anchor), which is
useful and necessary, but people with a trustworthy connection to a
validating name server ("trustworthy" here meaning running on localhost, or
with a first-hop connection secured by TSIG/SIG(0)) might want to rely
instead on their resolver to do the validation, but be interested in the
value of the AD bit set in the response. Or, they might want to set the
CD bit on queries to bypass validation. Are there mechanisms for this?
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the spec
mailing list