[getdns-api] How do the DNSSEC extensions affect the response dict
Willem Toorop
willem at nlnetlabs.nl
Tue Feb 18 10:09:58 CET 2014
Dear list,
Paul suggested to post our DNSSEC implementation choices on the list for
discussion, so here it is.
>From the specification it was not completely clear how DNSSEC affects
the response dict. Should individual resource records be stripped from
the packets/replies or should whole replies be included or excluded from
the response dict based on the DNSSEC status of the "answer" within?
Currently we've chosen to implement the latter, inclusion of *replies*
based on their DNSSEC status, so that:
- All DNSSEC extension add the "dnssec_status" to the reply dicts.
(this point is already mentioned in the spec)
- With "dnssec_return_status" and "dnssec_return_only_secure", the
"status" in the response dict is GETDNS_RESPSTATUS_NO_NAME when all
replies are NXDOMAIN and/or BOGUS.
- With "dnssec_return_only_secure", the "status" in the response dict
is GETDNS_RESPSTATUS_NO_SECURE_ANSWERS when non of the replies are
SECURE, even when all were NXDOMAIN.
- When "dnssec_return_validation_chain" is set, besides the validation
chain, all replies are returned, even when other DNSSEC extensions
are set that would otherwise exclude these replies. This is the only
modus were the "dnssec_status" can contain GETDNS_DNSSEC_BOGUS.
- When the "dnssec_return_status" extension is set (and
"dnssec_return_validation_chain" is not), only non-bogus replies
are returned.
- When the "dnssec_return_only_secure" extension is set (and
"dnssec_return_validation_chain" is not), only secure
replies are returned.
_______________________________________________
getdns-api mailing list
getdns-api at vpnc.org
More information about the spec
mailing list