[Stub-resolver] FW: [getdns-api] How do the DNSSEC extensions affect the response dict

Visweswaran, Gowri gvisweswaran at verisign.com
Wed Apr 1 16:19:04 CEST 2015



From: Gowri V <gmadkat1 at gmail.com>
Date: Wednesday, April 1, 2015 at 10:09 AM
To: Visweswaran Gowri <gvisweswaran at verisign.com>
Subject: Fwd: [getdns-api] How do the DNSSEC extensions affect the response dict


---------- Forwarded message ----------
From: Willem Toorop <willem at nlnetlabs.nl>
Date: Tue, Feb 18, 2014 at 4:09 AM
Subject: [getdns-api] How do the DNSSEC extensions affect the response dict
To: "getdns-api at vpnc.org" <getdns-api at vpnc.org>


Dear list,

Paul suggested posting our DNSSEC implementation choices on the list for
discussion, so here it is.

From the specification it was not completely clear how DNSSEC affects
the response dict.  Should individual resource records be stripped from
the packets/replies or should whole replies be included or excluded from
the response dict based on the DNSSEC status of the "answer" within?

Currently we've chosen to implement the latter, inclusion of *replies*
based on their DNSSEC status, so that:

- All DNSSEC extensions add the "dnssec_status" to the reply dicts.
  (this point is already mentioned in the spec)

- With "dnssec_return_status" and "dnssec_return_only_secure", the
  "status" in the response dict is GETDNS_RESPSTATUS_NO_NAME when all
  replies are NXDOMAIN and/or BOGUS.

- With "dnssec_return_only_secure", the "status" in the response dict
  is GETDNS_RESPSTATUS_NO_SECURE_ANSWERS when none of the replies are
  SECURE, even when all were NXDOMAIN.

- When "dnssec_return_validation_chain" is set, besides the validation
  chain, all replies are returned, even when other DNSSEC extensions
  are set that would otherwise exclude these replies.  This is the only
  modus where the "dnssec_status" can contain GETDNS_DNSSEC_BOGUS.

- When the "dnssec_return_status" extension is set (and
  "dnssec_return_validation_chain" is not), only non-bogus replies
  are returned.

- When the "dnssec_return_only_secure" extension is set (and
  "dnssec_return_validation_chain" is not), only secure
  replies are returned.

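The rules listed in the message above, written out as a small Python model (an added example, not part of the original message and not getdns source code). Replies are simplified to constructed dicts with a hypothetical `nxdomain` flag; `GETDNS_RESPSTATUS_GOOD` and `replies_tree` come from the getdns specification rather than this message, and the behaviour when no DNSSEC extension is set is an assumption.

```python
# Added example: models the reply-inclusion rules from the message, not getdns itself.
SECURE, INSECURE, BOGUS = ("GETDNS_DNSSEC_SECURE", "GETDNS_DNSSEC_INSECURE",
                           "GETDNS_DNSSEC_BOGUS")
GOOD = "GETDNS_RESPSTATUS_GOOD"   # from the getdns spec, not named in the message
NO_NAME = "GETDNS_RESPSTATUS_NO_NAME"
NO_SECURE = "GETDNS_RESPSTATUS_NO_SECURE_ANSWERS"
DNSSEC_EXTS = {"dnssec_return_status", "dnssec_return_only_secure",
               "dnssec_return_validation_chain"}

def build_response(replies, extensions):
    """replies: list of {"nxdomain": bool, "dnssec_status": str} (simplified)."""
    ext = set(extensions)
    if ext - DNSSEC_EXTS:
        raise ValueError(f"unsupported extensions: {sorted(ext - DNSSEC_EXTS)}")
    only_secure = "dnssec_return_only_secure" in ext
    filtering = only_secure or "dnssec_return_status" in ext

    # The response status is decided over *all* replies, before any are dropped.
    if only_secure and not any(r["dnssec_status"] == SECURE for r in replies):
        status = NO_SECURE            # takes precedence even if all were NXDOMAIN
    elif all(r["nxdomain"] or (filtering and r["dnssec_status"] == BOGUS)
             for r in replies):
        status = NO_NAME              # without extensions: NXDOMAIN only (assumed)
    else:
        status = GOOD

    # Reply inclusion: the validation chain extension overrides both filters.
    if "dnssec_return_validation_chain" in ext or not filtering:
        kept = list(replies)
    elif only_secure:
        kept = [r for r in replies if r["dnssec_status"] == SECURE]
    else:
        kept = [r for r in replies if r["dnssec_status"] != BOGUS]

    # "dnssec_status" is present in reply dicts only when a DNSSEC extension is set.
    hide = () if ext else ("dnssec_status",)
    tree = [{k: v for k, v in r.items() if k not in hide} for r in kept]
    return {"status": status, "replies_tree": tree}

# Constructed sample replies (e.g. one per address family), not captured data.
SECURE_ANSWER = {"nxdomain": False, "dnssec_status": SECURE}
BOGUS_ANSWER = {"nxdomain": False, "dnssec_status": BOGUS}
INSECURE_NXDOMAIN = {"nxdomain": True, "dnssec_status": INSECURE}

if __name__ == "__main__":
    for exts in (["dnssec_return_status"], ["dnssec_return_only_secure"]):
        print(exts, build_response([SECURE_ANSWER, BOGUS_ANSWER], exts))
```

Under these rules a lone bogus positive answer with only `dnssec_return_status` set yields `GETDNS_RESPSTATUS_NO_NAME` and an empty reply list, so a caller that needs to tell validation failure from a nonexistent name has to add `dnssec_return_validation_chain`.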