[Stub-resolver] FW: [getdns-api] How do the DNSSEC extensions affect the response dict
Visweswaran, Gowri
gvisweswaran at verisign.com
Wed Apr 1 16:19:04 CEST 2015
From: Gowri V <gmadkat1 at gmail.com<mailto:gmadkat1 at gmail.com>>
Date: Wednesday, April 1, 2015 at 10:09 AM
To: Visweswaran Gowri <gvisweswaran at verisign.com<mailto:gvisweswaran at verisign.com>>
Subject: Fwd: [getdns-api] How do the DNSSEC extensions affect the response dict
---------- Forwarded message ----------
From: Willem Toorop <willem at nlnetlabs.nl<mailto:willem at nlnetlabs.nl>>
Date: Tue, Feb 18, 2014 at 4:09 AM
Subject: [getdns-api] How do the DNSSEC extensions affect the response dict
To: "getdns-api at vpnc.org<mailto:getdns-api at vpnc.org>" <getdns-api at vpnc.org<mailto:getdns-api at vpnc.org>>
Dear list,
Paul suggested to post our DNSSEC implementation choices on the list for
discussion, so here it is.
>From the specification it was not completely clear how DNSSEC affects
the response dict. Should individual resource records be stripped from
the packets/replies or should whole replies be included or excluded from
the response dict based on the DNSSEC status of the "answer" within?
Currently we've chosen to implement the latter, inclusion of *replies*
based on their DNSSEC status, so that:
- All DNSSEC extension add the "dnssec_status" to the reply dicts.
(this point is already mentioned in the spec)
- With "dnssec_return_status" and "dnssec_return_only_secure", the
"status" in the response dict is GETDNS_RESPSTATUS_NO_NAME when all
replies are NXDOMAIN and/or BOGUS.
- With "dnssec_return_only_secure", the "status" in the response dict
is GETDNS_RESPSTATUS_NO_SECURE_ANSWERS when non of the replies are
SECURE, even when all were NXDOMAIN.
- When "dnssec_return_validation_chain" is set, besides the validation
chain, all replies are returned, even when other DNSSEC extensions
are set that would otherwise exclude these replies. This is the only
modus were the "dnssec_status" can contain GETDNS_DNSSEC_BOGUS.
- When the "dnssec_return_status" extension is set (and
"dnssec_return_validation_chain" is not), only non-bogus replies
are returned.
- When the "dnssec_return_only_secure" extension is set (and
"dnssec_return_validation_chain" is not), only secure
replies are returned.
_______________________________________________
getdns-api mailing list
getdns-api at vpnc.org<mailto:getdns-api at vpnc.org>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://getdnsapi.net/pipermail/spec/attachments/20150401/8a1aa45a/attachment.html>
-------------- next part --------------
_______________________________________________
stub-resolver mailing list
stub-resolver at lists.verisignlabs.com
https://lists.verisignlabs.com/mailman/listinfo/stub-resolver
More information about the spec
mailing list