[getdns-users] getdns_validate_dnssec() Example?
Willem Toorop
willem at nlnetlabs.nl
Wed May 6 12:41:58 CEST 2015
Hi Scott,
I suppose the API could be a bit more clear on the input of this
function yes.
getdns_return_t getdns_validate_dnssec(
    getdns_list *record_to_validate,
    getdns_list *bundle_of_support_records,
    getdns_list *trust_anchor_records
);
- record_to_validate is a list of RR-dicts with companion RRSIG-RR-dicts
which will be validated.
- trust_anchor_records is the list of trusted DNSKEY or DS RR-dicts.
They do *not* need companion RRSIG-RR-dicts, as they are already
trusted. You can get the system default trusted keys with the
getdns_root_trust_anchor() function.
- bundle_of_support_records must be a list of DS RR-dicts and DNSKEY
RR-dicts with companion RRSIG-RR-dicts that lead up from one of the
trust_anchors to the RR-dicts to validate.
If you do a query with the "dnssec_return_validation_chain"
extension, you can use the "validation_chain" key in the response dict
as the bundle_of_support_records parameter to getdns_validate_dnssec.
You can use an "answer" section of a reply as the record_to_validate
parameter, or the "authority" section in case of NXDOMAIN.
Note however, that the record_to_validate list MUST have companion
RRSIG-RR-dicts for all its RR-dicts. getdns_validate_dnssec does not
know the zone-cuts and thus cannot handle insecure delegations! It
cannot determine if missing RRSIGs are sound (by way of insecure
delegation: GETDNS_DNSSEC_INSECURE) or not (GETDNS_DNSSEC_BOGUS)!
Also, building the wireformat data from RR-dicts doesn't work all that
well currently. getdns_validate_dnssec can now validate only RR-dicts
that came from the wire and have a sound "rdata_raw" attribute. But if
the rdata contains compressed names (like with NS, MX and CNAME records),
then the "rdata_raw" is not usable either, and getdns_validate_dnssec
simply does not work!
This is a bug and is top of my to-do list to fix, as native stub DNSSEC
validation depends on its correct working.
Hope this helps a bit.
There used to be a test program for getdns_validate_dnssec:
https://github.com/getdnsapi/getdns/blob/v0.1.4/src/test/tests_dnssec.c
But I removed all the tests_*.c programs I contributed myself in favor
of getdns_query... (which in turn never got the getdns_validate_dnssec
test function, but alas).
-- Willem
On 05-05-15 at 14:35, Hollenbeck, Scott wrote:
>> -----Original Message-----
>> From: Users [mailto:users-bounces at getdnsapi.net] On Behalf Of Mankin,
>> Allison
>> Sent: Monday, May 04, 2015 12:09 PM
>> To: libgetdns users list
>> Subject: Re: [getdns-users] getdns_validate_dnssec() Example?
>>
>> Scott,
>>
>> I think this extension may not be complete in the C library. It is a
>> more recent arrival to the API.
>>
>> It's been on my TODO list to check details on this.
>
> Thanks, Allison. I've made progress to the point where my call to getdns_validate_dnssec() is returning a 403 (I expect a 400), so I'm passing it the right types of data structures. Now I'm not sure if I'm passing it the right information to perform the validation.
>
> Scott
>
> _______________________________________________
> Users mailing list
> Users at getdnsapi.net
> http://getdnsapi.net/mailman/listinfo/users
>