[getdns-users] getdns_validate_dnssec() Example?
Hollenbeck, Scott
shollenbeck at verisign.com
Wed May 6 13:02:44 CEST 2015
Thanks, Willem. This all sounds like where I am right now. One more question below.
Scott
> -----Original Message-----
> From: Users [mailto:users-bounces at getdnsapi.net] On Behalf Of Willem
> Toorop
> Sent: Wednesday, May 06, 2015 6:42 AM
> To: users at getdnsapi.net
> Subject: Re: [getdns-users] getdns_validate_dnssec() Example?
>
> Hi Scott,
>
> I suppose the API could be a bit more clear on the input of this
> function yes.
>
> getdns_return_t getdns_validate_dnssec(
>         getdns_list *record_to_validate,
>         getdns_list *bundle_of_support_records,
>         getdns_list *trust_anchor_records
> );
>
> - record_to_validate is a list of RR-dicts with companion RRSIG-RR-dicts
> which will be validated.
>
> - trust_anchor_records is the list of trusted DNSKEY or DS RR-dicts.
> They do *not* need companion RRSIG-RR-dicts, as they are already
> trusted. You can get the system default trusted keys with the
> getdns_root_trust_anchor() function.
>
> - bundle_of_support_records must be a list of DS RR-dicts and DNSKEY
> RR-dicts with companion RRSIG-RR-dicts that lead up from one of the
> trust_anchors to the RR-dicts to validate.
>
> If you do a query with the "dnssec_return_validation_chain"
> extension, you can use the "validation_chain" key in the response dict
> as the bundle_of_support_records parameter to getdns_validate_dnssec.
> You can use an "answer" section of a reply as the record_to_validate
> parameter; or the "authority" section in case of NXDOMAIN.
>
> Note however, that the record_to_validate list MUST have companion
> RRSIG-RR-dicts for all its RR-dicts. getdns_validate_dnssec does not
> know the zone-cuts and thus cannot handle insecure delegations! It
> cannot determine if missing RRSIGs are sound (by way of insecure
> delegation: GETDNS_DNSSEC_INSECURE) or not (GETDNS_DNSSEC_BOGUS)!
>
> Also, building the wireformat data from RR-dicts doesn't work all that
> well currently. getdns_validate_dnssec can now validate only RR-dicts
> that came from the wire and have a sound "rdata_raw" attribute. But, if
> the name contains compressed names (like with NS, MX and CNAME records)
> then the "rdata_raw" is not usable either, and getdns_validate_dnssec
> simply does not work!
I've been able to get a positive result by doing an address query for www.getdnsapi.net. The test case that failed is doing an NS query for getdnsapi.net with this data:
The answer to be validated:
string(1342) "[
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata of "getdnsapi.net.">,
"rdata":
{
"nsdname": <bindata of "getdnsapi.net.">,
"rdata_raw": <bindata of 0xc00c>
},
"ttl": 450,
"type": GETDNS_RRTYPE_NS
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata of "getdnsapi.net.">,
"rdata":
{
"nsdname": <bindata of "mcvax.nlnet.nl.">,
"rdata_raw": <bindata of "mcvax.nlnet.nl.">
},
"ttl": 450,
"type": GETDNS_RRTYPE_NS
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata of "getdnsapi.net.">,
"rdata":
{
"nsdname": <bindata of "dicht.nlnetlabs.nl.">,
"rdata_raw": <bindata of 0x056469636874096e6c6e65746c616273...>
},
"ttl": 450,
"type": GETDNS_RRTYPE_NS
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata of "getdnsapi.net.">,
"rdata":
{
"algorithm": 7,
"key_tag": 6273,
"labels": 2,
"original_ttl": 450,
"rdata_raw": <bindata of 0x00020702000001c255594460553d99fb...>,
"signature": <bindata of 0x4d9a240392e5bf642dc0fdf7da98c7b3...>,
"signature_expiration": 1431913568,
"signature_inception": 1430100475,
"signers_name": <bindata of "getdnsapi.net.">,
"type_covered": GETDNS_RRTYPE_NS
},
"ttl": 450,
"type": GETDNS_RRTYPE_RRSIG
}
]"
The support records:
string(6593) "[
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata for .>,
"rdata":
{
"algorithm": 8,
"flags": 256,
"protocol": 3,
"public_key": <bindata of 0x030100019c88902c0461e1b6f4d57ee1...>,
"rdata_raw": <bindata of 0x01000308030100019c88902c0461e1b6...>
},
"ttl": 172800,
"type": GETDNS_RRTYPE_DNSKEY
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata for .>,
"rdata":
{
"algorithm": 8,
"flags": 257,
"protocol": 3,
"public_key": <bindata of 0x03010001a80020a95566ba42e886bb80...>,
"rdata_raw": <bindata of 0x0101030803010001a80020a95566ba42...>
},
"ttl": 172800,
"type": GETDNS_RRTYPE_DNSKEY
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata for .>,
"rdata":
{
"algorithm": 8,
"key_tag": 19036,
"labels": 0,
"original_ttl": 172800,
"rdata_raw": <bindata of 0x003008000002a3005556887f5542c200...>,
"signature": <bindata of 0x09332fb21c62ff39ee958560839c7356...>,
"signature_expiration": 1431734399,
"signature_inception": 1430438400,
"signers_name": <bindata for .>,
"type_covered": GETDNS_RRTYPE_DNSKEY
},
"ttl": 172800,
"type": GETDNS_RRTYPE_RRSIG
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata of "getdnsapi.net.">,
"rdata":
{
"algorithm": 7,
"flags": 257,
"protocol": 3,
"public_key": <bindata of 0x03010001c55b9f4c2dc6620017dc487c...>,
"rdata_raw": <bindata of 0x0101030703010001c55b9f4c2dc66200...>
},
"ttl": 3600,
"type": GETDNS_RRTYPE_DNSKEY
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata of "getdnsapi.net.">,
"rdata":
{
"algorithm": 7,
"flags": 257,
"protocol": 3,
"public_key": <bindata of 0x03010001bb86527f2d50505bad6eddf3...>,
"rdata_raw": <bindata of 0x0101030703010001bb86527f2d50505b...>
},
"ttl": 3600,
"type": GETDNS_RRTYPE_DNSKEY
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata of "getdnsapi.net.">,
"rdata":
{
"algorithm": 7,
"flags": 256,
"protocol": 3,
"public_key": <bindata of 0x0301000197d8b003b3b84ae4ff311ade...>,
"rdata_raw": <bindata of 0x010003070301000197d8b003b3b84ae4...>
},
"ttl": 3600,
"type": GETDNS_RRTYPE_DNSKEY
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata of "getdnsapi.net.">,
"rdata":
{
"algorithm": 7,
"key_tag": 26203,
"labels": 2,
"original_ttl": 3600,
"rdata_raw": <bindata of 0x0030070200000e10555ee9aa5542a7bb...>,
"signature": <bindata of 0x371538689c8e3933aedb0c4966198eae...>,
"signature_expiration": 1432283562,
"signature_inception": 1430431675,
"signers_name": <bindata of "getdnsapi.net.">,
"type_covered": GETDNS_RRTYPE_DNSKEY
},
"ttl": 3600,
"type": GETDNS_RRTYPE_RRSIG
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata of "getdnsapi.net.">,
"rdata":
{
"algorithm": 7,
"key_tag": 64869,
"labels": 2,
"original_ttl": 3600,
"rdata_raw": <bindata of 0x0030070200000e10555ee9aa5542a7bb...>,
"signature": <bindata of 0x6ced44f9c0363fe20d48b3b707febbf2...>,
"signature_expiration": 1432283562,
"signature_inception": 1430431675,
"signers_name": <bindata of "getdnsapi.net.">,
"type_covered": GETDNS_RRTYPE_DNSKEY
},
"ttl": 3600,
"type": GETDNS_RRTYPE_RRSIG
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata of "getdnsapi.net.">,
"rdata":
{
"algorithm": 7,
"digest": <bindata of 0x5544ec53e01f38bb848a29258c1a768e...>,
"digest_type": 1,
"key_tag": 26203,
"rdata_raw": <bindata of 0x665b07015544ec53e01f38bb848a2925...>
},
"ttl": 86400,
"type": GETDNS_RRTYPE_DS
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata of "getdnsapi.net.">,
"rdata":
{
"algorithm": 8,
"key_tag": 48497,
"labels": 2,
"original_ttl": 86400,
"rdata_raw": <bindata of 0x002b080200015180554eec385545a150...>,
"signature": <bindata of 0x9800f1b314c8173985ad90e22cee3f75...>,
"signature_expiration": 1431235640,
"signature_inception": 1430626640,
"signers_name": <bindata of "net.">,
"type_covered": GETDNS_RRTYPE_DS
},
"ttl": 86400,
"type": GETDNS_RRTYPE_RRSIG
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata of "net.">,
"rdata":
{
"algorithm": 8,
"flags": 257,
"protocol": 3,
"public_key": <bindata of 0x010398067cea5972048fa9a58178382d...>,
"rdata_raw": <bindata of 0x01010308010398067cea5972048fa9a5...>
},
"ttl": 86400,
"type": GETDNS_RRTYPE_DNSKEY
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata of "net.">,
"rdata":
{
"algorithm": 8,
"flags": 256,
"protocol": 3,
"public_key": <bindata of 0x0103a379a44c688ee5266bd676283010...>,
"rdata_raw": <bindata of 0x010003080103a379a44c688ee5266bd6...>
},
"ttl": 86400,
"type": GETDNS_RRTYPE_DNSKEY
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata of "net.">,
"rdata":
{
"algorithm": 8,
"key_tag": 35886,
"labels": 1,
"original_ttl": 86400,
"rdata_raw": <bindata of 0x00300801000151805550db2155479f75...>,
"signature": <bindata of 0x5628f72d43536f645317376dbb15d548...>,
"signature_expiration": 1431362337,
"signature_inception": 1430757237,
"signers_name": <bindata of "net.">,
"type_covered": GETDNS_RRTYPE_DNSKEY
},
"ttl": 86400,
"type": GETDNS_RRTYPE_RRSIG
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata of "net.">,
"rdata":
{
"algorithm": 8,
"digest": <bindata of 0x7862b27f5f516ebe19680444d4ce5e76...>,
"digest_type": 2,
"key_tag": 35886,
"rdata_raw": <bindata of 0x8c2e08027862b27f5f516ebe19680444...>
},
"ttl": 86399,
"type": GETDNS_RRTYPE_DS
},
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata of "net.">,
"rdata":
{
"algorithm": 8,
"key_tag": 48613,
"labels": 1,
"original_ttl": 86400,
"rdata_raw": <bindata of 0x002b080100015180555626105548e900...>,
"signature": <bindata of 0x4fa9c17e53f8a5397d67c16508f03aeb...>,
"signature_expiration": 1431709200,
"signature_inception": 1430841600,
"signers_name": <bindata for .>,
"type_covered": GETDNS_RRTYPE_DS
},
"ttl": 86399,
"type": GETDNS_RRTYPE_RRSIG
}
]"
The trust anchor:
string(355) "[
{
"class": GETDNS_RRCLASS_IN,
"name": <bindata for .>,
"rdata":
{
"algorithm": 8,
"flags": 257,
"protocol": 3,
"public_key": <bindata of 0x03010001a80020a95566ba42e886bb80...>,
"rdata_raw": <bindata of 0x0101030803010001a80020a95566ba42...>
},
"ttl": 172800,
"type": GETDNS_RRTYPE_DNSKEY
}
]"
Based on everything you wrote above, does this look correct?
Scott
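Added example (not code from the getdns project or from either poster): a standalone check for the failure Willem describes and that Scott's dump shows. The first NS record's "rdata_raw" is 0xc00c, a DNS name compression pointer (RFC 1035 section 4.1.4) to offset 12 of the original packet, while an RRSIG covers the uncompressed canonical name (RFC 4034 section 6.2), so that record can never verify as signed data. The sample rdata values are constructed here to mirror the dump; the third NS name is completed with an assumed ending because the page shows it truncated.

```python
# Decide whether an NS/MX/CNAME "rdata_raw" value taken from a getdns reply
# dict is usable as signed data: the embedded name must be plain wire format
# (length-prefixed labels, terminating zero), with no compression pointers.

def wire_name(text):
    """Encode a dotted name ('getdnsapi.net.') as uncompressed wire format."""
    out = bytearray()
    for label in text.rstrip(".").split("."):
        if label:
            out.append(len(label))
            out.extend(label.encode("ascii"))
    out.append(0)
    return bytes(out)

def name_compression_problem(rdata_raw, name_offset=0):
    """Return a reason string if the name at name_offset is compressed,
    truncated or not a plain wire-format name; None if it is usable.
    name_offset is 0 for NS/CNAME and 2 for MX (after the preference)."""
    i = name_offset
    while True:
        if i >= len(rdata_raw):
            return "truncated: name runs past end of rdata"
        length = rdata_raw[i]
        if length == 0:
            return None                      # root label: name complete
        if (length & 0xC0) == 0xC0:          # 11xxxxxx: 14-bit pointer
            if i + 1 >= len(rdata_raw):
                return "truncated compression pointer"
            target = ((length & 0x3F) << 8) | rdata_raw[i + 1]
            # Only meaningful inside the packet it was cut from.
            return "compression pointer to message offset %d" % target
        if length & 0xC0:                    # 01xxxxxx / 10xxxxxx
            return "unsupported label type 0x%02x" % length
        i += 1 + length

def usable_for_validation(rdata_raw, name_offset=0):
    return name_compression_problem(rdata_raw, name_offset) is None

# Constructed samples mirroring the three NS records in the dump above.
SAMPLES = {
    "getdnsapi.net.": bytes.fromhex("c00c"),              # pointer, unusable
    "mcvax.nlnet.nl.": wire_name("mcvax.nlnet.nl."),      # plain wire name
    "dicht.nlnetlabs.nl.":                                # assumed full value
        bytes.fromhex("056469636874096e6c6e65746c616273026e6c00"),
}

if __name__ == "__main__":
    for nsdname, raw in SAMPLES.items():
        problem = name_compression_problem(raw)
        print("%-22s %-44s %s" % (nsdname, raw.hex(), problem or "ok"))
```

A record that fails this check has to be re-fetched in a form that carries the uncompressed name before getdns_validate_dnssec can judge it; otherwise a BOGUS result says nothing about the zone.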