[getdns-users] getdns_validate_dnssec() Example?

Hollenbeck, Scott shollenbeck at verisign.com
Wed May 6 13:02:44 CEST 2015


Thanks, Willem. This all sounds like where I am right now. One more question below.

Scott

> -----Original Message-----
> From: Users [mailto:users-bounces at getdnsapi.net] On Behalf Of Willem
> Toorop
> Sent: Wednesday, May 06, 2015 6:42 AM
> To: users at getdnsapi.net
> Subject: Re: [getdns-users] getdns_validate_dnssec() Example?
> 
> Hi Scott,
> 
> I suppose the API could be a bit more clear on the input of this
> function, yes.
> 
> getdns_return_t getdns_validate_dnssec(
> 	getdns_list *record_to_validate,
> 	getdns_list *bundle_of_support_records,
> 	getdns_list *trust_anchor_records
> );
> 
> - record_to_validate is a list of RR-dicts with companion RRSIG-RR-dicts
> which will be validated.
> 
> - trust_anchor_records is the list of trusted DNSKEY or DS RR-dicts.
> They do *not* need companion RRSIG-RR-dicts, as they are already
> trusted. You can get the system default trusted keys with the
> getdns_root_trust_anchor() function.
> 
> - bundle_of_support_records must be a list of DS RR-dicts and DNSKEY
> RR-dicts with companion RRSIG-RR-dicts that lead up from one of the
> trust_anchors to the RR-dicts to validate.
> 
> If you would do a query with the "dnssec_return_validation_chain"
> extension, you can use the "validation_chain" key in the response dict
> as the bundle_of_support_records parameter to getdns_validate_dnssec.
> You can use the "answer" section of a reply as the record_to_validate
> parameter, or the "authority" section in case of NXDOMAIN.
> 
> Note, however, that the record_to_validate list MUST have companion
> RRSIG-RR-dicts for all its RR-dicts. getdns_validate_dnssec does not
> know the zone-cuts and thus cannot handle insecure delegations! It
> cannot determine if missing RRSIGs are sound (by way of insecure
> delegation: GETDNS_DNSSEC_INSECURE) or not (GETDNS_DNSSEC_BOGUS)!
> 
> Also, building the wireformat data from RR-dicts doesn't work all that
> well currently. getdns_validate_dnssec can now validate only RR-dicts
> that came from the wire and have a sound "rdata_raw" attribute. But if
> the name contains compressed names (like with NS, MX and CNAME records)
> then the "rdata_raw" is not usable either, and getdns_validate_dnssec
> simply does not work!

I've been able to get a positive result by doing an address query for www.getdnsapi.net. The test case that failed is doing an NS query for getdnsapi.net with this data:

The answer to be validated:

string(1342) "[
  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata of "getdnsapi.net.">,
    "rdata":
    {
      "nsdname": <bindata of "getdnsapi.net.">,
      "rdata_raw": <bindata of 0xc00c>
    },
    "ttl": 450,
    "type": GETDNS_RRTYPE_NS
  },
  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata of "getdnsapi.net.">,
    "rdata":
    {
      "nsdname": <bindata of "mcvax.nlnet.nl.">,
      "rdata_raw": <bindata of "mcvax.nlnet.nl.">
    },
    "ttl": 450,
    "type": GETDNS_RRTYPE_NS
  },
  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata of "getdnsapi.net.">,
    "rdata":
    {
      "nsdname": <bindata of "dicht.nlnetlabs.nl.">,
      "rdata_raw": <bindata of 0x056469636874096e6c6e65746c616273...>
    },
    "ttl": 450,
    "type": GETDNS_RRTYPE_NS
  },
  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata of "getdnsapi.net.">,
    "rdata":
    {
      "algorithm": 7,
      "key_tag": 6273,
      "labels": 2,
      "original_ttl": 450,
      "rdata_raw": <bindata of 0x00020702000001c255594460553d99fb...>,
      "signature": <bindata of 0x4d9a240392e5bf642dc0fdf7da98c7b3...>,
      "signature_expiration": 1431913568,
      "signature_inception": 1430100475,
      "signers_name": <bindata of "getdnsapi.net.">,
      "type_covered": GETDNS_RRTYPE_NS
    },
    "ttl": 450,
    "type": GETDNS_RRTYPE_RRSIG
  }
]"

The support records:

string(6593) "[
  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata for .>,
    "rdata":
    {
      "algorithm": 8,
      "flags": 256,
      "protocol": 3,
      "public_key": <bindata of 0x030100019c88902c0461e1b6f4d57ee1...>,
      "rdata_raw": <bindata of 0x01000308030100019c88902c0461e1b6...>
    },
    "ttl": 172800,
    "type": GETDNS_RRTYPE_DNSKEY
  },
  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata for .>,
    "rdata":
    {
      "algorithm": 8,
      "flags": 257,
      "protocol": 3,
      "public_key": <bindata of 0x03010001a80020a95566ba42e886bb80...>,
      "rdata_raw": <bindata of 0x0101030803010001a80020a95566ba42...>
    },
    "ttl": 172800,
    "type": GETDNS_RRTYPE_DNSKEY
  },
  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata for .>,
    "rdata":
    {
      "algorithm": 8,
      "key_tag": 19036,
      "labels": 0,
      "original_ttl": 172800,
      "rdata_raw": <bindata of 0x003008000002a3005556887f5542c200...>,
      "signature": <bindata of 0x09332fb21c62ff39ee958560839c7356...>,
      "signature_expiration": 1431734399,
      "signature_inception": 1430438400,
      "signers_name": <bindata for .>,
      "type_covered": GETDNS_RRTYPE_DNSKEY
    },
    "ttl": 172800,
    "type": GETDNS_RRTYPE_RRSIG
  },
  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata of "getdnsapi.net.">,
    "rdata":
    {
      "algorithm": 7,
      "flags": 257,
      "protocol": 3,
      "public_key": <bindata of 0x03010001c55b9f4c2dc6620017dc487c...>,
      "rdata_raw": <bindata of 0x0101030703010001c55b9f4c2dc66200...>
    },
    "ttl": 3600,
    "type": GETDNS_RRTYPE_DNSKEY
  },
  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata of "getdnsapi.net.">,
    "rdata":
    {
      "algorithm": 7,
      "flags": 257,
      "protocol": 3,
      "public_key": <bindata of 0x03010001bb86527f2d50505bad6eddf3...>,
      "rdata_raw": <bindata of 0x0101030703010001bb86527f2d50505b...>
    },
    "ttl": 3600,
    "type": GETDNS_RRTYPE_DNSKEY
  },
  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata of "getdnsapi.net.">,
    "rdata":
    {
      "algorithm": 7,
      "flags": 256,
      "protocol": 3,
      "public_key": <bindata of 0x0301000197d8b003b3b84ae4ff311ade...>,
      "rdata_raw": <bindata of 0x010003070301000197d8b003b3b84ae4...>
    },
    "ttl": 3600,
    "type": GETDNS_RRTYPE_DNSKEY
  },
  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata of "getdnsapi.net.">,
    "rdata":
    {
      "algorithm": 7,
      "key_tag": 26203,
      "labels": 2,
      "original_ttl": 3600,
      "rdata_raw": <bindata of 0x0030070200000e10555ee9aa5542a7bb...>,
      "signature": <bindata of 0x371538689c8e3933aedb0c4966198eae...>,
      "signature_expiration": 1432283562,
      "signature_inception": 1430431675,
      "signers_name": <bindata of "getdnsapi.net.">,
      "type_covered": GETDNS_RRTYPE_DNSKEY
    },
    "ttl": 3600,
    "type": GETDNS_RRTYPE_RRSIG
  },
  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata of "getdnsapi.net.">,
    "rdata":
    {
      "algorithm": 7,
      "key_tag": 64869,
      "labels": 2,
      "original_ttl": 3600,
      "rdata_raw": <bindata of 0x0030070200000e10555ee9aa5542a7bb...>,
      "signature": <bindata of 0x6ced44f9c0363fe20d48b3b707febbf2...>,
      "signature_expiration": 1432283562,
      "signature_inception": 1430431675,
      "signers_name": <bindata of "getdnsapi.net.">,
      "type_covered": GETDNS_RRTYPE_DNSKEY
    },
    "ttl": 3600,
    "type": GETDNS_RRTYPE_RRSIG
  },
  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata of "getdnsapi.net.">,
    "rdata":
    {
      "algorithm": 7,
      "digest": <bindata of 0x5544ec53e01f38bb848a29258c1a768e...>,
      "digest_type": 1,
      "key_tag": 26203,
      "rdata_raw": <bindata of 0x665b07015544ec53e01f38bb848a2925...>
    },
    "ttl": 86400,
    "type": GETDNS_RRTYPE_DS
  },
  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata of "getdnsapi.net.">,
    "rdata":
    {
      "algorithm": 8,
      "key_tag": 48497,
      "labels": 2,
      "original_ttl": 86400,
      "rdata_raw": <bindata of 0x002b080200015180554eec385545a150...>,
      "signature": <bindata of 0x9800f1b314c8173985ad90e22cee3f75...>,
      "signature_expiration": 1431235640,
      "signature_inception": 1430626640,
      "signers_name": <bindata of "net.">,
      "type_covered": GETDNS_RRTYPE_DS
    },
    "ttl": 86400,
    "type": GETDNS_RRTYPE_RRSIG
  },
  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata of "net.">,
    "rdata":
    {
      "algorithm": 8,
      "flags": 257,
      "protocol": 3,
      "public_key": <bindata of 0x010398067cea5972048fa9a58178382d...>,
      "rdata_raw": <bindata of 0x01010308010398067cea5972048fa9a5...>
    },
    "ttl": 86400,
    "type": GETDNS_RRTYPE_DNSKEY
  },
  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata of "net.">,
    "rdata":
    {
      "algorithm": 8,
      "flags": 256,
      "protocol": 3,
      "public_key": <bindata of 0x0103a379a44c688ee5266bd676283010...>,
      "rdata_raw": <bindata of 0x010003080103a379a44c688ee5266bd6...>
    },
    "ttl": 86400,
    "type": GETDNS_RRTYPE_DNSKEY
  },
  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata of "net.">,
    "rdata":
    {
      "algorithm": 8,
      "key_tag": 35886,
      "labels": 1,
      "original_ttl": 86400,
      "rdata_raw": <bindata of 0x00300801000151805550db2155479f75...>,
      "signature": <bindata of 0x5628f72d43536f645317376dbb15d548...>,
      "signature_expiration": 1431362337,
      "signature_inception": 1430757237,
      "signers_name": <bindata of "net.">,
      "type_covered": GETDNS_RRTYPE_DNSKEY
    },
    "ttl": 86400,
    "type": GETDNS_RRTYPE_RRSIG
  },
  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata of "net.">,
    "rdata":
    {
      "algorithm": 8,
      "digest": <bindata of 0x7862b27f5f516ebe19680444d4ce5e76...>,
      "digest_type": 2,
      "key_tag": 35886,
      "rdata_raw": <bindata of 0x8c2e08027862b27f5f516ebe19680444...>
    },
    "ttl": 86399,
    "type": GETDNS_RRTYPE_DS
  },
  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata of "net.">,
    "rdata":
    {
      "algorithm": 8,
      "key_tag": 48613,
      "labels": 1,
      "original_ttl": 86400,
      "rdata_raw": <bindata of 0x002b080100015180555626105548e900...>,
      "signature": <bindata of 0x4fa9c17e53f8a5397d67c16508f03aeb...>,
      "signature_expiration": 1431709200,
      "signature_inception": 1430841600,
      "signers_name": <bindata for .>,
      "type_covered": GETDNS_RRTYPE_DS
    },
    "ttl": 86399,
    "type": GETDNS_RRTYPE_RRSIG
  }
]"

The trust anchor:

string(355) "[
  {
    "class": GETDNS_RRCLASS_IN,
    "name": <bindata for .>,
    "rdata":
    {
      "algorithm": 8,
      "flags": 257,
      "protocol": 3,
      "public_key": <bindata of 0x03010001a80020a95566ba42e886bb80...>,
      "rdata_raw": <bindata of 0x0101030803010001a80020a95566ba42...>
    },
    "ttl": 172800,
    "type": GETDNS_RRTYPE_DNSKEY
  }
]"

Based on everything you wrote above, does this look correct?

Scott
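An added example (not part of this thread and not getdns code) that turns the two preconditions Willem lists into a pre-check a caller can run before getdns_validate_dnssec(): every RR-dict needs a companion RRSIG, and name-bearing rdata_raw (NS, MX, CNAME) must not contain a compression pointer such as the 0xc00c in the first NS record above. RR-dicts are modelled with a minimal struct rr, an assumption made so the check runs without the library.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Minimal stand-in for a getdns RR-dict (assumption, not the getdns type). */
enum { T_NS = 2, T_CNAME = 5, T_MX = 15, T_RRSIG = 46 };   /* RR type codes */
enum { RRSET_OK = 0, RRSET_NO_RRSIG = 1, RRSET_COMPRESSED = 2 };

struct rr {
    const char *name;        /* owner name, presentation form */
    uint16_t type;           /* RR type */
    uint16_t type_covered;   /* only meaningful when type == T_RRSIG */
    const uint8_t *rdata_raw;
    size_t rdata_len;
};

/* Returns 1 if the domain name starting at rd[off] contains a compression
 * pointer (a label byte with the top two bits set, e.g. 0xc0 0x0c), which
 * is meaningless outside the original DNS message. */
static int name_is_compressed(const uint8_t *rd, size_t len, size_t off)
{
    while (off < len) {
        uint8_t l = rd[off];
        if ((l & 0xc0) == 0xc0) return 1;   /* pointer: rdata_raw unusable */
        if (l == 0) return 0;                /* root label: name complete */
        off += 1 + l;
    }
    return 1;                                /* truncated name: treat as unusable */
}

/* Checks a record_to_validate list: every non-RRSIG RR must have an RRSIG
 * at the same owner covering its type, and NS/CNAME/MX rdata must not rely
 * on message compression. Returns the first problem found, RRSET_OK if none. */
int check_rrset_for_validate_dnssec(const struct rr *rrs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        const struct rr *r = &rrs[i];
        if (r->type == T_RRSIG) continue;
        size_t off = (r->type == T_MX) ? 2 : 0;  /* MX: 16-bit preference first */
        if ((r->type == T_NS || r->type == T_CNAME || r->type == T_MX) &&
            name_is_compressed(r->rdata_raw, r->rdata_len, off))
            return RRSET_COMPRESSED;
        int has_sig = 0;
        for (size_t j = 0; j < n && !has_sig; j++)
            if (rrs[j].type == T_RRSIG && rrs[j].type_covered == r->type &&
                strcmp(rrs[j].name, r->name) == 0)
                has_sig = 1;
        if (!has_sig) return RRSET_NO_RRSIG;
    }
    return RRSET_OK;
}
```

Run against the NS answer above, the check reports RRSET_COMPRESSED for the 0xc00c record, so the failure can be attributed to the compressed-name limitation rather than to the validation chain or trust anchor.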
