[getdns-users] Example using the "dnssec_return_validation_chain" extension

Willem Toorop willem at nlnetlabs.nl
Sun Apr 3 13:45:45 CEST 2016


On 01-04-16 at 11:53, Linus Nordberg wrote:
> Willem Toorop <willem at nlnetlabs.nl> wrote
> Fri, 26 Feb 2016 12:16:38 +0100:
> 
> [...]
> | you really want, but it doesn't seem too much of an effort to convert
> | from wire format to a getdns_list.  I.e. for example with the well
> | documented wire2rr_dict_scan ;) :
> [...]
> | We could expose this as
> | 
> | getdns_return_t
> | getdns_wire_rrs2list(uint8_t *wire, size_t wire_len, getdns_list **list);
> | 
> | But I also like to keep the API as small as possible and don't want to
> | expose a lot of helper functions that you could have easily recreated
> | with the existing functions as well.
> 
> Makes sense. I ended up doing something very similar to what you outline
> above. Works just fine. Thanks!
> 
> Next question is if I can somehow access the canonicalised data that the
> validation is based on? From skimming the code, it seems to me that
> canonicalisation is performed but I haven't figured out if it's safe to
> assume that I could simply use the data in getdns_list's that I passed
> to getdns_validate_dnssec2() once it returns.

No, the verification buffers are temporarily used for the verification
process only.  But why do you need the canonicalized form?


> 
> By the way, I've been using commit 4e0073ae for my testing. This seems
> to be close enough to 1.0.0b1 for me to give a thumbs up for at least
> the DNSSEC validation parts of that (pre-)release. Great work!
> 
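Since, as Willem says, getdns keeps the canonical form only in temporary verification buffers, here is an added example (not getdns or NLnet Labs code) showing what that data looks like: it parses wire-format RRs, compression pointers included, into per-record dicts much like a getdns_wire2rr_dict_scan loop would, and then builds the RFC 4034 section 6 canonical RRset that a DNSSEC validator hashes and checks the RRSIG over. The wire bytes, owner name and addresses are constructed for the example; the RDATA ordering shown is sufficient for types such as A/AAAA whose RDATA contains no domain names.

```python
import struct

def read_name(wire, off):
    """Decode a possibly compressed owner name (RFC 1035 4.1.4); return (labels, next_off)."""
    labels, jumped, end = [], False, None
    while True:
        length = wire[off]
        if length & 0xC0 == 0xC0:           # compression pointer: follow it once, remember where we left off
            ptr = struct.unpack("!H", wire[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:                      # root label terminates the name
            break
        labels.append(wire[off:off + length])
        off += length
    return labels, (end if jumped else off)

def wire2rr(wire, off):
    """Parse one RR (NAME TYPE CLASS TTL RDLENGTH RDATA) at off; return (rr_dict, next_off)."""
    labels, off = read_name(wire, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", wire[off:off + 10])
    off += 10
    rr = {"name": labels, "type": rtype, "class": rclass, "ttl": ttl, "rdata": wire[off:off + rdlen]}
    return rr, off + rdlen

def wire2rrs(wire):
    """Scan a buffer of concatenated wire-format RRs into a list of rr dicts."""
    rrs, off = [], 0
    while off < len(wire):
        rr, off = wire2rr(wire, off)
        rrs.append(rr)
    return rrs

def canonical_name(labels):
    """RFC 4034 6.2: fully expanded (no pointers), lowercase, wire-encoded owner name."""
    return b"".join(bytes([len(l)]) + l.lower() for l in labels) + b"\x00"

def canonicalize_rrset(rrs):
    """RFC 4034 6.3 canonical RRset: canonical owner names, RRs sorted by RDATA as octet strings."""
    canon = [dict(rr, name=canonical_name(rr["name"])) for rr in rrs]
    return sorted(canon, key=lambda rr: rr["rdata"])

# Constructed sample: two A records for www.Example.com; the second owner is a pointer to offset 0.
WIRE = (
    b"\x03www\x07Example\x03com\x00" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 10])
    + b"\xc0\x00" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
)
```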