[getdns-api] Stub vs. recursive, DNSSEC, and design goals for this API

Tony Finch dot at dotat.at
Thu Jan 31 03:05:13 MST 2013


Phillip Hallam-Baker <hallam at gmail.com> wrote:
>
> I don't see how not handling NS records is going to simplify the code of
> the stub. Yeah you could leave that to the DNS Proxy (in network terms, it's
> a proxy, calling it a recursive server only confuses). But you still have
> to check the work and it really does not buy you much.

It's almost trivially easy to fetch the chain of trust from a
security-aware recursive server: you just ask for DNSKEY and DS RRs at all
the suffixes of the name you are checking. In fact it's a one-line
shell script:

# takes the name as $1; normalise to exactly one trailing dot so the loop ends at the TLD instead of spinning on an unqualified name
n=${1%.}.; while [ "$n" != "" ]; do dig +dnssec +noall +answer "$n" dnskey "$n" ds; n=${n#*.}; done

You can send these requests concurrently. Iterative resolution is MUCH
harder. Even though you have to validate in both cases, a recursive client
is still a lot simpler.

> > > Not being recursive capable is likely to result in flakiness.
> >
> > Yes, as we have learned from dnssec-trigger. The main problem is dealing
> > with security-oblivious recursors that fail to fetch and/or pass on DNSSEC
> > RRs and that don't know where to find DS records.
>
> It was the finding of such data that made me think that the recursive
> capability was going to be essential.

Do you mean iterative?

I think this library should be just a validating stub. If you need to get
down and dirty, ldns already exists.

> > If dnssec-trigger is faced with a security-oblivious resolver and a
> > firewall that blocks DNS, then it can fall back to DNS-over-TLS to a
> > known recursive server.
>
> I would rather the API supported a (configurable) range of guerrilla tactics.

I think this should be the job of a local recursive server, like
dnssec-trigger.

> Why would the fallback server need to be recursive here? Unless it was
> going to return the whole DNSSEC chain.

It has to be a recursive server: the client has to make recursive
queries, because the firewall blocks iterative queries to authority
servers.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
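The suffix walk in the one-liner above, carried a little further, as an added example that is not from Tony's message and is not getdns code. It enumerates the suffixes whose DNSKEY and DS RRsets make up the chain of trust, issues one dig per suffix concurrently against whatever recursor /etc/resolv.conf names, prints the answers in chain order, and reports the failure mode the thread worries about: a recursor that hands back no RRSIGs at all. The function names, the requirement for BIND 9 `dig`, and the RRSIG check are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Tony Finch's one-liner and not getdns code.
# Walks the suffixes of a name whose DNSKEY and DS RRsets form the DNSSEC
# chain of trust and fetches them from the system's recursive resolver,
# one dig per suffix, all in parallel.  Assumes `dig` (BIND 9) is installed
# and that /etc/resolv.conf points at the recursor under test.

# Print every suffix of NAME from the full name down to the TLD, one per
# line, each with exactly one trailing dot.  The root itself is not
# printed: its DNSKEY is the validator's trust anchor and it has no DS.
chain_suffixes() {
    n="${1%.}."                   # strip any trailing dot, then add one
    while [ -n "$n" ]; do
        printf '%s\n' "$n"
        n="${n#*.}"               # drop the leftmost label
    done
}

# Number of DNSKEY+DS query pairs needed to cover NAME.
chain_depth() {
    chain_suffixes "$1" | wc -l | tr -d ' '
}

# Fetch DNSKEY and DS for every suffix concurrently and print the answers
# in chain order (leaf first, TLD last).  Returns 1 if no RRSIG came back
# in any answer, which is what a security-oblivious recursor looks like.
fetch_chain() {
    tmp=$(mktemp -d) || return 1
    i=0
    for s in $(chain_suffixes "$1"); do
        i=$((i + 1))
        # one dig per suffix, backgrounded so the queries overlap
        dig +dnssec +noall +answer "$s" dnskey "$s" ds > "$tmp/$i" &
    done
    wait
    j=1
    while [ "$j" -le "$i" ]; do
        cat "$tmp/$j"
        j=$((j + 1))
    done
    if ! grep -q 'RRSIG' "$tmp"/*; then
        echo "no RRSIGs in any answer: recursor is not passing on DNSSEC RRs" >&2
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
}

# Usage: sh chain.sh www.example.com
if [ $# -gt 0 ]; then
    fetch_chain "$1"
fi
```

Note that a DS query at the leaf name usually comes back empty (the DS for a zone lives in its parent), and `+noall +answer` hides the NSEC/NSEC3 proof of that nonexistence, so an empty leaf DS answer is expected rather than a sign of a broken recursor; the RRSIG check looks across all answers for that reason.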

