[getdns-api] Stub vs. recursive, DNSSEC, and design goals for this API
Tony Finch
dot at dotat.at
Thu Jan 31 03:05:13 MST 2013
Phillip Hallam-Baker <hallam at gmail.com> wrote:
>
> I don't see how not handling NS records is going to simplify the code of
> the stub. Yeah you could leave that to the DNS Proxy (in network terms, it's
> a proxy, calling it a recursive server only confuses). But you still have
> to check the work and it really does not buy you much.
It's almost trivially easy to fetch the chain of trust from a
security-aware recursive server: you just ask for DNSKEY and DS RRs at all
the suffixes of the name you are checking. In fact it's a one-line
shell script:
while [ "$n" != "" ]; do dig +dnssec +noall +answer $n dnskey $n ds; n=${n#*.}; done
You can send these requests concurrently. Iterative resolution is MUCH
harder. Even though you have to validate in both cases, a recursive client
is still a lot simpler.
> > > Not being recursive capable is likely to result in flakiness.
> >
> > Yes, as we have learned from dnssec-trigger. The main problem is dealing
> > with security-oblivious recursors that fail to fetch and/or pass on DNSSEC
> > RRs and that don't know where to find DS records.
>
> It was the finding of such data that made me think that the recursive
> capability was going to be essential.
Do you mean iterative?
I think this library should be just a validating stub. If you need to get
down and dirty, ldns already exists.
> > If dnssec-trigger is faced with a security-oblivious resolver and a
> > firewall that blocks DNS, then it can fall back to DNS-over-TLS to a
> > known recursive server.
>
> I would rather the API supported a (configurable) range of guerrilla tactics.
I think this should be the job of a local recursive server, like
dnssec-trigger.
> Why would the fallback server need to be recursive here? Unless it was
> going to return the whole DNSSEC chain.
It has to be a recursive server because the client has to make recursive
queries because the firewall blocks iterative queries to authority
servers.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
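The chain-of-trust fetch described in the reply above (DNSKEY and DS at every suffix of the name, requests issued concurrently), written out as an added example that is not part of the original mail. It assumes `dig` is on PATH and is pointed at a DNSSEC-aware recursive server; unlike the one-liner it terminates whether or not the input carries a trailing dot, and it also queries the root, where the chain ends at the trust anchor.

```shell
#!/bin/sh
# Added example, not code from the original mail: walk every suffix of a
# name up to the root and fetch DNSKEY + DS at each, as the one-liner in
# the mail does, but terminating whether or not the input has a trailing dot.

# suffixes NAME
#   Prints each suffix of NAME on its own line, from NAME itself down to
#   the root ("."), every entry written as an FQDN with one trailing dot.
suffixes() {
    n="${1%.}."                  # normalise: strip any trailing dot, add one
    while [ "$n" != "." ]; do
        printf '%s\n' "$n"
        n="${n#*.}"              # drop the leftmost label
        [ -n "$n" ] || n="."     # last label stripped: we are at the root
    done
    printf '%s\n' "."
}

# chain_of_trust NAME
#   Sends the DNSKEY and DS queries for all suffixes concurrently via dig
#   (assumed to be on PATH and pointed at a DNSSEC-aware recursive server),
#   then prints the answers in order from the leaf name to the root.
chain_of_trust() {
    dir=$(mktemp -d) || return 1
    i=0
    for s in $(suffixes "$1"); do
        i=$((i + 1))
        dig +dnssec +noall +answer "$s" DNSKEY "$s" DS > "$dir/$i" &
    done
    wait                         # all queries were in flight at once
    j=0
    while [ "$j" -lt "$i" ]; do
        j=$((j + 1))
        cat "$dir/$j"
    done
    rm -rf "$dir"
}

# Usage: sh chain.sh www.example.com
if [ $# -gt 0 ]; then
    chain_of_trust "$1"
fi
```

The root DS query returns an empty answer (the root has no parent), which is expected: validation of the root DNSKEY RRset is done against the configured trust anchor, not against a DS record. Each suffix's answer is kept in its own file so that concurrent `dig` output does not interleave.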