[getdns-api] How do the DNSSEC extensions affect the response dict

Willem Toorop willem at nlnetlabs.nl
Tue Feb 18 02:09:58 MST 2014


Dear list,

Paul suggested posting our DNSSEC implementation choices on the list for
discussion, so here it is.

From the specification it was not completely clear how DNSSEC affects
the response dict.  Should individual resource records be stripped from
the packets/replies or should whole replies be included or excluded from
the response dict based on the DNSSEC status of the "answer" within?

Currently we've chosen to implement the latter, inclusion of *replies*
based on their DNSSEC status, so that:

- All DNSSEC extensions add the "dnssec_status" to the reply dicts.
  (this point is already mentioned in the spec)

- With "dnssec_return_status" and "dnssec_return_only_secure", the
  "status" in the response dict is GETDNS_RESPSTATUS_NO_NAME when all
  replies are NXDOMAIN and/or BOGUS.

- With "dnssec_return_only_secure", the "status" in the response dict
  is GETDNS_RESPSTATUS_NO_SECURE_ANSWERS when non of the replies are
  SECURE, even when all were NXDOMAIN.

- When "dnssec_return_validation_chain" is set, besides the validation
  chain, all replies are returned, even when other DNSSEC extensions
  are set that would otherwise exclude these replies.  This is the only
  mode where the "dnssec_status" can contain GETDNS_DNSSEC_BOGUS.

- When the "dnssec_return_status" extension is set (and
  "dnssec_return_validation_chain" is not), only non-bogus replies
  are returned.

- When the "dnssec_return_only_secure" extension is set (and
  "dnssec_return_validation_chain" is not), only secure
  replies are returned.
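
The reply-inclusion and status rules listed above, written out as a small
Python model (an added illustration, not getdns library code): the
extension and status names are the ones from the post, the string values
standing in for getdns's integer constants are placeholders, and the
behaviour without any DNSSEC extension set is an assumption.

```python
"""Model of how the DNSSEC extensions select replies and set "status".
Added illustration, not getdns code. Status strings are placeholders
for the real GETDNS_* integer constants."""

DNSSEC_EXTENSIONS = {
    "dnssec_return_status",
    "dnssec_return_only_secure",
    "dnssec_return_validation_chain",
}


def build_response(replies, extensions):
    """replies: list of dicts with "rcode" ("NOERROR" or "NXDOMAIN") and
    "dnssec_status" ("SECURE", "INSECURE", "BOGUS" or "INDETERMINATE").
    extensions: set of extension names. Returns (status, included replies)."""
    if not extensions & DNSSEC_EXTENSIONS:
        # Assumption: without a DNSSEC extension no "dnssec_status" is added
        # and the status only reflects whether every reply was NXDOMAIN.
        included = [{k: v for k, v in r.items() if k != "dnssec_status"}
                    for r in replies]
        all_nxdomain = all(r["rcode"] == "NXDOMAIN" for r in replies)
        return ("GETDNS_RESPSTATUS_NO_NAME" if all_nxdomain
                else "GETDNS_RESPSTATUS_GOOD"), included

    if "dnssec_return_validation_chain" in extensions:
        # Validation-chain mode returns every reply, BOGUS ones included;
        # it overrides the filtering of the other two extensions.
        included = list(replies)
    elif "dnssec_return_only_secure" in extensions:
        included = [r for r in replies if r["dnssec_status"] == "SECURE"]
    else:  # only "dnssec_return_status": drop the BOGUS replies
        included = [r for r in replies if r["dnssec_status"] != "BOGUS"]

    if ("dnssec_return_only_secure" in extensions
            and not any(r["dnssec_status"] == "SECURE" for r in replies)):
        # No SECURE reply at all, even if all of them were NXDOMAIN.
        return "GETDNS_RESPSTATUS_NO_SECURE_ANSWERS", included
    if all(r["rcode"] == "NXDOMAIN" or r["dnssec_status"] == "BOGUS"
           for r in replies):
        return "GETDNS_RESPSTATUS_NO_NAME", included
    return "GETDNS_RESPSTATUS_GOOD", included


# Constructed sample: a bogus positive answer next to an insecure NXDOMAIN.
SAMPLE = [
    {"rcode": "NOERROR", "dnssec_status": "BOGUS"},
    {"rcode": "NXDOMAIN", "dnssec_status": "INSECURE"},
]
```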
