[getdns-users] getdns_validate_dnssec() Example?

Willem Toorop willem at nlnetlabs.nl
Wed May 6 10:41:58 UTC 2015


Hi Scott,

I suppose the API could be a bit more clear on the input of this
function yes.

getdns_return_t getdns_validate_dnssec(
	getdns_list *record_to_validate,
	getdns_list *bundle_of_support_records,
	getdns_list *trust_anchor_records
);

- record_to_validate is a list of RR-dicts with companion RRSIG-RR-dicts
which will be validated.

- trust_anchor_records is the list of trusted DNSKEYs or DS'es RR-dicts.
They do *not* need companion RRSIG-RR-dicts, as they are already
trusted. You can get the system default trusted keys with the
getdns_root_trust_anchor() function.

- bundle_of_support_records must be a list of DS's RR-dicts and DNSKEY
RR-dicts with companion RRSIG-RR-dicts that lead up from one of the
trust_anchors to the RR-dicts to validate.

If you would do a query with the "dnssec_return_validation_chain"
extension, you can use the "validation_chain" key in the response dict
as the bundle_of_support_records parameter ro getdns_validate_dnssec.
You can use a "answer" section of a reply as the record_to_validate
parameter;  Or the "authority" section in case of NXDOMAIN.

Note however, that the record_to_validate list MUST have companion
RRSIG-RR-dicts for all its RR-dicts.  getdns_validate_dnssec does not
know the zone-cuts and thus cannot handle insecure delegations!  It
cannot determine if missing RRSIGs are sound (by way of insecure
delegation: GETDNS_DNSSEC_INSECURE) or not (GETDNS_DNSSEC_BOGUS)!

Also, building the wireformat data from RR-dicts doesn't work all that
well currently.  getdns_validate_dnssec can now validate only RR-dicts,
that came from the wire and have a sound "rdata_raw" attribute.  But, if
the name contains compressed names (like with NS, MX and CNAME records)
then the "rdata_raw" is not usable either, and getdns_validate_dnssec
simply does not work!

This is a bug and is top on my to do list to fix, as native stub dnssec
validation depends on it's correct working.

Hope this helps a bit.

There used to be an test program for getdns_validate_dnssec:
https://github.com/getdnsapi/getdns/blob/v0.1.4/src/test/tests_dnssec.c
But I removed all the tests_*.c programs I contributed myself in favor
of getdns_query... (which in turn never got the getdns_validate_dnssec
test function, but alas).

-- Willem

Op 05-05-15 om 14:35 schreef Hollenbeck, Scott:
>> -----Original Message-----
>> From: Users [mailto:users-bounces at getdnsapi.net] On Behalf Of Mankin,
>> Allison
>> Sent: Monday, May 04, 2015 12:09 PM
>> To: libgetdns users list
>> Subject: Re: [getdns-users] getdns_validate_dnssec() Example?
>>
>> Scott,
>>
>> I think this extension may not be complete in the C library. It is a
>> more recent arrival to the API.
>>
>> It's been on my TODO list to check details on this.
>  
> Thanks, Allison. I've made progress to the point where my call to getdns_validate_dnssec() is returning a 403 (I expect a 400), so I'm passing it the right types of data structures. Now I'm not sure if I'm passing it the right information to perform the validation.
> 
> Scott
> 
> _______________________________________________
> Users mailing list
> Users at getdnsapi.net
> http://getdnsapi.net/mailman/listinfo/users
> 




More information about the Users mailing list