[getdns-users] Example using the "dnssec_return_validation_chain" extension

Linus Nordberg linus at nordberg.se
Fri Apr 1 14:53:14 UTC 2016


Willem Toorop <willem at nlnetlabs.nl> wrote
Fri, 26 Feb 2016 12:16:38 +0100:

[...]
| you really want, but it doesn't seem too much of an effort to convert
| from wire format to a getdns_list.  I.e. for example with the well
| documented wire2rr_dict_scan ;) :
[...]
| We could expose this as
| 
| getdns_return_t
| getdns_wire_rrs2list(uint8_t *wire, size_t wire_len, getdns_list **list);
| 
| But I also like to keep the API as small as possible and don't want to
| expose a lot of helper functions that you could have easily recreated
| with the existing functions as well.

Makes sense. I ended up doing something very similar to what you outline
above. Works just fine. Thanks!

Next question is if I can somehow access the canonicalised data that the
validation is based on? From skimming the code, it seems to me that
canonicalisation is performed but I haven't figured out if it's safe to
assume that I could simply use the data in getdns_list's that I passed
to getdns_validate_dnssec2() once it returns.

By the way, I've been using commit 4e0073ae for my testing. This seems
to be close enough to 1.0.0b1 for me to give a thumbs up for at least
the DNSSEC validation parts of that (pre-)release. Great work!


