[getdns-users] Example using the "dnssec_return_validation_chain" extension

Linus Nordberg linus at nordberg.se
Sun Apr 3 12:10:42 UTC 2016


Willem Toorop <willem at nlnetlabs.nl> wrote
Sun, 3 Apr 2016 08:45:45 -0300:

| > Next question is if I can somehow access the canonicalised data that the
| > validation is based on? From skimming the code, it seems to me that
| > canonicalisation is performed but I haven't figured out if it's safe to
| > assume that I could simply use the data in getdns_list's that I passed
| > to getdns_validate_dnssec2() once it returns.
| 
| No, the verification buffers are temporarily used for the verification
| process only.  But why do you need the canonicalized form?

(Cross posting to dnssec-transparency@ where this discussion is more on
topic.)

A DNSSEC Transparency log server should store RR's in canonicalised form
in order to be able to return an old SCT when a submitted record already
exists in the log. Without this it'd be even easier to spam a log to
death.

At least that's my understanding of why this is important. Another less
important reason would be to make it easier for auditors and monitors to
verify log behaviour and content.

Thinking some more about it, duplicate checks should probably be
performed on the submitted DS record (and possibly its accompanying
RRSIG) only. I'm still pretty sure it should be canonicalised.



More information about the Users mailing list