[getdns-users] Example using the "dnssec_return_validation_chain" extension

Willem Toorop willem at nlnetlabs.nl
Sun Apr 3 15:46:24 UTC 2016

Op 03-04-16 om 09:10 schreef Linus Nordberg:
> Willem Toorop <willem at nlnetlabs.nl> wrote
> Sun, 3 Apr 2016 08:45:45 -0300:
> | > Next question is if I can somehow access the canonicalised data that the
> | > validation is based on? From skimming the code, it seems to me that
> | > canonicalisation is performed but I haven't figured out if it's safe to
> | > assume that I could simply use the data in getdns_list's that I passed
> | > to getdns_validate_dnssec2() once it returns.
> | 
> | No, the verification buffers are temporarily used for the verification
> | process only.  But why do you need the canonicalized form?
> (Cross posting to dnssec-transparency@ where this discussion is more on
> topic.)
> A DNSSEC Transparency log server should store RR's in canonicalised form
> in order to be able to return an old SCT when a submitted record already
> exists in the log. Without this it'd be even easier to spam a log to
> death.
> At least that's my understanding of why this is important. Another less
> important reason would be to make it easier for auditors and monitors to
> verify log behaviour and content.

Ok... well, then we need to do something about it :)
So, the conversion to wireformat functions already get rid of
compression if you remove the /rdata/rdata_raw fields from the rr_dicts.
 I suppose it could be an extra parameter in that conversion function to
write out canonicalized form.  Or a different function names...  for

    const getdns_dict *rr_dict, uint8_t **wire, size_t *wire_sz);

	const getdns_dict *rr_dict, uint8_t *wire, size_t *wire_sz);

	const getdns_dict *rr_dict, uint8_t **wire, size_t *wire_sz);

What do you think?

Are you only converting individual rr_dict's or complete replies as
well?  For complete replies it could also be interesting (for other use
cases) to explicitly ask for name compression.

> Thinking some more about it, duplicate checks should probably be
> performed on the submitted DS record (and possibly its accompanying
> RRSIG) only. I'm still pretty sure it should be canonicalised.

More information about the Users mailing list