[getdns-users] Example using the "dnssec_return_validation_chain" extension

Linus Nordberg linus at nordberg.se
Sun Apr 3 16:59:52 UTC 2016


Willem Toorop <willem at nlnetlabs.nl> wrote
Sun, 3 Apr 2016 12:46:24 -0300:

| Op 03-04-16 om 09:10 schreef Linus Nordberg:
| > Willem Toorop <willem at nlnetlabs.nl> wrote
| > Sun, 3 Apr 2016 08:45:45 -0300:
| > 
| > | > Next question is if I can somehow access the canonicalised data that the
| > | > validation is based on? From skimming the code, it seems to me that
| > | > canonicalisation is performed but I haven't figured out if it's safe to
| > | > assume that I could simply use the data in getdns_list's that I passed
| > | > to getdns_validate_dnssec2() once it returns.
| > | 
| > | No, the verification buffers are temporarily used for the verification
| > | process only.  But why do you need the canonicalized form?
| > 
| > (Cross posting to dnssec-transparency@ where this discussion is more on
| > topic.)
| > 
| > A DNSSEC Transparency log server should store RR's in canonicalised form
| > in order to be able to return an old SCT when a submitted record already
| > exists in the log. Without this it'd be even easier to spam a log to
| > death.
| > 
| > At least that's my understanding of why this is important. Another less
| > important reason would be to make it easier for auditors and monitors to
| > verify log behaviour and content.
| 
| Ok... well, then we need to do something about it :)
| So, the conversion to wireformat functions already get rid of
| compression if you remove the /rdata/rdata_raw fields from the rr_dicts.
| I suppose it could be an extra parameter in that conversion function to
| write out canonicalized form.  Or different function names...  for
| example:
| 
| getdns_return_t
| getdns_rr_dict2canonical_wire(
|     const getdns_dict *rr_dict, uint8_t **wire, size_t *wire_sz);
| 
| getdns_return_t
| getdns_rr_dict2canonical_wire_buf(
|     const getdns_dict *rr_dict, uint8_t *wire, size_t *wire_sz);
| 
| getdns_return_t
| getdns_rr_dict2canonical_wire_scan(
|     const getdns_dict *rr_dict, uint8_t **wire, size_t *wire_sz);
| 
| What do you think?

That'd be very useful for my purposes.


| Are you only converting individual rr_dict's or complete replies as
| well?  For complete replies it could also be interesting (for other use
| cases) to explicitly ask for name compression.

My validation program reads a set of RR's in wire format where the first
RR is a DS RR, the next one is an RRSIG RR covering the previous DS RR
and the rest are "support records", including RRSIG's.
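The canonical form discussed above is what lets a transparency log recognise a resubmitted record regardless of owner-name case, name compression or the TTL a resolver happened to see. As an added illustration (not getdns code and not the API Willem proposes), the following standalone C sketch produces the RFC 4034 section 6.2 canonical wire form of one uncompressed RR and implements the section 6.3 RDATA ordering used inside an RRset. It assumes the input RR is already uncompressed, takes the covering RRSIG's Original TTL as a parameter, and only handles RR types whose RDATA carries no domain names (such as the DS records the validation program above reads); the RDATA-name lowercasing that section 6.2 requires for types like NS, CNAME or MX is deliberately left out. The sample DS record, its RDATA and the Original TTL of 300 are all constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parsed view of one uncompressed wire-format RR (owner | type | class | TTL | rdlength | rdata). */
typedef struct {
    const uint8_t *owner; size_t owner_len;   /* wire-format owner name, no compression pointers */
    uint16_t type, rrclass;
    uint32_t ttl;
    const uint8_t *rdata; size_t rdata_len;
} rr_view;

/* Length of an uncompressed wire-format name, or 0 if it is truncated or uses compression. */
static size_t name_len(const uint8_t *p, size_t avail) {
    size_t i = 0;
    while (i < avail) {
        uint8_t l = p[i];
        if (l == 0) return i + 1;
        if (l > 63) return 0;                 /* 0xC0 compression pointer or bogus label length */
        i += 1 + l;
    }
    return 0;
}

static int parse_rr(const uint8_t *buf, size_t len, rr_view *rr) {
    size_t n = name_len(buf, len);
    if (n == 0 || len < n + 10) return -1;
    const uint8_t *p = buf + n;
    rr->owner = buf; rr->owner_len = n;
    rr->type    = (uint16_t)((p[0] << 8) | p[1]);
    rr->rrclass = (uint16_t)((p[2] << 8) | p[3]);
    rr->ttl = ((uint32_t)p[4] << 24) | ((uint32_t)p[5] << 16) | ((uint32_t)p[6] << 8) | p[7];
    rr->rdata_len = (size_t)((p[8] << 8) | p[9]);
    rr->rdata = p + 10;
    return len < n + 10 + rr->rdata_len ? -1 : 0;
}

/* RFC 4034 lowercases only US-ASCII A-Z; do not depend on the C locale here. */
static uint8_t lower_ascii(uint8_t c) { return (c >= 'A' && c <= 'Z') ? (uint8_t)(c + 32) : c; }

/* RFC 4034 section 6.2 canonical form: uncompressed owner with ASCII letters lowercased, TTL set
   to the covering RRSIG's Original TTL, RDATA copied as-is. Valid for types whose RDATA carries
   no domain names (DS, DNSKEY, A, AAAA, ...); types such as NS or MX would also need their RDATA
   names lowercased, which this example deliberately does not implement. Returns bytes written. */
static size_t rr_to_canonical_wire(const rr_view *rr, uint32_t orig_ttl, uint8_t *out, size_t out_sz) {
    size_t need = rr->owner_len + 10 + rr->rdata_len, i = 0;
    if (out_sz < need) return 0;
    for (size_t pos = 0; pos < rr->owner_len; pos += 1 + rr->owner[pos]) {
        uint8_t l = rr->owner[pos];
        out[i++] = l;
        for (size_t k = 1; k <= l; k++) out[i++] = lower_ascii(rr->owner[pos + k]);
    }
    out[i++] = (uint8_t)(rr->type >> 8);    out[i++] = (uint8_t)rr->type;
    out[i++] = (uint8_t)(rr->rrclass >> 8); out[i++] = (uint8_t)rr->rrclass;
    out[i++] = (uint8_t)(orig_ttl >> 24); out[i++] = (uint8_t)(orig_ttl >> 16);
    out[i++] = (uint8_t)(orig_ttl >> 8);  out[i++] = (uint8_t)orig_ttl;
    out[i++] = (uint8_t)(rr->rdata_len >> 8); out[i++] = (uint8_t)rr->rdata_len;
    memcpy(out + i, rr->rdata, rr->rdata_len);
    return i + rr->rdata_len;
}

/* RFC 4034 section 6.3 canonical RR ordering within an RRset: compare RDATA as left-justified
   unsigned octet strings; a shorter RDATA that is a prefix of a longer one sorts first. */
static int canonical_rdata_cmp(const rr_view *a, const rr_view *b) {
    size_t m = a->rdata_len < b->rdata_len ? a->rdata_len : b->rdata_len;
    int c = memcmp(a->rdata, b->rdata, m);
    if (c != 0) return c;
    return (a->rdata_len > b->rdata_len) - (a->rdata_len < b->rdata_len);
}

/* Constructed sample: a DS RR for "Example.COM." with mixed-case owner, TTL 3600 and made-up RDATA. */
static const uint8_t sample_ds_rr[] = {
    7, 'E','x','a','m','p','l','e', 3, 'C','O','M', 0,            /* owner */
    0x00, 0x2b,  0x00, 0x01,  0x00, 0x00, 0x0e, 0x10,             /* type DS, class IN, TTL 3600 */
    0x00, 0x08,  0x12, 0x34, 0x08, 0x02, 0xde, 0xad, 0xbe, 0xef   /* rdlength 8, constructed rdata */
};
static uint8_t canon_out[64];

/* Canonicalize the sample with a (constructed) RRSIG Original TTL of 300; returns length or 0. */
size_t canonicalize_sample(void) {
    rr_view rr;
    if (parse_rr(sample_ds_rr, sizeof sample_ds_rr, &rr) != 0) return 0;
    return rr_to_canonical_wire(&rr, 300, canon_out, sizeof canon_out);
}

/* Ordering check: full sample RDATA versus a shorter prefix of it; positive means the prefix sorts first. */
int sample_order(void) {
    rr_view a = { .rdata = sample_ds_rr + 23, .rdata_len = 8 };
    rr_view b = { .rdata = sample_ds_rr + 23, .rdata_len = 6 };
    return canonical_rdata_cmp(&a, &b);
}

int main(void) {
    size_t n = canonicalize_sample();
    for (size_t i = 0; i < n; i++) printf("%02x%s", canon_out[i], i + 1 < n ? " " : "\n");
    printf("prefix-ordering cmp: %d\n", sample_order());
    return n == 0;
}
```

Storing (and hashing) the canonical bytes rather than the bytes as received is what makes the "already in the log, return the old SCT" check reliable: two submissions of the same DS record that differ only in owner-name case or in the TTL observed at the resolver collapse to one entry.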
