[getdns-users] Example using the "dnssec_return_validation_chain" extension

Willem Toorop willem at nlnetlabs.nl
Wed Apr 6 14:35:13 UTC 2016


On 03-04-16 at 13:59, Linus Nordberg wrote:
> Willem Toorop <willem at nlnetlabs.nl> wrote
> Sun, 3 Apr 2016 12:46:24 -0300:
> 
> | On 03-04-16 at 09:10, Linus Nordberg wrote:
> | > Willem Toorop <willem at nlnetlabs.nl> wrote
> | > Sun, 3 Apr 2016 08:45:45 -0300:
> | > 
> | > | > Next question is if I can somehow access the canonicalised data that the
> | > | > validation is based on? From skimming the code, it seems to me that
> | > | > canonicalisation is performed but I haven't figured out if it's safe to
> | > | > assume that I could simply use the data in getdns_list's that I passed
> | > | > to getdns_validate_dnssec2() once it returns.
> | > | 
> | > | No, the verification buffers are temporarily used for the verification
> | > | process only.  But why do you need the canonicalized form?
> | > 
> | > (Cross posting to dnssec-transparency@ where this discussion is more on
> | > topic.)
> | > 
> | > A DNSSEC Transparency log server should store RR's in canonicalised form
> | > in order to be able to return an old SCT when a submitted record already
> | > exists in the log. Without this it'd be even easier to spam a log to
> | > death.
> | > 
> | > At least that's my understanding of why this is important. Another less
> | > important reason would be to make it easier for auditors and monitors to
> | > verify log behaviour and content.
> | 
> | Ok... well, then we need to do something about it :)
> | So, the conversion to wireformat functions already get rid of
> | compression if you remove the /rdata/rdata_raw fields from the rr_dicts.
> | I suppose it could be an extra parameter in that conversion function to
> | write out canonicalized form.  Or different function names...  for
> | example:
> | 
> | getdns_return_t
> | getdns_rr_dict2canonical_wire(
> |     const getdns_dict *rr_dict, uint8_t **wire, size_t *wire_sz);
> | 
> | getdns_return_t
> | getdns_rr_dict2canonical_wire_buf(
> |     const getdns_dict *rr_dict, uint8_t *wire, size_t *wire_sz);
> | 
> | getdns_return_t
> | getdns_rr_dict2canonical_wire_scan(
> |     const getdns_dict *rr_dict, uint8_t **wire, size_t *wire_sz);
> | 
> | What do you think?
> 
> That'd be very useful for my purposes.

Yes, I've been chewing on this a little bit, and considering that
canonical order also seems important, perhaps we can come up with some
more generic functions.

For example one to canonicalize a single rr_dict:

getdns_return_t
getdns_rr_dict_canonicalize(
    const getdns_dict *rr_dict, getdns_dict **canonicalized_rr_dict);

and one to sort:

getdns_return_t
getdns_rr_dicts_sort(const getdns_list *unsorted, getdns_list **sorted);

where the sorting function makes sure the signature rr_dicts are right
behind the rrsets they sign.

What do you think?

-- Willem
> 
> 
> | Are you only converting individual rr_dict's or complete replies as
> | well?  For complete replies it could also be interesting (for other use
> | cases) to explicitly ask for name compression.
> 
> My validation program reads a set of RR's in wire format where the first
> RR is a DS RR, the next one is an RRSIG RR covering the previous DS RR
> and the rest are "support records", including RRSIG's.
> 
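To make concrete what the canonical form and canonical ordering discussed in this thread involve (RFC 4034, section 6), here is an added Python example; it is not getdns code and does not use the proposed getdns_rr_dict_canonicalize()/getdns_rr_dicts_sort() API, but works on wire-format RRs held in a small RR tuple, which is what such functions would produce from rr_dicts. The sample RRset is constructed, and RDATA downcasing is implemented only for the single-name types listed in the code.

```python
import struct
from typing import Iterable, List, NamedTuple
# NS, CNAME, PTR, DNAME: RDATA is exactly one domain name (subset of RFC 4034 s6.2 list).
SINGLE_NAME_RDATA = {2, 5, 12, 39}

class RR(NamedTuple):
    owner: bytes    # uncompressed wire-format owner name
    rrtype: int
    rrclass: int
    ttl: int
    rdata: bytes    # uncompressed wire-format RDATA

def name_to_wire(name: str) -> bytes:
    """Encode a presentation-format name as uncompressed wire labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def lowercase_name(wire: bytes) -> bytes:
    """Downcase ASCII letters label by label, leaving length octets intact."""
    out, i = b"", 0
    while i < len(wire):
        n = wire[i]
        out += bytes([n]) + wire[i + 1:i + 1 + n].lower()
        i += 1 + n
    return out

def canonicalize(rr: RR, original_ttl: int) -> RR:
    """s6.2: downcase owner (and single-name RDATA); TTL := RRSIG Original TTL."""
    rdata = lowercase_name(rr.rdata) if rr.rrtype in SINGLE_NAME_RDATA else rr.rdata
    return RR(lowercase_name(rr.owner), rr.rrtype, rr.rrclass, original_ttl, rdata)

def canonical_rrset(rrs: Iterable[RR], original_ttl: int) -> List[RR]:
    """s6.3: order by RDATA as left-justified unsigned octets; drop duplicates."""
    return sorted({canonicalize(r, original_ttl) for r in rrs}, key=lambda r: r.rdata)

def rr_to_wire(rr: RR) -> bytes:
    """Serialize one canonical RR as it is fed to the signature hash (s3.1.8.1)."""
    header = struct.pack("!HHIH", rr.rrtype, rr.rrclass, rr.ttl, len(rr.rdata))
    return rr.owner + header + rr.rdata

# Constructed sample RRset: mixed-case owner, inconsistent TTLs, one duplicate.
SAMPLE_RRSET = [
    RR(name_to_wire("WWW.Example.ORG"), 1, 1, 300, bytes([192, 0, 2, 10])),
    RR(name_to_wire("www.example.org"), 1, 1, 60, bytes([192, 0, 2, 1])),
    RR(name_to_wire("www.example.org."), 1, 1, 300, bytes([192, 0, 2, 10])),
]
```

Feeding `rr_to_wire()` of each RR from `canonical_rrset()` in order is what a log server would hash or compare to detect a resubmitted record regardless of owner-name case, TTL or RR order in the submission.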