[getdns-users] Example using the "dnssec_return_validation_chain" extension
Willem Toorop
willem at nlnetlabs.nl
Thu Feb 11 09:15:28 UTC 2016
Hi Linus,
Rereading the message you are referring to, I realise that a lot has been
improved since May 2015.
The dnssec_return_validation_chain extension currently works perfectly
in all possible circumstances. The chain will also contain proofs for
insecure zones.
The record_to_validate parameter to getdns_validate_dnssec() may now
also contain a list of reply dicts to validate actual DNS packets. This
also allows validating proofs of denial of existence, insecure
NXDOMAINs, etc.
The getdns_query program (did you compile the binary with
--with-getdns_query?) contains example usage of getdns_validate_dnssec
and will revalidate the answer with getdns_validate_dnssec() when the
dnssec_return_validation_chain was used. This happens in function
validate_chain on line 537 of getdns_query.c.
It basically boils down to:
#include <stdio.h>
#include <getdns/getdns.h>

/* context is the getdns_context the program created earlier
 * (a global in getdns_query.c). */
extern getdns_context *context;

getdns_return_t validate_chain(getdns_dict *response)
{
	getdns_return_t r = GETDNS_RETURN_GENERIC_ERROR;
	getdns_list *trust_anchor;
	getdns_list *validation_chain;
	getdns_list *replies_tree;

	/* Get the trust anchors, falling back to the built-in root
	 * trust anchor when the context has none configured ...
	 */
	if (getdns_context_get_dnssec_trust_anchors(
	    context, &trust_anchor))
		trust_anchor = getdns_root_trust_anchor(NULL);

	if (!trust_anchor)
		fprintf(stderr, "No trust anchor to validate with.\n");

	/* ... get the validation chain (the DS, DNSKEY and RRSIG records,
	 * plus denial-of-existence proofs, returned by the extension) ...
	 */
	else if ((r = getdns_dict_get_list(
	    response, "validation_chain", &validation_chain)))
		fprintf(stderr, "Could not get validation chain\n");

	/* ... get the replies tree (the list of reply dicts to validate) ...
	 */
	else if ((r = getdns_dict_get_list(
	    response, "replies_tree", &replies_tree)))
		fprintf(stderr, "Could not get replies tree\n");

	/* ... and validate.
	 */
	else switch (getdns_validate_dnssec(
	    replies_tree, validation_chain, trust_anchor)) {
	case GETDNS_DNSSEC_SECURE:
		printf("Replies are secure\n");
		r = GETDNS_RETURN_GOOD;
		break;
	case GETDNS_DNSSEC_INDETERMINATE:
	case GETDNS_DNSSEC_INSECURE:
		printf("Replies are insecure\n");
		r = GETDNS_RETURN_GOOD;
		break;
	case GETDNS_DNSSEC_BOGUS:
		printf("Replies are bogus\n");
		r = GETDNS_RETURN_GOOD;
		break;
	default: /* Not possible to get here */
		fprintf(stderr, "Unknown dnssec status\n");
		r = GETDNS_RETURN_GENERIC_ERROR;
		break;
	}
	/* validation_chain and replies_tree point into response; only the
	 * trust anchor list is ours to destroy. */
	if (trust_anchor)
		getdns_list_destroy(trust_anchor);
	return r;
}
On 10-02-16 at 20:44, Linus Nordberg wrote:
> Hi list,
>
> I've been trying to use the "dnssec_return_validation_chain" extension,
> so far without luck. I define luck as seeing a "validation_chain"
> section in a reply. I have verified that my context has proper trust
> anchor(s).
>
> It'd be great to be able to run some example code, C or Python, to rule
> out local problems at my end.
>
> My ultimate goal with this exercise is to understand what to pass in the
> support_records argument to getdns_validate_dnssec(). The rationale
> behind this is
> https://getdnsapi.net/pipermail/users/2015-May/000032.html which says
>
> --8<---------------cut here---------------start------------->8---
> - bundle_of_support_records must be a list of DS's RR-dicts and DNSKEY
> RR-dicts with companion RRSIG-RR-dicts that lead up from one of the
> trust_anchors to the RR-dicts to validate.
> ...
> If you would do a query with the "dnssec_return_validation_chain"
> extension, you can use the "validation_chain" key in the response dict
> as the bundle_of_support_records parameter to getdns_validate_dnssec.
> --8<---------------cut here---------------end--------------->8---
>
> Thanks,
> Linus
> _______________________________________________
> Users mailing list
> Users at getdnsapi.net
> http://getdnsapi.net/mailman/listinfo/users