[getdns-users] Example using the "dnssec_return_validation_chain" extension

Willem Toorop willem at nlnetlabs.nl
Thu Feb 11 09:15:28 UTC 2016


Hi Linus,

Rereading that message you are referring to, I realise that a lot has been
improved since May 2015.

The dnssec_return_validation_chain extension currently works perfectly
in all possible circumstances.  The chain will also contain proofs for
insecure zones.

The record_to_validate parameter to getdns_validate_dnssec() may now
also contain a list of reply dicts to validate actual DNS packets.  This
also allows validating proof of denial of existence or insecure
NXDOMAINs etc.

The getdns_query program (did you compile the binary with
--with-getdns_query ?) contains example usage of getdns_validate_dnssec
and will revalidate the answer with getdns_validate_dnssec() when the
dnssec_return_validation_chain was used.  This happens in function
validate_chain on line 537 of getdns_query.c.

It basically boils down to:

#include <stdio.h>
#include <getdns/getdns.h>

/* The getdns context the query was done with (a global in getdns_query.c) */
extern getdns_context *context;

getdns_return_t validate_chain(getdns_dict *response)
{
	getdns_return_t r = GETDNS_RETURN_GENERIC_ERROR;
	getdns_list  *trust_anchor;
	getdns_list  *validation_chain;
	getdns_list  *replies_tree;

	/* Get the trust anchors from the context; fall back to the
	 * built-in root trust anchor when none are configured ...
	 */
	if (getdns_context_get_dnssec_trust_anchors(
	    context, &trust_anchor))
		trust_anchor = getdns_root_trust_anchor(NULL);

	if (!trust_anchor)
		fprintf(stderr, "No trust anchor to validate with.\n");

	/* ... get the validation chain (the DS/DNSKEY RR-dicts with their
	 * RRSIGs that the dnssec_return_validation_chain extension added) ...
	 */
	else if ((r = getdns_dict_get_list(
	    response, "validation_chain", &validation_chain)))
		fprintf(stderr, "Could not get validation chain\n");

	/* ... get the replies tree (the actual DNS replies to validate) ...
	 */
	else if ((r = getdns_dict_get_list(
	    response, "replies_tree", &replies_tree)))
		fprintf(stderr, "Could not get replies tree\n");

	/* ... and validate the replies against the chain and the anchors.
	 */
	else switch (getdns_validate_dnssec(
	    replies_tree, validation_chain, trust_anchor)) {

	case GETDNS_DNSSEC_SECURE  : printf("Replies are secure\n");
	                             return GETDNS_RETURN_GOOD;

	case GETDNS_DNSSEC_INDETERMINATE:
	case GETDNS_DNSSEC_INSECURE: printf("Replies are insecure\n");
	                             return GETDNS_RETURN_GOOD;

	case GETDNS_DNSSEC_BOGUS   : printf("Replies are bogus\n");
	                             return GETDNS_RETURN_GOOD;

	default                    : /* Not possible to get here */
	                             fprintf( stderr
	                                    , "Unknown dnssec status\n");
	                             return GETDNS_RETURN_GENERIC_ERROR;
	}
	/* Only reached when no trust anchor or a list lookup failed */
	return r;
}

Op 10-02-16 om 20:44 schreef Linus Nordberg:
> Hi list,
> 
> I've been trying to use the "dnssec_return_validation_chain" extension,
> so far without luck. I define luck as seeing a "validation_chain"
> section in a reply. I have verified that my context has proper trust
> anchor(s).
> 
> It'd be great to be able to run some example code, C or Python, to rule
> out local problems at my end.
> 
> My ultimate goal with this exercise is to understand what to pass in the
> support_records argument to getdns_validate_dnssec(). The rationale
> behind this is
> https://getdnsapi.net/pipermail/users/2015-May/000032.html which says
> 
> --8<---------------cut here---------------start------------->8---
> - bundle_of_support_records must be a list of DS's RR-dicts and DNSKEY
> RR-dicts with companion RRSIG-RR-dicts that lead up from one of the
> trust_anchors to the RR-dicts to validate.
> ...
> If you would do a query with the "dnssec_return_validation_chain"
> extension, you can use the "validation_chain" key in the response dict
> as the bundle_of_support_records parameter to getdns_validate_dnssec.
> --8<---------------cut here---------------end--------------->8---
> 
> Thanks,
> Linus