[getdns-users] Example using the "dnssec_return_validation_chain" extension
Willem Toorop
willem at nlnetlabs.nl
Thu Feb 11 09:25:24 UTC 2016
I know you're interested in validating resource records at specified
moments. I'll try to expose a "non-API" version of the
getdns_validate_dnssec() function with that extra parameter in the
upcoming release, i.e.
getdns_return_t getdns_validate_dnssec2(
        getdns_list *to_validate,
        getdns_list *bundle_of_support_records,
        getdns_list *trust_anchor_records,
        time_t moment
);
OK?
-- Willem
On 11-02-16 at 10:15, Willem Toorop wrote:
> Hi Linus,
>
> Rereading that message you are referring, I realise that a lot has been
> improved since may 2015.
>
> The dnssec_return_validation_chain extension currently works perfectly
> in all possible circumstances. The chain will also contain proofs for
> insecure zones.
>
> The record_to_validate parameter to getdns_validate_dnssec() may now
> also contain a list of reply dicts to validate actual DNS packets. This
> also allows validating proofs of denial of existence, insecure
> NXDOMAINs, etc.
>
> The getdns_query program (did you compile the binary with
> --with-getdns_query ?) contains example usage of getdns_validate_dnssec
> and will revalidate the answer with getdns_validate_dnssec() when the
> dnssec_return_validation_chain was used. This happens in function
> validate_chain on line 537 of getdns_query.c.
>
> It basically boils down to:
>
> #include <stdio.h>
> #include <getdns/getdns.h>
> #include <getdns/getdns_extra.h>   /* getdns_root_trust_anchor() */
>
> /* `context` is the getdns_context that getdns_query.c keeps as a global */
> extern getdns_context *context;
>
> getdns_return_t validate_chain(getdns_dict *response)
> {
>         getdns_return_t r = GETDNS_RETURN_GENERIC_ERROR;
>         getdns_list *trust_anchor;
>         getdns_list *validation_chain;
>         getdns_list *replies_tree;
>
>         /* Get the trust anchors from the context, falling back to the
>          * built-in root trust anchor ...
>          */
>         if (getdns_context_get_dnssec_trust_anchors(
>             context, &trust_anchor))
>                 trust_anchor = getdns_root_trust_anchor(NULL);
>
>         if (!trust_anchor)
>                 fprintf(stderr, "No trust anchor to validate with.\n");
>
>         /* ... get the validation chain (the bundle of support records) ...
>          */
>         else if ((r = getdns_dict_get_list(
>             response, "validation_chain", &validation_chain)))
>                 fprintf(stderr, "Could not get validation chain\n");
>
>         /* ... get the replies tree (the records to validate) ...
>          */
>         else if ((r = getdns_dict_get_list(
>             response, "replies_tree", &replies_tree)))
>                 fprintf(stderr, "Could not get replies tree\n");
>
>         /* ... and validate.
>          */
>         else switch (getdns_validate_dnssec(
>             replies_tree, validation_chain, trust_anchor)) {
>
>         case GETDNS_DNSSEC_SECURE       : printf("Replies are secure\n");
>                                           return GETDNS_RETURN_GOOD;
>
>         case GETDNS_DNSSEC_INDETERMINATE:
>         case GETDNS_DNSSEC_INSECURE     : printf("Replies are insecure\n");
>                                           return GETDNS_RETURN_GOOD;
>
>         case GETDNS_DNSSEC_BOGUS        : printf("Replies are bogus\n");
>                                           return GETDNS_RETURN_GOOD;
>
>         default                         : /* Not possible to get here */
>                                           fprintf( stderr
>                                                  , "Unknown dnssec status\n");
>                                           return GETDNS_RETURN_GENERIC_ERROR;
>         }
>         /* Only reached when a trust anchor or a list could not be obtained */
>         return r;
> }
>
> On 10-02-16 at 20:44, Linus Nordberg wrote:
>> Hi list,
>>
>> I've been trying to use the "dnssec_return_validation_chain" extension,
>> so far without luck. I define luck as seeing a "validation_chain"
>> section in a reply. I have verified that my context has proper trust
>> anchor(s).
>>
>> It'd be great to be able to run some example code, C or Python, to rule
>> out local problems at my end.
>>
>> My ultimate goal with this exercise is to understand what to pass in the
>> support_records argument to getdns_validate_dnssec(). The rationale
>> behind this is
>> https://getdnsapi.net/pipermail/users/2015-May/000032.html which says
>>
>> --8<---------------cut here---------------start------------->8---
>> - bundle_of_support_records must be a list of DS's RR-dicts and DNSKEY
>> RR-dicts with companion RRSIG-RR-dicts that lead up from one of the
>> trust_anchors to the RR-dicts to validate.
>> ...
>> If you would do a query with the "dnssec_return_validation_chain"
>> extension, you can use the "validation_chain" key in the response dict
>> as the bundle_of_support_records parameter to getdns_validate_dnssec.
>> --8<---------------cut here---------------end--------------->8---
>>
>> Thanks,
>> Linus
>> _______________________________________________
>> Users mailing list
>> Users at getdnsapi.net
>> http://getdnsapi.net/mailman/listinfo/users
>>
>
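Since the thread is about what the bundle_of_support_records has to contain (DS and DNSKEY RR-dicts with their RRSIGs, leading from a trust anchor down to the records to validate), here is an added Python example, written for this page and not taken from getdns, getdns_query.c or either poster, that checks exactly that structure before a chain is handed to getdns_validate_dnssec(). It verifies no signatures; it only follows the key-tag links (anchor DS -> DNSKEY signer, parent DS -> child DNSKEY signer) and reports which link is missing. It assumes getdns-style RR dicts with "name", "type" and "rdata" keys, RFC 4034 field names inside "rdata", owner names as dotted strings, and trust anchors in DS form; the sample chain for www.example.test. and all key tags in it are constructed.

```python
# Added example (not getdns code, not from either poster): a structural
# pre-check of a "validation_chain" before it is used as the
# bundle_of_support_records argument of getdns_validate_dnssec().
# Assumptions: getdns-style RR dicts ("name", "type", "rdata"), RFC 4034
# field names inside "rdata", dotted-string owner names, DS trust anchors.

DNSKEY, DS, RRSIG, A = 48, 43, 46, 1  # RR type numbers


def rr(name, rrtype, **rdata):
    """Build a getdns-style RR dict (constructed sample data)."""
    return {"name": name, "type": rrtype, "class": 1, "ttl": 3600,
            "rdata": rdata}


def _is_parent(zone, name):
    """True when `zone` is a proper ancestor of `name`."""
    return zone != name and (zone == "." or name.endswith("." + zone))


def _rrsigs(records, name, covered):
    """RRSIG dicts at `name` covering RR type `covered`."""
    return [r for r in records if r["type"] == RRSIG
            and r["name"] == name and r["rdata"]["type_covered"] == covered]


def check_support_chain(to_validate, support, trust_anchors):
    """Return the list of missing links; empty means every record in
    `to_validate` is linked through `support` to one of `trust_anchors`."""
    problems = []
    pool = list(to_validate) + list(support)
    anchor_tags = {}  # zone name -> key tags named by its DS trust anchors
    for ta in trust_anchors:
        if ta["type"] == DS:
            anchor_tags.setdefault(ta["name"], set()).add(ta["rdata"]["key_tag"])

    # 1. every non-RRSIG record must carry an RRSIG; collect the signer zones
    zones = set()
    for record in to_validate:
        if record["type"] == RRSIG:
            continue
        sigs = _rrsigs(pool, record["name"], record["type"])
        if not sigs:
            problems.append(f"no RRSIG over {record['name']} type {record['type']}")
        zones.update(s["rdata"]["signers_name"] for s in sigs)

    # 2. walk each signer zone upwards until a trust anchor is reached
    for zone in sorted(zones):
        while True:
            if not any(r["type"] == DNSKEY and r["name"] == zone for r in support):
                problems.append(f"no DNSKEY RRset for {zone}")
                break
            # key tags of the keys that signed this zone's own DNSKEY RRset
            ktags = {s["rdata"]["key_tag"] for s in _rrsigs(support, zone, DNSKEY)
                     if s["rdata"]["signers_name"] == zone}
            if not ktags:
                problems.append(f"DNSKEY RRset of {zone} is not self-signed")
                break
            if zone in anchor_tags:
                # the anchor DS must name the key that signed the DNSKEY set
                if not ktags & anchor_tags[zone]:
                    problems.append(f"trust anchor for {zone} does not match DNSKEY signer")
                break
            if zone == ".":
                problems.append("reached . without a matching trust anchor")
                break
            # the DS in the parent must point at the same key, and the DS
            # RRset itself must be signed by a parent zone
            if not any(r["type"] == DS and r["name"] == zone
                       and r["rdata"]["key_tag"] in ktags for r in support):
                problems.append(f"no DS for {zone} matching its DNSKEY signer")
                break
            parents = [s["rdata"]["signers_name"] for s in _rrsigs(support, zone, DS)
                       if _is_parent(s["rdata"]["signers_name"], zone)]
            if not parents:
                problems.append(f"DS RRset of {zone} is not signed by its parent")
                break
            zone = parents[0]  # continue with the parent zone
    return problems


# Constructed chain for www.example.test. (all key tags are made up)
TRUST_ANCHORS = [rr(".", DS, key_tag=2000, algorithm=8, digest_type=2,
                    digest=b"\x00" * 32)]
SUPPORT = [
    rr(".", DNSKEY, flags=257, protocol=3, algorithm=8, public_key=b"root-ksk"),
    rr(".", RRSIG, type_covered=DNSKEY, signers_name=".", key_tag=2000),
    rr("test.", DS, key_tag=3000, algorithm=8, digest_type=2, digest=b"\x01" * 32),
    rr("test.", RRSIG, type_covered=DS, signers_name=".", key_tag=2001),
    rr("test.", DNSKEY, flags=257, protocol=3, algorithm=8, public_key=b"test-ksk"),
    rr("test.", RRSIG, type_covered=DNSKEY, signers_name="test.", key_tag=3000),
    rr("example.test.", DS, key_tag=4000, algorithm=8, digest_type=2,
       digest=b"\x02" * 32),
    rr("example.test.", RRSIG, type_covered=DS, signers_name="test.", key_tag=3001),
    rr("example.test.", DNSKEY, flags=257, protocol=3, algorithm=8,
       public_key=b"example-ksk"),
    rr("example.test.", RRSIG, type_covered=DNSKEY, signers_name="example.test.",
       key_tag=4000),
]
TO_VALIDATE = [
    rr("www.example.test.", A, ipv4_address="192.0.2.1"),
    rr("www.example.test.", RRSIG, type_covered=A, signers_name="example.test.",
       key_tag=4001),
]

if __name__ == "__main__":
    print(check_support_chain(TO_VALIDATE, SUPPORT, TRUST_ANCHORS) or "chain complete")
    without_ds = [r for r in SUPPORT if not (r["name"] == "test." and r["type"] == DS)]
    print(check_support_chain(TO_VALIDATE, without_ds, TRUST_ANCHORS))
```

Run against a real response, the two lists come from the "replies_tree" and "validation_chain" keys and the trust anchors from getdns_context_get_dnssec_trust_anchors(); an empty result only says the bundle is complete, the cryptographic verdict (secure, insecure, bogus) still comes from getdns_validate_dnssec().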