[getdns-users] STUB mode, does it validate DNSSEC security?

Rick van Rein rick at openfortress.nl
Thu Feb 25 09:20:50 UTC 2016


Hello,

I'm looking into GetDNS, curious about a new player on the landscape,
and have a few beginner's questions, if I may.  I noticed it is "not by
DNS folk for DNS folk", so as a "DNS person" I may not be the
targeted audience.  Still:


1. The documentation mentions STUB mode in a number of places, but does
not accurately define it.  I found that it means dropping the Unbound
dependency; but does that mean that it won't perform DNSSEC validation,
or just that it won't cache, or...?  How is this impacting the
experience from the GetDNS API?

2. I was looking into GetDNS as a possible alternative for libunbound
(and got a bit confused because they're both from NLNet Labs) and if I'm
getting it correctly, then GetDNS is meant to be wrapped for
script-style languages, but given the string-indexed dictionary
structures returned it strikes me as more complex to use in a C program
than libunbound; or am I missing something?

3. Part of my wondering is that I don't know if GetDNS does DNSSEC for
itself, or delegates these duties to libunbound.


Finally, if I was making an easy API to DNS then I would have
created "DNS objects" that hold a path ("lookup SRV, take out port and
protocol, lookup TLSA record") to a piece of data in DNS, to which they
"subscribe" by holding it in memory and renewing it just before TTL
expiration if not yet removed (deleted or GC'd).  I would have the
object send notifications to all listeners (such as "validated
certificate" objects) if anything changed to the DNS data during a
refresh, including to its validity in terms of DNSSEC.  But that's just
thinking out loud.


Thanks,
 -Rick