[getdns-users] STUB mode, does it validate DNSSEC security?
Rick van Rein
rick at openfortress.nl
Thu Feb 25 09:20:50 UTC 2016
Hello,
I'm looking into GetDNS, curious about a new player on the landscape,
and have a few beginner's questions, if I may. I noticed it is "not by
DNS folk for DNS folk", so as a "DNS person" I may not be the
targeted audience. Still:
1. The documentation mentions STUB mode in a number of places, but does
not accurately define it. I found that it means dropping the Unbound
dependency; but does that mean that it won't perform DNSSEC validation,
or just that it won't cache, or...? How is this impacting the
experience from the GetDNS API?
2. I was looking into GetDNS as a possible alternative for libunbound
(and got a bit confused because they're both from NLNet Labs) and if I'm
getting it correctly, then GetDNS is meant to be wrapped for
script-style languages, but given the string-indexed dictionary
structures returned it strikes me as more complex to use in a C program
than libunbound; or am I missing something?
3. Part of my wondering is that I don't know if GetDNS does DNSSEC for
itself, or delegates these duties to libunbound.
Finally, if I was making an easy API to DNS then I would have
created "DNS objects" that hold a path ("lookup SRV, take out port and
protocol, lookup TLSA record") to a piece of data in DNS, to which they
"subscribe" by holding it in memory and renewing it just before TTL
expiration if not yet removed (deleted or GC'd). I would have the
object send notifications to all listeners (such as "validated
certificate" objects) if anything changed to the DNS data during a
refresh, including to its validity in terms of DNSSEC. But that's just
thinking out loud.
Thanks,
-Rick
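The "DNS object" design sketched in the message above (a lookup path such as SRV then TLSA, held in memory, refreshed just before the shortest TTL expires, with listeners notified when the data or its DNSSEC status changes), written out as a small simulation. This is an added example, not code from the poster or from the getdns project: the resolver is an in-memory stand-in with an assumed `(qname, rrtype) -> Answer` signature rather than a real getdns or libunbound call, the records are constructed, and the listener signature, the five-second refresh margin and the "weakest link" rule for the path's DNSSEC status are design choices of the example, not anything the message or the library specifies.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Answer:
    """One RRset as returned by the (hypothetical) resolver."""
    rdata: Tuple[str, ...]   # record strings, kept sorted so comparisons are stable
    ttl: int                 # seconds
    dnssec: str              # "secure", "insecure" or "bogus"


# Assumed resolver shape: (qname, rrtype) -> Answer. Stands in for a real
# getdns/libunbound lookup, which this example deliberately does not make.
Resolver = Callable[[str, str], Answer]
# One step of a lookup path: the rrtype to ask for, and how to derive the qname
# from the previous step's answer (None for the first step).
Step = Tuple[str, Callable[[Optional[Answer]], str]]

_RANK = {"secure": 0, "insecure": 1, "bogus": 2}


@dataclass(frozen=True)
class Snapshot:
    """What listeners see: the final RRset, the weakest DNSSEC status on the path, expiry."""
    rdata: Tuple[str, ...]
    dnssec: str
    expires: int


def path_status(statuses: List[str]) -> str:
    """A chain is only as strong as its weakest link: one bogus step spoils the whole path."""
    return max(statuses, key=lambda s: _RANK[s])


def tlsa_name_from_srv(srv: Optional[Answer]) -> str:
    """Derive the TLSA owner name (_port._tcp.target) from the first SRV record."""
    assert srv is not None and srv.rdata, "SRV step produced no records"
    _prio, _weight, port, target = srv.rdata[0].split()
    return f"_{port}._tcp.{target}"


class DnsObject:
    """Holds the result of a lookup path, refreshes it shortly before its TTL runs out
    and tells listeners (callables taking old and new Snapshot) when anything changed."""

    def __init__(self, resolver: Resolver, steps: List[Step], now: int, refresh_margin: int = 5):
        self.resolver, self.steps, self.refresh_margin = resolver, steps, refresh_margin
        self.listeners: List[Callable[[Snapshot, Snapshot], None]] = []
        self.snapshot: Optional[Snapshot] = None
        self.refresh_count = 0
        self.refresh_at = now
        self.refresh(now)

    def subscribe(self, listener: Callable[[Snapshot, Snapshot], None]) -> None:
        self.listeners.append(listener)

    def refresh(self, now: int) -> Snapshot:
        prev: Optional[Answer] = None
        ttls, statuses = [], []
        for rrtype, qname_of in self.steps:          # walk the path, e.g. SRV -> TLSA
            prev = self.resolver(qname_of(prev), rrtype)
            ttls.append(prev.ttl)
            statuses.append(prev.dnssec)
        expires = now + min(ttls)                     # the whole path is stale once any step is
        new = Snapshot(prev.rdata, path_status(statuses), expires)
        self.refresh_at = max(now + 1, expires - self.refresh_margin)
        self.refresh_count += 1
        old, self.snapshot = self.snapshot, new
        # Notify on any change to the data *or* to its DNSSEC validity, as the sketch asks.
        if old is not None and (old.rdata, old.dnssec) != (new.rdata, new.dnssec):
            for cb in self.listeners:
                cb(old, new)
        return new

    def tick(self, now: int) -> Snapshot:
        """Called from a timer/event loop; refreshes only when the refresh point is reached."""
        if now >= self.refresh_at:
            self.refresh(now)
        return self.snapshot


def demo() -> Dict[str, object]:
    """Drive one object through a TTL cycle with constructed records; returns what happened."""
    zone: Dict[Tuple[str, str], Answer] = {   # constructed sample data, not real DNS
        ("_xmpp-client._tcp.example.com.", "SRV"): Answer(("10 0 5222 xmpp.example.com.",), 300, "secure"),
        ("_5222._tcp.xmpp.example.com.", "TLSA"): Answer(("3 1 1 0011223344",), 60, "secure"),
    }
    steps: List[Step] = [("SRV", lambda _: "_xmpp-client._tcp.example.com."),
                         ("TLSA", tlsa_name_from_srv)]
    obj = DnsObject(lambda q, t: zone[(q, t)], steps, now=0)
    events: List[Tuple[str, str]] = []
    obj.subscribe(lambda old, new: events.append((old.dnssec, new.dnssec)))
    obj.tick(30)   # TLSA TTL is 60: nothing to do yet
    # The TLSA RRset stops validating (e.g. a botched key rollover); the data itself is unchanged.
    zone[("_5222._tcp.xmpp.example.com.", "TLSA")] = Answer(("3 1 1 0011223344",), 60, "bogus")
    obj.tick(40)   # still before the refresh point (60 - 5)
    obj.tick(55)   # refresh: status went secure -> bogus, listeners are told
    obj.tick(56)   # fresh again, nothing happens
    return {"refreshes": obj.refresh_count, "events": events, "final": obj.snapshot}
```

A "validated certificate" listener would use the `(old, new)` callback to drop its trust decision the moment `new.dnssec` is no longer `"secure"`, without ever polling DNS itself; the object, not the consumer, owns the TTL bookkeeping.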