[getdns-users] STUB mode, does it validate DNSSEC security?
Allison Mankin
allison.mankin at gmail.com
Thu Feb 25 16:42:08 UTC 2016
Hello, Rick,
Taking your comments/questions one by one:
0. We really intend a conjunction, not a disjunction, with the point about
DNS folk, and we encourage DNS folks actively. Case in point, our
participation in the IETF's hackathons with getdns.

1. That's a valid issue about the STUB mode definition. Our getdns
implementation started with the spec, which is a consensus document, and
over time we have enhanced STUB mode so that it is fully capable of
performing DNSSEC validation, without revising the spec enough to capture
this. In stub-only mode, the stub can validate DNSSEC, but it doesn't
perform all the functions of the caching recursive resolver. getdns uses
libunbound when it is in recursive mode, but not when it is a validating
stub. There's a great discussion of validating stubs, with lots of detail,
that Willem Toorop presented at vBSDcon in September 2015, that I think
would make this all very clear to you:
https://www.youtube.com/watch?v=73M7h56Dsas

2. Release 0.9 added excellent helpers to make getdns easier to work with
from C. They were described in the email about the release, and you can
find them in the 0.9 ChangeLog on GitHub (hey, others on the core team:
let's make this info clearer on the website too). Melinda Shore blogged
about this too, but I'm not finding a link to the blog right now, perhaps
due to insufficient caffeine today.

3. As noted in 1), getdns in stub-only mode readily does DNSSEC validation
for itself on the end-system.
Interesting point about the API. I hope others will comment in detail.
Thank you for writing. We're glad to continue discussion.
Allison
(getdns Team Coordinator)
> Hello,
>
> I'm looking into GetDNS, curious about a new player on the landscape,
> and have a few beginner's questions, if I may. I noticed it is "not by
> DNS folk for DNS folk", so as a "DNS person" I may not be the
> targeted audience. Still:
>
> 1. The documentation mentions STUB mode in a number of places, but does
> not accurately define it. I found that it means dropping the Unbound
> dependency; but does that mean that it won't perform DNSSEC validation,
> or just that it won't cache, or...? How is this impacting the
> experience from the GetDNS API?
> 2. I was looking into GetDNS as a possible alternative for libunbound
> (and got a bit confused because they're both from NLnet Labs) and if I'm
> getting it correctly, then GetDNS is meant to be wrapped for
> script-style languages, but given the string-indexed dictionary
> structures returned it strikes me as more complex to use in a C program
> than libunbound; or am I missing something?
> 3. Part of my wondering is that I don't know if GetDNS does DNSSEC for
> itself, or delegates these duties to libunbound.
>
> Finally, if I was making an easy API to DNS then I would have
> created "DNS objects" that hold a path ("lookup SRV, take out port and
> protocol, lookup TLSA record") to a piece of data in DNS, to which they
> "subscribe" by holding it in memory and renewing it just before TTL
> expiration if not yet removed (deleted or GC'd). I would have the
> object send notifications to all listeners (such as "validated
> certificate" objects) if anything changed to the DNS data during a
> refresh, including to its validity in terms of DNSSEC. But that's just
> thinking out loud.
>
> Thanks,
> -Rick