[getdns-users] STUB mode, does it validate DNSSEC security?

Willem Toorop willem at nlnetlabs.nl
Fri Feb 26 09:13:49 UTC 2016


Op 25-02-16 om 10:20 schreef Rick van Rein:
> Finally, if I was making an easy API to DNS then I would have
> created"DNS objects"that hold a path ("lookup SRV, take out port and
> protocol, lookup TLSA record") to a piece of data in DNS, to which they
> "subscribe" by holding it in memory and renewing it just before TTL
> expiration if not yet removed (deleted or GC'd).  I would have the
> object send notifications to all listeners (such as "validated
> certificate" objects) if anything changed to the DNS data during a
> refresh, including to its validity in terms of DNSSEC.  But that's just
> thinking out loud.

Hey Rick!

A subscription service for DNS information (or on a DNS cache even),
taking into account DNS redirects (by SRV, CNAME, MX, NS, or whatever).
 I like that idea a lot!  This would work perfectly well with the whole
eventloop approach that getdns embraces too.

It would also be in line with the "small cache for the sub resolver (for
DS/DNSKEY (or their denial of existence) only in first instance)"
feature that we have on our wishlist.

This would be a great hackathon project for the IETF95 too.
Too many fun & interesting things to do, too little time... :(

Maybe we could discuss API prototypes for such an API if your in the
neighbourhood sometime?

-- Willem

> 
> 
> Thanks,
>  -Rick
> _______________________________________________
> Users mailing list
> Users at getdnsapi.net
> http://getdnsapi.net/mailman/listinfo/users
> 




More information about the Users mailing list