[ldns-users] Configuring a trust anchor in ldns?

Jelte Jansen jelte at NLnetLabs.nl
Sun May 6 12:24:15 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Simon Vallet wrote:
> Hi,
> 
> trying to implement a quick-and-dirty signature verification, I
> stumbled on the issue of trust anchor configuration -- this is what I'm
> doing:
> 
> -> fetch the RR I need
> -> fetch the corresponding DNSKEY
> -> call ldns_verify()
> 
> The key in question is a ZSK, which is signed by a domain-wide KSK. Now
> since global DNSSEC deployment will probably take a while, I'd like to
> configure this KSK as a trust anchor in ldns.
> 
> I see entries for TSIG keys in the ldns_struct_resolver struct, but not
> any for trust anchors. Is there a reason for this?
> 

The functions in the main library only verify signatures and keys
directly. There is functionality to find the KSK but this is only in
drill, since this is part of chasing/tracing and 'complete' validation,
which hasn't made it back to the main library yet (the present code is
too specific and not really ready for that (yet)).

Jelte
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGPcju4nZCKsdOncURArEQAJ0QoR/aLQltYlE0vrvNjIXSkknkpQCfUsoz
5YeJuOX6VXz3lbNsUj7YaEU=
=T1YD
-----END PGP SIGNATURE-----
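
Added example (not part of the original message, and not ldns code): since the library calls only verify signatures, the caller has to decide which fetched DNSKEY to trust. This sketch checks a fetched key against a locally configured DS-style anchor using the RFC 4034 key tag and SHA-256 digest. The anchor layout, function names and key bytes are assumptions constructed for illustration; the signature checks themselves are not reproduced.

```python
import hashlib
import hmac
import struct

ZONE_KEY = 0x0100  # DNSKEY flags bit 7: key may be used to verify RRSIGs

def dnskey_rdata(flags, protocol, algorithm, public_key):
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key  # RFC 4034 s2.1

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def name_to_wire(name):
    """Canonical (lower-case) wire form of an owner name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, rdata):
    """SHA-256 DS digest (digest type 2): hash of owner name + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()

def make_anchor(owner, rdata):
    """DS-style trust anchor record for a key obtained out of band."""
    return {"owner": owner, "key_tag": key_tag(rdata),
            "algorithm": rdata[3], "digest": ds_digest(owner, rdata)}

def matches_anchor(owner, rdata, anchor):
    """True only if a fetched DNSKEY is exactly the configured anchor key."""
    return bool(len(rdata) >= 4
                and int.from_bytes(rdata[:2], "big") & ZONE_KEY
                and name_to_wire(owner) == name_to_wire(anchor["owner"])
                and rdata[3] == anchor["algorithm"]
                and key_tag(rdata) == anchor["key_tag"]
                and hmac.compare_digest(ds_digest(owner, rdata), anchor["digest"]))

def trusted_keys(owner, dnskey_rrset, anchor):
    """Keys from a fetched DNSKEY RRset that the anchor vouches for."""
    return [k for k in dnskey_rrset if matches_anchor(owner, k, anchor)]

# Constructed sample data: placeholder key bytes, not real keys.
KSK = dnskey_rdata(257, 3, 8, bytes(range(1, 9)))
ZSK = dnskey_rdata(256, 3, 8, bytes(range(9, 17)))
FORGED = dnskey_rdata(257, 3, 8, bytes([3, 2, 1, 4, 5, 6, 7, 8]))  # same key tag as KSK
ANCHOR = make_anchor("example.org.", KSK)  # real anchors are pinned out of band
```

The FORGED key shares the KSK's key tag but fails the digest comparison, which is why the tag alone is not enough to identify an anchor.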


