[ldns-users] Questions on ldns_dnssec_* functions

Ray Bellis Ray.Bellis at nominet.org.uk
Wed Oct 15 15:09:11 UTC 2014


On 13 Oct 2014, at 16:41, Ray Bellis <Ray.Bellis at nominet.org.uk> wrote:

> I have a number of advanced-level questions relating to use of ldns to create a dynamic zone signer:
> 
> 1.  Given an apparently valid ldns_dnssec_zone structure that has had keys added and subsequently signed, I'm using ldns_dnssec_zone_find_rrset() to look for RRs in that zone.
> 
> This works for normal RRs that do exist in the zone, but apparently not for RRs on a wildcard label.  Do I have to handle those separately?
> 
> 2.  If the above call returns NULL I ideally need to return one or more NSEC records proving non-existence of the QTYPE (and/or QNAME).  Pointers on functions that would assist in finding the right ones would be useful...
> 
> 3.  Is there a method by which I can add new RRs to an already signed zone and just have ldns update the RRSIGs and the NSEC chain for the new records?  It's unclear whether the "special handling" in ldns_dnssec_zone_add_rr() covers this.

FWIW, I’ve solved #2 above (albeit not for wildcards).

Having dug into the internals of ldns’s code, rather than use `ldns_dnssec_zone_find_rrset()` I’m now using `ldns_rbtree_find_less_equal()` to find the closest entry to the desired name.

The NSEC record can then be found in `((ldns_dnssec_name*)node->data)->nsec`, and its siblings `->signatures` and `->nsec_signatures` contain the RRSIGs over the original record and over the NSEC itself.

Ray
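The lookup Ray describes (predecessor-or-equal search on the name tree, then read the NSEC hanging off that node) is easy to get subtly wrong at the edges: a name that exists but lacks the QTYPE is NODATA, an empty non-terminal is also NODATA even though no node carries it, and a genuine NXDOMAIN needs a second NSEC covering `*.<closest encloser>` (RFC 4035 section 3.1.3.2), which is the wildcard case the post leaves open. The following C is an added example written for this page, not ldns code and not Ray's code: it models the same "greatest owner <= qname" search over a small constructed NSEC chain for `example.` (the `chain` array, its `types` strings standing in for the NSEC type bitmap, and every query name below are made up for the example), implements RFC 4034 section 6.1 canonical ordering so that `*` sorts before letters, and classifies a query as exists / NODATA / NXDOMAIN with the indexes of the NSEC records a reply would have to carry. A linear scan stands in for the red-black tree; `nsec_lookup`, `nsec_find_less_equal`, `dname_*` and `tail_eq` are names chosen here, not ldns API. Delegations and wildcard synthesis are deliberately not modelled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Added illustration, not ldns code: the "greatest NSEC owner <= qname" lookup the post
 * describes, run over a constructed NSEC chain instead of an ldns_dnssec_zone. */
#define MAX_NAME 256
typedef struct { char buf[MAX_NAME]; const char *label[128]; int n; } dname;
/* Presentation form ("www.example.") to labels, label[0] leftmost; no \DDD escapes, no root "." */
static int dname_parse(const char *text, dname *d)
{
    char *p = d->buf, *dot = NULL;
    if (snprintf(d->buf, sizeof d->buf, "%s", text) >= MAX_NAME) return -1;
    for (d->n = 0; *p && *p != '.'; p = dot ? dot + 1 : p + strlen(p)) {
        if (d->n == 128) return -1;
        d->label[d->n++] = p;
        if ((dot = strchr(p, '.'))) *dot = '\0';
    }
    return *p ? -1 : 0;                                          /* leftover '.' is an empty label */
}
/* RFC 4034 6.1 canonical order: labels right to left, case-insensitive, as unsigned octets */
static int label_cmp(const char *a, const char *b)
{
    for (;; a++, b++) {
        int ca = tolower((unsigned char)*a), cb = tolower((unsigned char)*b);
        if (ca != cb || !ca) return ca - cb;
    }
}
static int dname_cmp(const dname *a, const dname *b)
{
    int i = a->n, j = b->n, c;
    while (i-- > 0 && j-- > 0)
        if ((c = label_cmp(a->label[i], b->label[j])) != 0) return c;
    return a->n - b->n;                                          /* an ancestor sorts first */
}
/* 1 if the last m labels of a and b agree; tail_eq(x, anc, anc->n) means x is at or below anc */
static int tail_eq(const dname *a, const dname *b, int m)
{
    if (a->n < m || b->n < m) return 0;
    for (; m > 0; m--)
        if (label_cmp(a->label[a->n - m], b->label[b->n - m])) return 0;
    return 1;
}
typedef struct { const char *owner, *next, *types; } nsec_rr;    /* types: " A NS " style bitmap */
/* Constructed chain for example. in canonical order (last NSEC wraps to the apex); sub.example. is
 * an empty non-terminal: it has no NSEC of its own, but host.sub.example. lies below it. */
static const nsec_rr chain[] = {
    { "example.",          "a.example.",        " SOA NS DNSKEY NSEC RRSIG " },
    { "a.example.",        "host.sub.example.", " A AAAA NSEC RRSIG " },
    { "host.sub.example.", "www.example.",      " A NSEC RRSIG " },
    { "www.example.",      "example.",          " A NSEC RRSIG " },
};
static const int chain_len = sizeof chain / sizeof chain[0];
typedef enum { NSEC_ERROR = -1, NSEC_EXISTS, NSEC_NODATA, NSEC_NXDOMAIN } nsec_kind;
/* Greatest NSEC owner <= q, i.e. what ldns_rbtree_find_less_equal() yields on the zone's name
 * tree, or -1 if q sorts before the apex. A linear scan stands in for the red-black tree. */
static int nsec_find_less_equal(const dname *q)
{
    dname o;
    int i, best = -1;
    for (i = 0; i < chain_len; i++)
        if (!dname_parse(chain[i].owner, &o) && dname_cmp(&o, q) <= 0) best = i;
    return best;
}
/* Classify (qname, qtype). *proof is the NSEC to return for NODATA/NXDOMAIN; on NXDOMAIN
 * *wc_proof is the NSEC covering *.<closest encloser>, which the reply must also carry
 * (RFC 4035 3.1.3.2). The chain is the zone's own, so the NSEC at the predecessor covers
 * qname by construction. Delegations and wildcard synthesis are not modelled. */
static nsec_kind nsec_lookup(const char *qname, const char *qtype, int *proof, int *wc_proof)
{
    dname q, o, apex;
    char wc[MAX_NAME + 2], pat[32];
    int i, j, k, m, len;
    *proof = *wc_proof = -1;
    if (dname_parse(qname, &q) || dname_parse(chain[0].owner, &apex)) return NSEC_ERROR;
    if (!tail_eq(&q, &apex, apex.n) || (i = nsec_find_less_equal(&q)) < 0) return NSEC_ERROR;
    *proof = i;
    dname_parse(chain[i].owner, &o);
    if (dname_cmp(&o, &q) == 0) {                                /* name exists: check the type bitmap */
        snprintf(pat, sizeof pat, " %s ", qtype);
        return strstr(chain[i].types, pat) ? NSEC_EXISTS : NSEC_NODATA;
    }
    dname_parse(chain[i].next, &o);
    if (tail_eq(&o, &q, q.n)) return NSEC_NODATA;                /* empty non-terminal, not NXDOMAIN */
    for (m = q.n - 1; m > apex.n; m--) {                         /* closest encloser: the longest */
        for (j = 0; j < chain_len; j++)                          /* ancestor some NSEC owner lies under */
            if (!dname_parse(chain[j].owner, &o) && tail_eq(&o, &q, m)) break;
        if (j < chain_len) break;
    }
    len = snprintf(wc, sizeof wc, "*");                          /* build *.<closest encloser> */
    for (k = q.n - m; k < q.n; k++) len += snprintf(wc + len, sizeof wc - len, ".%s", q.label[k]);
    if (dname_parse(wc, &q) || (j = nsec_find_less_equal(&q)) < 0) return NSEC_ERROR;
    dname_parse(chain[j].owner, &o);
    if (dname_cmp(&o, &q) == 0) return NSEC_ERROR;               /* *.<ce> exists: synthesise, don't deny */
    *wc_proof = j;
    return NSEC_NXDOMAIN;
}
int main(void)
{
    int p, w, kind = nsec_lookup("zzz.example.", "A", &p, &w);
    printf("kind=%d proof=%d wildcard_proof=%d\n", kind, p, w);
    return 0;
}
```

In the constructed chain, `zzz.example.` is covered by the last NSEC (owner `www.example.`, next wrapping to the apex), and because `*` is 0x2A the wildcard name `*.example.` sorts between the apex and `a.example.`, so the apex NSEC is the one that proves no wildcard exists; both indexes must go into the authority section. `sub.example.` shows the empty-non-terminal trap: the predecessor search lands on `a.example.`, exactly the node the post reads `->nsec` from, but since that NSEC's next name lies below the query name the correct answer is NOERROR with an empty answer section, not NXDOMAIN. Canonical ordering also makes the lookup case-insensitive, which matters because the rbtree comparison, not the query's spelling, decides which node is found.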