[ldns-users] Questions on ldns_dnssec_* functions

Ray Bellis Ray.Bellis at nominet.org.uk
Fri Oct 17 10:58:59 UTC 2014


On 15 Oct 2014, at 16:09, I wrote:

> On 13 Oct 2014, at 16:41, I wrote:
> 
>> I have a number of advanced-level questions relating to use of ldns to create a dynamic zone signer:
>> 
>> 1.  Given an apparently valid ldns_dnssec_zone structure that has had keys added and subsequently signed, I'm using ldns_dnssec_zone_find_rrset() to look for RRs in that zone.
>> 
>> This works for normal RRs that do exist in the zone, but apparently not for RRs on a wildcard label.  Do I have to handle those separately?
>> 
>> 2.  if the above call returns NULL I ideally need to return one or more NSEC records proving non-existence of the QTYPE (and/or QNAME).  Pointers on functions that would assist in finding the right ones would be useful...
>> 
>> 3.  Is there a method by which I can add new RRs to an already signed zone and just have ldns update the RRSIGs and the NSEC chain for the new records?  It's unclear whether the "special handling" in ldns_dnssec_zone_add_rr() covers this.
> 
> FWIW, I’ve solved #2 above (albeit not for wildcards)
> 
> Having dug into the internals of ldns’s code, rather than use `ldns_dnssec_zone_find_rrset()` I’m now using `ldns_frbtree_find_less_equal()` to find the closest entry to the desired name.
> 
> The NSEC record can then be found in `((ldns_dnssec_name*)node->data).nsec` and its siblings `.signatures` and `.nsec_signatures` contain the RRSIGs over the original record and the NSECs themselves.

I've now solved what I was trying to do without needing #1 or #3 either.

However, #1 is certainly something that would be useful in LDNS.  It seems that most of the zone-related functions in LDNS relate to zone signing and printing, and little (if any) to actually looking up data in a zone.

kind regards,

Ray
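The lookup the message above describes, as an added example that is not part of the thread and not ldns's own code: it works over a constructed in-memory NSEC chain rather than an `ldns_dnssec_zone`, implements the RFC 4034 section 6.1 canonical ordering, does the "find less-or-equal" search that `ldns_rbtree_find_less_equal()` performs on the zone's red-black tree, and then checks that the selected NSEC actually covers the queried name before claiming NXDOMAIN. The zone contents, the `lookup()`/`nsec_covers()` helpers and their result names are all assumptions of this example; wildcard synthesis (question #1 in the thread) is deliberately left out.

```c
/* Added example, not ldns code: NSEC selection for a negative answer over a
 * constructed zone. Canonical ordering per RFC 4034 section 6.1, a
 * find-less-or-equal search, and a cover check on the chosen NSEC. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_LABELS 16
#define LABEL_LEN 64

/* Constructed sample NSEC chain of a signed zone, listed in canonical order.
 * "types" stands in for the NSEC type bitmap, written as mnemonics. */
typedef struct { const char *owner; const char *next; const char *types; } nsec_rr;
static const nsec_rr zone[] = {
    {"example.",      "a.example.",    "SOA NS DNSKEY NSEC RRSIG"},
    {"a.example.",    "*.a.example.",  "A NSEC RRSIG"},
    {"*.a.example.",  "mail.example.", "A NSEC RRSIG"},
    {"mail.example.", "www.example.",  "MX NSEC RRSIG"},
    {"www.example.",  "example.",      "A AAAA NSEC RRSIG"},   /* last NSEC wraps to the apex */
};
#define ZONE_LEN (int)(sizeof zone / sizeof zone[0])

/* Split a dotted name into lowercased labels, right-most (apex side) label first. */
static int split_labels(const char *name, char labels[MAX_LABELS][LABEL_LEN]) {
    char tmp[256], *save = NULL;
    int n = 0;
    snprintf(tmp, sizeof tmp, "%s", name);
    size_t len = strlen(tmp);
    if (len && tmp[len - 1] == '.') tmp[len - 1] = '\0';          /* drop the root dot */
    for (char *p = strtok_r(tmp, ".", &save); p && n < MAX_LABELS; p = strtok_r(NULL, ".", &save)) {
        for (char *c = p; *c; c++) *c = (char)tolower((unsigned char)*c);
        snprintf(labels[n++], LABEL_LEN, "%s", p);
    }
    for (int i = 0, j = n - 1; i < j; i++, j--) {                  /* reverse label order */
        char t[LABEL_LEN];
        strcpy(t, labels[i]); strcpy(labels[i], labels[j]); strcpy(labels[j], t);
    }
    return n;
}

/* RFC 4034 section 6.1: compare label by label from the right, case-insensitively;
 * a name that is a proper prefix (an ancestor) of the other sorts first. */
int canonical_cmp(const char *a, const char *b) {
    char la[MAX_LABELS][LABEL_LEN], lb[MAX_LABELS][LABEL_LEN];
    int na = split_labels(a, la), nb = split_labels(b, lb);
    int n = na < nb ? na : nb;
    for (int i = 0; i < n; i++) {
        int c = strcmp(la[i], lb[i]);
        if (c != 0) return c < 0 ? -1 : 1;
    }
    return (na > nb) - (na < nb);
}

/* Index of the last owner <= qname in canonical order, or -1 if qname sorts before
 * the apex. A red-black tree does this in O(log n); this sorted array is scanned. */
int find_less_equal(const char *qname) {
    int best = -1;
    for (int i = 0; i < ZONE_LEN; i++) {
        if (canonical_cmp(zone[i].owner, qname) > 0) break;
        best = i;
    }
    return best;
}

/* 1 if NSEC i proves qname absent: owner < qname < next, where a "next" equal
 * to the apex means the chain wraps and everything after owner is covered. */
int nsec_covers(int i, const char *qname) {
    if (canonical_cmp(zone[i].owner, qname) >= 0) return 0;
    if (canonical_cmp(zone[i].next, zone[0].owner) == 0) return 1;
    return canonical_cmp(qname, zone[i].next) < 0;
}

static int has_type(const char *types, const char *qtype) {
    char buf[128], *save = NULL;
    snprintf(buf, sizeof buf, "%s", types);
    for (char *t = strtok_r(buf, " ", &save); t; t = strtok_r(NULL, " ", &save))
        if (strcmp(t, qtype) == 0) return 1;
    return 0;
}

/* RES_NO_PROOF: qname is outside the zone or the chain does not cover it. */
typedef enum { RES_EXISTS, RES_NODATA, RES_NXDOMAIN, RES_NO_PROOF } lookup_result;

/* Distinguish the answer cases and report which NSEC (index into zone[]) proves the negative ones. */
lookup_result lookup(const char *qname, const char *qtype, int *nsec_idx) {
    int i = find_less_equal(qname);
    *nsec_idx = i;
    if (i < 0) return RES_NO_PROOF;
    if (canonical_cmp(zone[i].owner, qname) == 0)            /* exact name: NODATA uses its own bitmap */
        return has_type(zone[i].types, qtype) ? RES_EXISTS : RES_NODATA;
    return nsec_covers(i, qname) ? RES_NXDOMAIN : RES_NO_PROOF;
}

int main(void) {
    static const char *qn[] = { "www.example.", "WWW.example.", "foo.example.", "zzz.example." };
    static const char *qt[] = { "A", "MX", "A", "A" };
    static const char *res[] = { "EXISTS", "NODATA", "NXDOMAIN", "NO_PROOF" };
    for (int k = 0; k < 4; k++) {
        int idx; lookup_result r = lookup(qn[k], qt[k], &idx);
        printf("%-13s %-3s -> %-9s", qn[k], qt[k], res[r]);
        if (idx >= 0) printf(" via NSEC %s -> %s", zone[idx].owner, zone[idx].next);
        printf("\n");
    }
    return 0;
}
```

The cover check after the less-or-equal search is the part worth keeping when moving this onto real ldns structures: a predecessor node is only a valid proof if the queried name sorts strictly before that node's NSEC "next" name (or the chain wraps to the apex), otherwise the zone's chain is inconsistent and no NSEC should be served.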
