From srobertjames at gmail.com Mon Jun 8 01:56:41 2015
From: srobertjames at gmail.com (Robert James)
Date: Sun, 7 Jun 2015 21:56:41 -0400
Subject: [ldns-users] Verifying DNSSEC with ldns
Message-ID:

I'm learning ldns. The interface is clearly well thought out.

I'm confused about the ldns_verify_* functions. My goal is to verify a single RRSIG over a single RR. However, the interface for the verify functions takes an rrset, not an rr. Am I supposed to simply create a dummy rr_list and put the single rr into it?

Second, I'm confused about the difference between ldns_verify, ldns_verify_rrsig, and ldns_verify_rrsig_keylist. When do I use each?

Finally: I have two use cases. In some cases, I have the DNSKEY, trust it, and simply want to verify that the RRSIG matches the DNSKEY and the RR. In other cases, I don't have the DNSKEY, and want to do a recursive, DNSSEC-verified lookup to get it (i.e. walking the DS chain all the way back to the root domain, whose key I of course need). Which one does ldns_verify* do? How do I do the other one?

Thanks!