[ldns-users] Verifying DNSSEC with ldns
srobertjames at gmail.com
Mon Jun 8 01:56:41 UTC 2015
I'm learning ldns. The interface is clearly well thought out.
I'm confused about the ldns_verify_* functions. My goal is to verify
a single RRSIG over a single RR. However, the interface for the
verify functions takes a rrset, not a rr. Am I supposed to simply
create a dummy rr_list and put the single rr into it?
Second, I'm confused about the difference between ldns_verify,
ldns_verify_rrsig, and ldns_verify_rrsig_keylist. When do I use each?
Finally: I have two use cases. In some cases, I have the DNSKEY,
trust it, and simply want to verify that the RRSIG matches the DNSKEY
and the RR. In other cases, I don't have the DNSKEY, and want to do a
recursive, DNSSEC-verified lookup to get it (i.e. walking the DS
chain all the way back to the root domain, whose key I of course
need). Which one does the ldns_verify* do? How do I do the other one?