[ldns-users] Verifying DNSSEC with ldns

Robert James srobertjames at gmail.com
Mon Jun 8 01:56:41 UTC 2015

I'm learning ldns.  The interface is clearly well thought out.

I'm confused about the ldns_verify_* functions.  My goal is to verify
a single RRSIG over a single RR.  However, the interface for the
verify functions takes a rrset, not a rr.  Am I supposed to simply
create a dummy rr_list and put the single rr into it?

Second, I'm confused about the difference between ldns_verify,
ldns_verify_rrsig, and ldns_verify_rrsig_keylist.  When do I use each?

Finally: I have two use cases.  In some cases, I have the DNSKEY,
trust it, and simply want to verify that the RRSIG matches the DNSKEY
and the RR.  In other cases, I don't have the DNSKEY, and want to do a
recursive, DNSSEC verified, lookup to get it (i.e. walking the DS
chain all the way back to the root domain, whose key I of course
need).  Which one does the ldns_verify* do? How do I do the other one?


More information about the ldns-users mailing list