[ldns-users] ldns_dnssec_verify_denial() usage

Vladimir Levijev vladimir.levijev at gmail.com
Mon Jun 18 09:40:52 UTC 2018

On Fri, Jun 15, 2018 at 4:40 PM Jurijs Klopovskis
<jurijs.klopovskis at zabbix.com> wrote:


> I have a question about using ldns_dnssec_verify_denial() and
> ldns_dnssec_verify_denial_nsec3() functions.
> Right now in out code we perform denial of existence checks with these
> functions only if ldns_verify() function has failed with
> Is this sane?

I'm interested in the same subject.

What is the usual way of checking if DNSSEC stuff is in order at the
Name Service provider?

What we do we call these functions in the following sequence:
- ldns_verify()
- ldns_dnssec_verify_denial()

and in case of error in denial of existence RR (incorrect "from" -
"to" range), we will hit the error in ldns_verify() with e. g.
LDNS_STATUS_DNSSEC_NSEC_RR_NOT_COVERED. This does not show us that the
error is denial of existence RR.

Maybe there's a known way of doing these checks properly?



More information about the ldns-users mailing list