[ldns-users] ldns_dnssec_verify_denial() usage
Willem Toorop
willem at nlnetlabs.nl
Mon Jun 18 12:34:38 UTC 2018
On 15-06-18 at 15:31, Jurijs Klopovskis wrote:
> Hello.
>
> I have a question about using ldns_dnssec_verify_denial() and
> ldns_dnssec_verify_denial_nsec3() functions.
>
> Right now in our code we perform denial of existence checks with these
> functions only if ldns_verify() function has failed with
> LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY.
>
> Is this sane?
Did you start out with an ldns_pkt?
If there were no RRsets for qname and qtype in the pkt, you can skip
ldns_verify() and start looking for NSECs (for
ldns_dnssec_verify_denial()) or NSEC3s (for
ldns_dnssec_verify_denial_nsec3()) right away.
But even when you did find RRsets for qname and qtype and ldns_verify()
returned LDNS_STATUS_OK, you still have to check whether it validated a
wildcard match, in which case you have to verify that a more specific
qname/qtype did not exist.
Note that getdns has a more convenient higher level function for this:
https://getdnsapi.net/functions/getdns_validate_dnssec.html
https://getdnsapi.net/functions/getdns_validate_dnssec2.html
These can take a whole DNS message/packet as input and return the DNSSEC
status, regardless of whether the reply is a NOERROR, NXDOMAIN or
NODATA response. Wildcard responses are also validated correctly
automatically with these functions (and you don't have to handle NSECs
and NSEC3s differently either).
-- Willem