[ldns-users] ldns_dnssec_verify_denial() usage

Willem Toorop willem at nlnetlabs.nl
Mon Jun 18 12:34:38 UTC 2018

Op 15-06-18 om 15:31 schreef Jurijs Klopovskis:
> Hello.
> I have a question about using ldns_dnssec_verify_denial() and
> ldns_dnssec_verify_denial_nsec3() functions.
> Right now in out code we perform denial of existence checks with these
> functions only if ldns_verify() function has failed with
> Is this sane?

Did you start out with a ldns_pkt?

If there were no RRsets for qname and qtype in the pkt, you can skip
ldns_verify() and start looking for NSECs (for
ldns_dnssec_verify_denial() ) or NSEC3s (for
ldns_dnssec_verify_denial_nsec3() ) right away.

But even when you did found RRsets for qname and qtype and ldns_verify()
returned LDNS_STATUS_OK, you still have to check whether it validated a
wildcard match, in which case you have to verify that a more specific
qname/qtype did not exist.

Note that getdns has a more convenient higher level function for this:


Which can take a whole DNS message/packet as input and return the DNSSEC
status, regardless of whether the reply is for a NOERROR, NXDOMAIN or
NODATA response.  Also wildcard responses are validated correctly
automatically with that function.  (and you don't have to handle NSECs
and NSEC3s differently either).

-- Willem
> _______________________________________________
> ldns-users mailing list
> ldns-users at nlnetlabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/ldns-users

More information about the ldns-users mailing list