[ldns-users] ldns_dnssec_verify_denial() usage

Vladimir Levijev vladimir.levijev at gmail.com
Mon Jun 18 14:08:46 UTC 2018


On Mon, Jun 18, 2018 at 3:34 PM Willem Toorop <willem at nlnetlabs.nl> wrote:
> On 15-06-18 at 15:31, Jurijs Klopovskis wrote:
>
> > I have a question about using ldns_dnssec_verify_denial() and
> > ldns_dnssec_verify_denial_nsec3() functions.
> >
> > Right now in our code we perform denial of existence checks with these
> > functions only if ldns_verify() function has failed with
> > LDNS_STATUS_CRYPTO_NO_MATCHING_KEYTAG_DNSKEY.
> >
> > Is this sane?
>
> Did you start out with a ldns_pkt?
>
> If there were no RRsets for qname and qtype in the pkt, you can skip
> ldns_verify() and start looking for NSECs (for
> ldns_dnssec_verify_denial()) or NSEC3s (for
> ldns_dnssec_verify_denial_nsec3()) right away.
>
> But even when you did find RRsets for qname and qtype and ldns_verify()
> returned LDNS_STATUS_OK, you still have to check whether it validated a
> wildcard match, in which case you have to verify that a more specific
> qname/qtype did not exist.
>
> Note that getdns has a more convenient higher level function for this:
>
> https://getdnsapi.net/functions/getdns_validate_dnssec.html
> https://getdnsapi.net/functions/getdns_validate_dnssec2.html
>
> Which can take a whole DNS message/packet as input and return the DNSSEC
> status, regardless of whether the reply is for a NOERROR, NXDOMAIN or
> NODATA response.  Also wildcard responses are validated correctly
> automatically with that function.  (and you don't have to handle NSECs
> and NSEC3s differently either).

Did I understand correctly that in case of getdns I do not have a way
to specify the Name Server I want to query?

Cheers,

VL
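The decision Willem lays out above (no RRset: go straight to the denial check; RRset validated: still test for a wildcard match and, if so, demand proof that no more specific name exists) is shown below as an added, stand-alone C example. It is not code from this thread, from ldns or from getdns. The wildcard test follows RFC 4035 section 5.3.4: the RRSIG Labels field is compared with the number of labels in the RRset owner name, and a leading "*" label is not counted (RFC 4034 section 3.1.3). In real code those two inputs would come from the RRset owner and the RRSIG rdata (in ldns, ldns_rr_label_count() and ldns_rr_rrsig_labels(); their use is assumed from the ldns headers, not shown on this page). The owner names and Labels values in main() are constructed samples. Treating a present RRset whose signature fails as bogus is the usual DNSSEC outcome and is my assumption, not something the thread states.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Count the labels of a presentation-format owner name.
 * "www.example.org." -> 3, "example.org" -> 2, "." -> 0.
 * A backslash escapes the next character, so "a\.b.example." is 2 labels. */
static int label_count(const char *name)
{
    int count = 0;
    bool in_label = false;
    for (const char *p = name; *p; p++) {
        if (*p == '\\' && p[1]) { p++; in_label = true; continue; }
        if (*p == '.') {
            if (in_label) { count++; in_label = false; }
            continue;
        }
        in_label = true;
    }
    if (in_label) count++;
    return count;
}

/* RFC 4035 section 5.3.4: when the RRSIG Labels field is smaller than the number of
 * labels in the RRset owner name, the answer was synthesized from a wildcard.
 * RFC 4034 section 3.1.3: a leading "*" label is not counted in Labels, so an
 * owner that literally is the wildcard name is not a wildcard expansion. */
static bool is_wildcard_expansion(const char *owner, int rrsig_labels)
{
    int owner_labels = label_count(owner);
    if (owner[0] == '*' && owner[1] == '.')
        owner_labels--;
    return rrsig_labels < owner_labels;
}

/* Rebuild the wildcard owner that was actually signed: "*." followed by the
 * rightmost rrsig_labels labels of the owner name. Returns -1 when the RRset is
 * not a wildcard expansion or the output buffer is too small. */
static int wildcard_source(const char *owner, int rrsig_labels, char *out, size_t outlen)
{
    if (rrsig_labels < 0 || !is_wildcard_expansion(owner, rrsig_labels))
        return -1;
    int skip = label_count(owner) - rrsig_labels;   /* leftmost labels to drop */
    const char *p = owner;
    int skipped = 0;
    bool in_label = false;
    while (*p && skipped < skip) {
        if (*p == '\\' && p[1]) { p += 2; in_label = true; continue; }
        if (*p == '.') {
            if (in_label) { skipped++; in_label = false; }
            p++;
            continue;
        }
        in_label = true;
        p++;
    }
    int n = snprintf(out, outlen, "*.%s", p);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* What to do next with a reply, as described in the thread. sig_ok stands for
 * ldns_verify() having returned LDNS_STATUS_OK for the RRset and its RRSIGs. */
typedef enum {
    NEXT_VERIFY_DENIAL,        /* no RRset for qname/qtype: run the NSEC/NSEC3 denial check directly */
    NEXT_BOGUS,                /* RRset present but its signature did not validate (assumption: treat as bogus) */
    NEXT_ACCEPT,               /* signature valid and not a wildcard expansion: done */
    NEXT_PROVE_NO_CLOSER_NAME  /* valid via wildcard: still need NSEC/NSEC3 proof that no more specific name exists */
} next_step_t;

static next_step_t decide(bool rrset_present, bool sig_ok, const char *owner, int rrsig_labels)
{
    if (!rrset_present)
        return NEXT_VERIFY_DENIAL;
    if (!sig_ok)
        return NEXT_BOGUS;
    if (is_wildcard_expansion(owner, rrsig_labels))
        return NEXT_PROVE_NO_CLOSER_NAME;
    return NEXT_ACCEPT;
}

int main(void)
{
    /* Constructed sample: an RRset for host.example.org. whose RRSIG carries
     * Labels = 2, i.e. it was signed as *.example.org. */
    const char *owner = "host.example.org.";
    int rrsig_labels = 2;
    char src[256];

    if (decide(true, true, owner, rrsig_labels) == NEXT_PROVE_NO_CLOSER_NAME &&
        wildcard_source(owner, rrsig_labels, src, sizeof src) == 0)
        printf("%s was expanded from %s: an NSEC/NSEC3 proof that %s does not exist is still required\n",
               owner, src, owner);

    if (decide(false, false, "nx.example.org.", 0) == NEXT_VERIFY_DENIAL)
        printf("no RRset for nx.example.org.: skip ldns_verify(), check NSEC/NSEC3 denial directly\n");
    return 0;
}
```

The label comparison is the whole wildcard test; the reconstructed "*.example.org." is only printed so the reader can see which name the signature actually covers. The remaining step, running the denial proof for the queried name against the NSEC or NSEC3 records in the reply, is what ldns_dnssec_verify_denial() and ldns_dnssec_verify_denial_nsec3() are for, and is not re-implemented here.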


