[ldns-users] [PATCH 0/3] Add full validating capabilities to ldns
jelte at NLnetLabs.nl
Wed May 16 16:56:11 CEST 2007
-----BEGIN PGP SIGNED MESSAGE-----
Simon Vallet wrote:
> these series of patches adds rudimentary full validation to ldns, which
> has been tested in the following cases:
> Configured anchor (ZSK) -> RR
> Configured anchor (KSK) -> ZSK -> RR
> Configured anchor (KSK) -> ZSK -> DS -> ZSK -> RR
> Please consider these for integration
I have looked at the patches, and they look very useful. Thanks again.
However, I don't think i want to leave the functions as they are now. I
think it needs more error feedback (as they are, it almost always
returns 'general error' on any dnssec error. While this might not be a
problem for apps that only want to know 'ok' or 'not ok', it will be for
more specified applications that want to know what went wrong.
A lesser problem is something that is a bug in my opinion; the
fetch_valid_domain_keys does not convey its status back to its calling
function; my proposal for that would be to not let it return the
trusted_keys value, but rather pass that one as a pointer argument, and
return the status code.
But what i want to reach is the point where one can see at what level
and what the underlying error was; like
'validation failed at bogussig.test.jelte.nlnetlabs.nl; The DS record
could not be validated: Bogus Signature'.
But i need some time to examine how to put this in an (easy, or at least
sane) API. Which has reminded me why i hadn't put this in the library yet :)
If you have any objections to this, i can also make extra functions that
to this, and leave your functions as they are (at least on the API level).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the ldns-users