[ldns-users] [PATCH 0/3] Add full validating capabilities to ldns

Jelte Jansen jelte at NLnetLabs.nl
Wed May 16 14:56:11 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Simon Vallet wrote:
> Hi,
> 
> this series of patches adds rudimentary full validation to ldns, which
> has been tested in the following cases:
> 
> Configured anchor (ZSK) -> RR
> Configured anchor (KSK) -> ZSK -> RR
> Configured anchor (KSK) -> ZSK -> DS -> ZSK -> RR
> 
> Please consider these for integration
> 

I have looked at the patches, and they look very useful. Thanks again.

However, I don't think I want to leave the functions as they are now. I
think it needs more error feedback (as they are, it almost always
returns 'general error' on any dnssec error). While this might not be a
problem for apps that only want to know 'ok' or 'not ok', it will be for
more specified applications that want to know what went wrong.

A lesser problem is something that is a bug in my opinion; the
fetch_valid_domain_keys does not convey its status back to its calling
function; my proposal for that would be to not let it return the
trusted_keys value, but rather pass that one as a pointer argument, and
return the status code.

But what I want to reach is the point where one can see at what level
and what the underlying error was; like
'validation failed at bogussig.test.jelte.nlnetlabs.nl; The DS record
could not be validated: Bogus Signature'.

But I need some time to examine how to put this in an (easy, or at least
sane) API. Which has reminded me why I hadn't put this in the library yet :)

If you have any objections to this, I can also make extra functions that
do this, and leave your functions as they are (at least on the API level).

Jelte
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGSxuK4nZCKsdOncURAqZIAJ47srQgmq6qpeVr2KVrINGeY1nyuACfaEGG
8DlFH6OTOvp6uiZfHL5Ez+M=
=TS6n
-----END PGP SIGNATURE-----
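The two API points raised in the reply (return the status code and hand the result back through a pointer argument; report at which name and step validation stopped and what the underlying error was) can be sketched in plain C. The block below is an added illustration written for this page, not code from ldns or from the patches under discussion: the status codes, the step enum, the `chain_link` model of a chain of trust (signature and DS checks simulated by flags) and the zone names in the sample chain are all constructed; only `bogussig.test.jelte.nlnetlabs.nl` and the wording of the failure message come from the mail.

```c
#include <stdio.h>
#include <string.h>

/* Constructed status codes: one specific status per DNSSEC failure instead
 * of a single 'general error'. These are not ldns' own ldns_status values. */
typedef enum {
    VAL_OK = 0,
    VAL_ERR_GENERAL,
    VAL_ERR_NO_ANCHOR,
    VAL_ERR_BOGUS_SIG,
    VAL_ERR_DS_MISMATCH
} val_status;

static const char *const status_names[] = {
    "OK", "General error", "No configured trust anchor",
    "Bogus Signature", "DS does not match DNSKEY"
};

/* Steps that occur in the tested chains (anchor -> ZSK -> DS -> ZSK -> RR). */
typedef enum { STEP_ANCHOR, STEP_ZSK, STEP_DS, STEP_RR } val_step;
static const char *const step_names[] = { "trust anchor", "ZSK", "DS", "RR" };

/* One link of a constructed chain of trust. Signature and DS checks are
 * simulated by flags; a real validator verifies RRSIGs and DS digests. */
typedef struct {
    const char *owner;  /* owner name of the record at this step */
    val_step    step;
    int         sig_ok; /* 1 = the RRSIG over this record verifies */
    int         ds_ok;  /* STEP_DS only: 1 = DS digest matches the child key */
} chain_link;

/* Error feedback: at which name and step validation stopped, and why. */
typedef struct {
    const char *failed_at;
    val_step    failed_step;
    val_status  underlying;
} val_context;

/* Proposed shape: the status is the return value and the result (how many
 * links were established as trusted) goes out through a pointer argument.
 * On failure *trusted is the depth reached and ctx describes the bad link. */
static val_status validate_chain(const chain_link *chain, size_t n,
                                 size_t *trusted, val_context *ctx)
{
    *trusted = 0;
    memset(ctx, 0, sizeof *ctx);
    if (n == 0 || chain[0].step != STEP_ANCHOR) {
        ctx->failed_at = n ? chain[0].owner : "";
        ctx->underlying = VAL_ERR_NO_ANCHOR;
        return VAL_ERR_NO_ANCHOR;
    }
    for (size_t i = 0; i < n; i++) {
        const chain_link *l = &chain[i];
        val_status st = VAL_OK;
        if (l->step != STEP_ANCHOR && !l->sig_ok)
            st = VAL_ERR_BOGUS_SIG;      /* signature over this link is bogus */
        else if (l->step == STEP_DS && !l->ds_ok)
            st = VAL_ERR_DS_MISMATCH;    /* DS does not cover the child's key */
        if (st != VAL_OK) {
            ctx->failed_at = l->owner;
            ctx->failed_step = l->step;
            ctx->underlying = st;
            return st;
        }
        *trusted = i + 1;
    }
    return VAL_OK;
}

/* Renders ctx as 'validation failed at <name>; The <step> record could not
 * be validated: <reason>', the form of message the mail asks for. */
static int format_failure(const val_context *ctx, char *buf, size_t len)
{
    return snprintf(buf, len,
                    "validation failed at %s; The %s record could not be validated: %s",
                    ctx->failed_at, step_names[ctx->failed_step],
                    status_names[ctx->underlying]);
}

int main(void)
{
    /* Constructed chain: the DS step at the zone named in the mail has a bogus signature. */
    const chain_link chain[] = {
        { "nlnetlabs.nl", STEP_ANCHOR, 1, 0 },
        { "nlnetlabs.nl", STEP_ZSK, 1, 0 },
        { "bogussig.test.jelte.nlnetlabs.nl", STEP_DS, 0, 1 },
        { "bogussig.test.jelte.nlnetlabs.nl", STEP_ZSK, 1, 0 },
        { "bogussig.test.jelte.nlnetlabs.nl", STEP_RR, 1, 0 },
    };
    size_t depth; val_context ctx;
    char msg[256];
    if (validate_chain(chain, 5, &depth, &ctx) != VAL_OK) {
        format_failure(&ctx, msg, sizeof msg);
        printf("%s (trusted depth %zu)\n", msg, depth);
    }
    return 0;
}
```

The caller still gets the simple ok/not-ok answer from the return value, while an application that cares can read `ctx` to learn that validation got two links deep and stopped at the DS record with a bogus signature, rather than a bare general error.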


