DNSSEC Application Development
From DNSSEC-Tools Wiki
This is a short introduction to dnssec-tools for those that want to write applications that support DNSSEC.
Developing DNSSEC aware applications
libval
The base DNSSEC-Tools component to use for development is the validation library, libval. To support DNS calls, libval provides a set of APIs that mirror the standard resolver APIs. Although the function headers should be checked to confirm the exact signatures, the following generally holds for corresponding calls in the standard library and in libval:
- Common API function calls have similar names, except that libval calls carry a val_ prefix.
- Usually two additional parameters are added:
  - a val_status_t parameter used to store the success or failure of validation
  - a val_context_t parameter used to store the validation context (may be NULL, which selects a default context)
Example
Below is some pseudocode as an example of a simple conversion from the standard 'res_query' call to libval's 'val_res_query'.
Standard call:
    #include <resolv.h>

    /* length of the wire-format answer, or -1 on failure */
    length = res_query((char *) dname,
                       (int) class, (int) type,
                       (unsigned char *) reply->buf, (int) sizeof(reply->buf));
    if (length < 0) {
        /* process errors */
    }
Using libval's call (the program must be linked against libval):
    #include <validator.h>

    val_status_t val_status;

    /* a NULL context selects libval's default context */
    length = val_res_query((val_context_t *) NULL,
                           (char *) dname,
                           (int) class, (int) type,
                           (unsigned char *) reply->buf, (int) sizeof(reply->buf),
                           &val_status);
    /* a resolver error and an answer that failed validation are both failures */
    if ((length < 0) || (!val_istrusted(val_status))) {
        /* process errors */
    }
If desired, more information about the validation status of a query can be pulled from libval. Using additional libval APIs and data structures, a program can walk the validation chain to find exactly where and how a query failed validation. Often, however, the only information needed is whether or not the query result can be trusted.
Trust
libval's trust is configurable. The file dnsval.conf, usually in /usr/local/etc/dnssec-tools/, holds the configuration information for validation: the list of trust anchors to use, the list of domains that require DNSSEC validation, and the list of domains that do not require DNSSEC validation. Domains in dnsval.conf that require validation are only considered trusted if the queries for those domains can be successfully validated. Domains in dnsval.conf that do not require validation are considered implicitly trusted; that is, standard DNS responses from those domains are trusted.
libval_shim
Software Summary
Application/Script Writers
| Component | Documentation | Description |
| libval, libsres | Manual, Manual | C libraries that implement DNSSEC-aware DNS resolution APIs. |
| libval_shim | Manual | Preload shim library: maps DNS calls in legacy applications to the equivalent DNSSEC-aware functions. |
| DNS Error Checking Tools | | |
| Perl Modules: | | |
| Net::DNS::ZoneFile::Fast | Manual | Quickly read and parse a zone file into Net::DNS object records. |
| Net::DNS::SEC::Validator | Manual | Perl bindings to the libval and libsres libraries. |
| Net::addrinfo | Manual | Interface to POSIX getaddrinfo and related constants, structures and functions. |
