Libval and libsres

From DNSSEC-Tools
DNSSEC-Tools Component: Libval and libsres

This page describes Libval and libsres, which are in the Application Tools category within the DNSSEC-Tools Components framework of tools.

Tool Name: Libval and libsres
Tool Type: Application Tools
Manual: and libsres.html Manual
Example: and libsres-example.txt Example
CLI: and libsres-help.txt Help
Tutorial: Tutorial
How To: and libsres-dnssec-howto.txt How To
Download: Libval and libsres

Overview

libval is the validating library that ships with the DNSSEC-Tools package. It lets an application issue DNS queries and verify that the responses it gets back are trusted according to the policies in the system's dnsval.conf file. libsres is the resolver library that libval uses to send queries to the network and collect DNS data. Application developers will generally only need the APIs defined in libval.

Libval was probably the first DNSSEC stub validator implementation for the current DNSSEC specification. Its API is based on an internet-draft, draft-hayatnagarkar-dnsext-validator-api. Libval is needed in addition to a validating recursive name server because only local validation gives an application assurance that validation was actually performed. An application that relies solely on a recursive name server is trusting both that server and the path to it, and whether that server counts as "local" is decided by the resolver's administrator, not by the application; an assumption about the locality of a name server may hold one day and not the next. Policies that are appropriate system-wide may also be insufficient for a particular application, whereas libval gives each application a resolution policy framework that it can tailor if needed.

Features

Some of the high-level features of libval are given below:

  • It provides the application with a robust API for determining validation status and the reason for a validation failure.
  • It gives the application flexibility and control over *application-specific* validation policies, which may differ from the system-wide policy.
  • The -threads build (libval-threads) is thread-safe. The library can also be built on systems that do not support threads.
  • It can send asynchronous queries, so the application can continue with other work while the on-the-wire lookups complete. libval implements asynchronous querying without spawning a new thread or a new process.
  • It works well when given a recursive name server to direct its queries to. If no recursive name server is available, or the default name servers provided to libval are broken in some respect (for example, a middlebox that interferes with DNSSEC records), libval falls back to an iterative lookup from the root to find an answer it can validate.
  • The library has been ported to a number of platforms, including "mobile" device platforms such as Android, Maemo, MeeGo and Harmattan.
  • There are probably more worked examples of applications made DNSSEC-capable with libval than with any other library at present.
  • It contains initial support for DANE; full DANE support should be available soon.

Example Policy Specifications

TBD

Comparison

The following other DNSSEC validation libraries exist besides libval; the chart compares them feature by feature. Cells marked "???", "Unknown" or "(I think?)" were left uncertain on the original page.

Comparison Chart

Feature                                   | libval  | ldns                       | knot
------------------------------------------+---------+----------------------------+------------------------------
Language                                  | C       | C                          | C
License                                   | BSD     | BSD                        | GPLv3
Requires                                  | OpenSSL | OpenSSL                    | liburcu, OpenSSL, lex / bison
Optional                                  | pthread | ???                        | ???
DNSSEC support                            | Yes     | Yes                        | Yes
GOST support                              | No      | Yes                        | Yes (I think?)
ECDSA support                             | Yes     | Yes                        | Yes
Python bindings                           | Yes     | Yes                        | No
  (can the library be called easily from within python?)
Perl bindings                             | Yes     | No                         | No
  (can the library be called easily from within perl?)
Asynchronous API                          | Yes     | No (libunbound can though) | No ??
  (can multiple packets be sent without using threads?)
Synchronous API                           | Yes     | Yes                        | Yes
Thread-safe                               | Yes     | Yes                        | Yes
Can be built without threads              | Yes     | Yes ?                      | No
  (useful on some embedded systems without threads support)
Legacy exact API replacements             | Yes     | No                         | No
  (does the library offer easy getaddrinfo, gethostbyname, etc. replacement functions?)
Shim library                              | Yes     | No                         | No
  (can non-linked applications be loaded with automatic replacement functions without relinking?)
Application-specific contexts and policies| Yes     | No                         | No
  (can applications require different DNSSEC support levels, etc., specific to their needs vs. system-wide settings?)
DANE support                              | Yes     | Yes                        | No
  (does the library provide a DNSSEC/DANE secured TLS connection API?)
Smart fallback strategies                 | Yes     | Unknown                    | Unknown
  (does the library detect it is behind broken resolvers or middleboxes and attempt to work around problems automatically?)
C API for signing/reading zone files      | No      | Yes                        | Unknown (probably)
CLI tools (lookups, etc.)                 | Yes     | Yes                        | Yes
Extensive debugging output                | Yes     | Unknown                    | Unknown
Time in ms for 100,000 validated          | 10293   | 39782 (uses libunbound)    | Unknown
  www.dnssec-tools.org lookups
  (uses a local 127.0.0.1 resolver as seed; test code used)