Libval and libsres
libval is the validating library that comes with the DNSSEC-Tools package. It lets applications issue DNS queries and verify that the returned responses are trusted according to the policies in the system's dnsval.conf file. libsres is the resolver library that libval uses to query the network for DNS data. Application developers will generally only need the APIs defined in libval.
libval was probably the first DNSSEC stub validator implementation written for the current DNSSEC specification. It is based on the API defined in the Internet-Draft draft-hayatnagarkar-dnsext-validator-api. libval is needed, in addition to a validating recursive name server, to give application authors complete assurance that validation was performed locally. A recursive name server alone cannot guarantee this: the AD bit it sets in a response is just a header flag, trustworthy only if the path between the application and the resolver is, and whether a resolver counts as "local" is decided by the resolver's administrator, not by the application. An assumption about the locality of a name server may hold one day and not the next. Policies applicable to the system as a whole may also be insufficient for a particular application, whereas libval provides each application with a resolution-policy framework it can tailor if need be.
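The AD-bit point above, as an added example that is not code from the DNSSEC-Tools project: a small C parser over constructed DNS response headers showing that AD is a single unauthenticated header bit that anyone between the application and the resolver can set, and why a stub validator therefore sets CD in its own queries and checks the RRSIGs itself. The byte strings are constructed for the demonstration, and `parse_dns_flags`, `forge_ad_bit` and `stub_query_flags` are names chosen here, not libval API.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of the 16-bit flags field of a DNS message header
 * (RFC 1035 section 4.1.1; AD and CD bits from RFC 4035 section 3.1.6). */
struct dns_flags {
    unsigned qr, opcode, aa, tc, rd, ra, ad, cd, rcode;
};

/* Parse the header flags of a DNS message. Returns 0 on success, -1 if the
 * buffer is too short to hold the 12-byte header. */
int parse_dns_flags(const uint8_t *msg, size_t len, struct dns_flags *out)
{
    if (msg == NULL || out == NULL || len < 12)
        return -1;
    uint16_t f = (uint16_t)((msg[2] << 8) | msg[3]);
    out->qr     = (f >> 15) & 1;
    out->opcode = (f >> 11) & 0xf;
    out->aa     = (f >> 10) & 1;
    out->tc     = (f >> 9) & 1;
    out->rd     = (f >> 8) & 1;
    out->ra     = (f >> 7) & 1;
    out->ad     = (f >> 5) & 1;  /* Authenticated Data: asserted by the resolver */
    out->cd     = (f >> 4) & 1;  /* Checking Disabled: requested by the querier */
    out->rcode  = f & 0xf;
    return 0;
}

/* What anyone on the path between application and resolver (or a broken
 * middlebox) can do to a reply from a non-validating resolver: set AD.
 * Nothing in the message authenticates the header, so the application
 * cannot distinguish the result from a genuinely validated reply.
 * Returns 0 on success, -1 if the buffer is too short. */
int forge_ad_bit(uint8_t *msg, size_t len)
{
    if (msg == NULL || len < 12)
        return -1;
    msg[3] |= 0x20;
    return 0;
}

/* Header flags a stub validator puts in its own query: RD so the recursive
 * server performs the lookup, and CD so it hands back the records and their
 * RRSIGs even when its own validation fails, because the stub validates them
 * itself against a locally configured trust anchor (RFC 4035 section 3.2.2). */
uint16_t stub_query_flags(void)
{
    return (uint16_t)((1u << 8) | (1u << 4));
}

/* Constructed 12-byte headers for the demonstration (no question or answer
 * sections are needed to make the point): ID 0x1234, QR=1 RD=1 RA=1,
 * NOERROR, QDCOUNT=1, ANCOUNT=1; they differ only in the AD bit. */
static const uint8_t VALIDATED_RESPONSE[12] = {
    0x12, 0x34, 0x81, 0xa0, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t UNVALIDATED_RESPONSE[12] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };

int main(void)
{
    uint8_t buf[12];
    struct dns_flags f;

    memcpy(buf, UNVALIDATED_RESPONSE, sizeof buf);
    parse_dns_flags(buf, sizeof buf, &f);
    printf("unvalidated reply: AD=%u CD=%u RCODE=%u\n", f.ad, f.cd, f.rcode);

    forge_ad_bit(buf, sizeof buf);
    parse_dns_flags(buf, sizeof buf, &f);
    printf("after on-path forgery: AD=%u, byte-identical to a validated reply: %s\n",
           f.ad, memcmp(buf, VALIDATED_RESPONSE, sizeof buf) == 0 ? "yes" : "no");

    printf("stub validator query flags: 0x%04x (RD|CD)\n", stub_query_flags());
    return 0;
}
```

libval does not make the trust decision from the AD bit at all: the application inspects the val_status_t returned by calls such as val_getaddrinfo() or val_res_query(), using val_isvalidated() and val_istrusted(), and that status is derived from the RRSIG chain checked against the trust anchors in dnsval.conf.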
Some of the high-level features of libval are given below:
- It provides the application with a robust API for determining validation status and the reasons for validation failures.
- It provides flexibility and greater control over defining *application-specific* validation policies.
- The -threads build (libval-threads) is thread-safe. The library can also be built on systems that do not support threads.
- It can send asynchronous queries, so the application can continue with other tasks while the different on-the-wire lookups complete. libval supports asynchronous querying without spawning a new thread or process.
- It works well when given a recursive name server to direct its queries to. If no recursive name server is available, or if the default name servers given to libval are broken in some respect (for example, one that strips DNSSEC records from responses), libval falls back to an iterative lookup from the root to find an answer it can validate.
- The library has been ported to a number of platforms, including certain "mobile" device platforms such as Android, Maemo, MeeGo and Harmattan.
- There are probably more worked examples of applications made DNSSEC-capable with libval than with any other library at present.
- It contains initial support for DANE; full DANE support should be available soon.
Example Policy Specifications
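An example of the kind of application-specific policy the feature list refers to, added here and not taken from the DNSSEC-Tools distribution. It assumes the dnsval.conf syntax as documented in the dnsval.conf manual as I recall it (a `: "label"` line introduces a policy, each keyword block is terminated by `;`, `#` starts a comment), so check the keywords against the manual shipped with your version. The zone names and the "mailer" label are constructed for the example; 20326 is the key tag of the IANA root KSK, but the digest is left as a placeholder to be copied from the IANA trust-anchor file rather than typed from memory.

```conf
# Default policy: selected by applications that pass a NULL label to
# val_create_context(). Validate everything under the root trust anchor,
# but do not insist on validation for an unsigned internal zone.
: ":"
trust-anchor
    .              DS  20326 8 2 <sha256 digest from the IANA root trust anchor file>
    ;
zone-security-expectation
    .              validate
    corp.example.  ignore
    ;

# Application-specific policy: selected with val_create_context("mailer", &ctx).
# The mail daemon must never accept an unvalidated answer, even for the
# internal zone that the system-wide policy treats as unsigned.
: "mailer"
trust-anchor
    .              DS  20326 8 2 <sha256 digest from the IANA root trust anchor file>
    ;
zone-security-expectation
    .              validate
    corp.example.  validate
    ;
```

With this file, a lookup of a corp.example name returns an untrusted status under the "mailer" policy while the system default accepts it as insecure-but-usable, which is exactly the per-application tailoring the text above describes: the same dnsval.conf serves both, and neither application depends on the resolver administrator's notion of "local".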
Other DNSSEC validation libraries exist besides libval. The table below compares them on the following criteria (where values were recorded they are listed in the table's original column order):

| Feature | Criterion | Values |
|---|---|---|
| GOST support | Does the library support the GOST signing algorithm (DNSSEC algorithm 12, RFC 5933)? | No / Yes / Yes (I think?) |
| Python bindings | Can the library be called easily from within Python? | |
| Perl bindings | Can the library be called easily from within Perl? | |
| Asynchronous API | Can multiple packets be sent without using threads? (libunbound can.) | |
| Can be built without threads | Useful on some embedded systems without thread support. | |
| Legacy exact API replacements | Does the library offer easy getaddrinfo, gethostbyname, etc. replacement functions? | |
| Shim library | Can non-linked applications be loaded with automatic replacement functions without relinking (e.g. via LD_PRELOAD)? | |
| Application-specific contexts and policies | Can applications require different DNSSEC support levels, etc., specific to their needs rather than system-wide settings? | |
| DANE support | Does the library provide a DNSSEC/DANE-secured TLS connection API? | |
| Smart fallback strategies | Does the library detect that it is behind broken resolvers or middleboxes and attempt to work around the problems automatically? | |
| C API for signing/reading zone files | | No / Yes / Unknown (probably) |
| CLI tools (lookups, etc.) | | Yes / Yes / Yes |
| Extensive debugging output | | Yes / Unknown / Unknown |
| Time in ms for 100,000 validated www.dnssec-tools.org lookups | Uses a local 127.0.0.1 resolver as seed; test code used. | |