Bloat » Cerowrt

There's a bunch of stuff in dnssec-tools (some of which, AIUI, duplicates functionality already available in BIND 9).

The only bit I was interested in was libval, which has DNSSEC-validating versions of the get*by*() and get*info() functions. https://www.dnssec-tools.org/wiki/index.php/Libval_and_libsres

what I want is the NON dnssec validating versions of those functions! Not in there?

Dave Täht wrote:

what I want is the NON dnssec validating versions of those functions! Not in there?

No, what you want is the validating version.

The standard getaddrinfo() simply asks the resolver for an address. The resolver attempts to validate the data, fails, and returns SERVFAIL; you get nothing.

The validating version (I believe it's called val_getaddrinfo()) takes responsibility for validation by itself. It asks the resolver to provide the address data and associated DNSSEC data, warts and all, without validating it. (In other words it sets the CD bit on the query.) Then it does its own validation. What you get is the data requested, plus information about its validity, so you can decide for yourself whether to use the information or not.

Honestly, what you really want is a simple flag to getaddrinfo() to set the CD bit. But val_getaddrinfo() is one way to get there without having to muck with glibc or whatever library getaddrinfo() lives in.

Well, getting this right is on my list for RC6 or RC7. But I'm buried at a conference all week.