DNSSEC functions

Functions

getdns_return_t getdns_validate_dnssec (const getdns_list *to_validate, const getdns_list *support_records, const getdns_list *trust_anchors)
 
getdns_list* getdns_root_trust_anchor (time_t *utc_date_of_anchor)
 
getdns_return_t getdns_validate_dnssec2 (const getdns_list *to_validate, const getdns_list *support_records, const getdns_list *trust_anchors, time_t validation_time, uint32_t skew)
 

Function Documentation

◆ getdns_validate_dnssec()

getdns_return_t getdns_validate_dnssec ( const getdns_list *to_validate,
const getdns_list *support_records,
const getdns_list *trust_anchors
)

Offline DNSSEC validate Resource Records with the help of support records and a DNSSEC trust anchor.

See also
DNSSEC values and texts
Parameters
to_validate: This is a list of reply_dicts to validate (as can be seen under "replies_tree" in a response dict), or an RRset with signatures represented as a list of rr_dicts. The format of rr_dict can be seen in the sections of reply_dicts in response dicts. It is also possible to validate the non-existence of a query. Besides all the necessary NSEC(3)s plus signatures, to_validate should then also contain a question rr_dict with a qname, qclass and qtype.
support_records: A list of all the DNSKEY, DS and NSEC(3) RRsets (in the form of rr_dicts) that may be used to validate the RRsets or replies in to_validate. The value returned under "validation_chain" in a response dict when the dnssec_return_validation_chain extension was used can be used directly for this.
trust_anchors: A list of rr_dicts containing the DNSSEC trust anchors. The return value of getdns_root_trust_anchor() can be used directly for this.
Returns
The function returns one of GETDNS_DNSSEC_SECURE, GETDNS_DNSSEC_BOGUS, GETDNS_DNSSEC_INDETERMINATE, or GETDNS_DNSSEC_INSECURE depending on the validation status.

◆ getdns_root_trust_anchor()

getdns_list* getdns_root_trust_anchor ( time_t *utc_date_of_anchor )

Get the default list of trust anchor records that is used by the library to validate DNSSEC.

Parameters
utc_date_of_anchor: Set to the number of seconds since the epoch at which the trust anchors were obtained.
Returns
The list of DNSSEC trust anchors, or NULL on error. The caller is responsible for deallocating the list with getdns_list_destroy().

◆ getdns_validate_dnssec2()

getdns_return_t getdns_validate_dnssec2 ( const getdns_list *to_validate,
const getdns_list *support_records,
const getdns_list *trust_anchors,
time_t validation_time,
uint32_t skew
)

Validate replies or resource records.

See also
DNSSEC values and texts
Parameters
to_validate: A list of RR-dicts with companion RRSIG RR-dicts which will be validated, or a list of reply-dicts that will be validated. The "replies_tree" list of a response dict can be used directly here.
support_records: A list of DS RR-dicts and DNSKEY RR-dicts with companion RRSIG RR-dicts that lead up from one of the trust_anchors to the RR-dicts or replies to validate. The "validation_chain" list of a response dict (obtained with the dnssec_return_validation_chain extension) can be used directly here.
trust_anchors: The list of trusted DNSKEY or DS RR-dicts. The result of the getdns_root_trust_anchor() or the getdns_context_get_dnssec_trust_anchors() function can be used directly here.
validation_time: The point in time, in seconds since 1 January 1970 00:00:00 UTC, ignoring leap seconds and wrapping using "serial number arithmetic" as defined in RFC 1982.
skew: The number of seconds of skew that is allowed in either direction when checking an RRSIG's Expiration and Inception fields.
Returns
The DNSSEC status of the validated records or replies: GETDNS_DNSSEC_SECURE, GETDNS_DNSSEC_INSECURE, GETDNS_DNSSEC_INDETERMINATE or GETDNS_DNSSEC_BOGUS, or an error return code.
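The validation_time and skew parameters of getdns_validate_dnssec2() describe a time-window check on each RRSIG: Inception and Expiration are 32-bit values compared with RFC 1982 serial number arithmetic, and skew widens the window in both directions. The C program below is an added illustration of that check in isolation; it is not getdns code and does not reproduce the library's internals. The enum values, function names and the January 2024 sample timestamps are this example's own constructions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the time-window check. These are local stand-ins for the
 * example only, not the library's GETDNS_DNSSEC_* values. */
typedef enum {
    SIG_TIME_OK = 0,       /* inside the [Inception, Expiration] window */
    SIG_NOT_YET_VALID = 1, /* Inception still lies in the future */
    SIG_EXPIRED = 2,       /* Expiration already lies in the past */
    SIG_MALFORMED = 3      /* unparsable, or Expiration precedes Inception */
} sig_time_status;

/* RFC 1982 "less than" on 32-bit serial numbers: s1 < s2 when s2 is at
 * most 2^31 - 1 steps ahead of s1 on the 2^32 ring. Equal values are
 * neither less nor greater; a distance of exactly 2^31 is left undefined
 * by the RFC and is treated as "less" here. */
static bool serial_lt(uint32_t s1, uint32_t s2)
{
    uint32_t d = s1 - s2; /* modular subtraction, wraps at 2^32 */
    return s1 != s2 && d >= 0x80000000u;
}

/* Days since 1970-01-01 for a proleptic Gregorian date
 * (Howard Hinnant's days_from_civil algorithm). */
static int64_t days_from_civil(int64_t y, unsigned m, unsigned d)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    unsigned yoe = (unsigned)(y - era * 400);
    unsigned doy = (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1;
    unsigned doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + (int64_t)doe - 719468;
}

/* Parse an RRSIG Inception/Expiration field in presentation format
 * (YYYYMMDDHHmmSS, RFC 4034 section 3.2) into its 32-bit wire value:
 * seconds since the epoch, leap seconds ignored, as the page describes. */
static bool parse_rrsig_time(const char *s, uint32_t *out)
{
    unsigned f[6] = {0};
    static const int width[6] = {4, 2, 2, 2, 2, 2};
    if (strlen(s) != 14) return false;
    for (int i = 0, pos = 0; i < 6; pos += width[i], i++) {
        for (int j = 0; j < width[i]; j++) {
            char c = s[pos + j];
            if (c < '0' || c > '9') return false;
            f[i] = f[i] * 10 + (unsigned)(c - '0');
        }
    }
    if (f[1] < 1 || f[1] > 12 || f[2] < 1 || f[2] > 31 ||
        f[3] > 23 || f[4] > 59 || f[5] > 59) return false;
    int64_t secs = days_from_civil(f[0], f[1], f[2]) * 86400
                 + (int64_t)f[3] * 3600 + f[4] * 60 + f[5];
    if (secs < 0 || secs > UINT32_MAX) return false;
    *out = (uint32_t)secs;
    return true;
}

/* The window check as the validation_time/skew parameters describe it:
 *   Inception <= validation_time + skew   and
 *   validation_time - skew <= Expiration,
 * evaluated in serial arithmetic so a wrap past 2^32 is handled. */
static sig_time_status check_rrsig_window(uint32_t inception, uint32_t expiration,
                                          uint32_t validation_time, uint32_t skew)
{
    if (serial_lt(expiration, inception))
        return SIG_MALFORMED;      /* window is inside out */
    if (serial_lt(validation_time + skew, inception))
        return SIG_NOT_YET_VALID;  /* clock may be at most `skew` s fast */
    if (serial_lt(expiration + skew, validation_time))
        return SIG_EXPIRED;        /* clock may be at most `skew` s slow */
    return SIG_TIME_OK;
}

/* Convenience wrapper over the presentation-format fields. */
static sig_time_status check_rrsig_window_text(const char *inception,
                                               const char *expiration,
                                               uint32_t validation_time,
                                               uint32_t skew)
{
    uint32_t inc, exp;
    if (!parse_rrsig_time(inception, &inc) || !parse_rrsig_time(expiration, &exp))
        return SIG_MALFORMED;
    return check_rrsig_window(inc, exp, validation_time, skew);
}

int main(void)
{
    /* Constructed sample: a signature covering January 2024, checked
     * 100 seconds before its Inception with and without skew. */
    const char *inc = "20240101000000", *exp = "20240131000000";
    uint32_t just_before = 1704067200u - 100u;
    printf("skew 0:   %d\n", check_rrsig_window_text(inc, exp, just_before, 0));
    printf("skew 300: %d\n", check_rrsig_window_text(inc, exp, just_before, 300));
    return 0;
}
```

Two points the example makes visible: a skew of zero rejects a signature that is seconds away from its Inception, which is the usual cause of spurious BOGUS results on hosts with drifting clocks, and the serial-arithmetic comparison is what keeps the check correct when Inception and Expiration straddle the 32-bit wrap rather than being compared as plain integers.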