On 03-04-16 at 09:10, Linus Nordberg wrote:
Willem Toorop <willem at nlnetlabs.nl> wrote
Sun, 3 Apr 2016 08:45:45 -0300:
| > Next question is if I can somehow access the canonicalised data that the
| > validation is based on? From skimming the code, it seems to me that
| > canonicalisation is performed but I haven't figured out if it's safe to
| > assume that I could simply use the data in getdns_list's that I passed
| > to getdns_validate_dnssec2() once it returns.
|
| No, the verification buffers are temporarily used for the verification
| process only. But why do you need the canonicalized form?
(Cross posting to dnssec-transparency@ where this discussion is more on
topic.)
A DNSSEC Transparency log server should store RR's in canonicalised form
in order to be able to return an old SCT when a submitted record already
exists in the log. Without this it'd be even easier to spam a log to
death.
At least that's my understanding of why this is important. Another less
important reason would be to make it easier for auditors and monitors to
verify log behaviour and content.
Ok... well, then we need to do something about it :)
So, the conversion to wireformat functions already get rid of
compression if you remove the /rdata/rdata_raw fields from the rr_dicts.
I suppose it could be an extra parameter in that conversion function to
write out canonicalized form. Or different function names... for
example:
getdns_return_t
getdns_rr_dict2canonical_wire(
const getdns_dict *rr_dict, uint8_t **wire, size_t *wire_sz);
getdns_return_t
getdns_rr_dict2canonical_wire_buf(
const getdns_dict *rr_dict, uint8_t *wire, size_t *wire_sz);
getdns_return_t
getdns_rr_dict2canonical_wire_scan(
const getdns_dict *rr_dict, uint8_t **wire, size_t *wire_sz);
What do you think?
Are you only converting individual rr_dict's or complete replies as
well? For complete replies it could also be interesting (for other use
cases) to explicitly ask for name compression.
Thinking some more about it, duplicate checks should probably be
performed on the submitted DS record (and possibly its accompanying
RRSIG) only. I'm still pretty sure it should be canonicalised.
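To make the canonical-form requirement discussed in this thread concrete, here is an added example (not getdns code, and not written by either participant) that builds the RFC 4034 section 6 canonical wire form of a DS record and derives a duplicate-check key from it. The owner name is lowercased and written without compression; DS RDATA carries no domain names, so it is copied verbatim. The TTL is taken as a parameter because section 6.2 defines it as the Original TTL from the covering RRSIG, not whatever TTL a submitter happens to send. The sample DS values are constructed for illustration.

```python
import hashlib
import struct

# RR type and class codes from the DNS IANA registry.
TYPE_DS = 43
CLASS_IN = 1


def canonical_name(name: str) -> bytes:
    """Uncompressed, lowercased wire form of a domain name (RFC 4034 s6.2).

    Non-ASCII names (IDNA) are assumed to be A-labels already.
    """
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("label length must be 1..63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminator


def ds_rdata(key_tag: int, algorithm: int, digest_type: int, digest: bytes) -> bytes:
    """Wire RDATA of a DS record (RFC 4034 s5.1): key tag, algorithm, digest type, digest."""
    return struct.pack("!HBB", key_tag, algorithm, digest_type) + digest


def canonical_rr(owner: str, rtype: int, rclass: int, original_ttl: int, rdata: bytes) -> bytes:
    """Canonical form of one RR: owner | type | class | TTL | RDLENGTH | RDATA.

    For DS the RDATA contains no domain names, so no lowercasing applies to it.
    Types listed in RFC 4034 s6.2 (NS, CNAME, MX, ...) would need their embedded
    names lowercased as well; that is deliberately not handled here.
    """
    header = struct.pack("!HHIH", rtype, rclass, original_ttl, len(rdata))
    return canonical_name(owner) + header + rdata


def canonical_rrset(owner: str, rtype: int, rclass: int, original_ttl: int, rdatas) -> bytes:
    """Canonical RRset (RFC 4034 s6.3): duplicates dropped, RRs sorted by RDATA.

    Python's bytes ordering matches the RFC's left-justified unsigned octet
    comparison, where a missing octet sorts before a zero octet.
    """
    return b"".join(
        canonical_rr(owner, rtype, rclass, original_ttl, rd)
        for rd in sorted(set(rdatas))
    )


def log_dedup_key(owner: str, original_ttl: int, rdata: bytes) -> str:
    """Hash of the canonical DS RR, usable as the 'already in the log' lookup key."""
    return hashlib.sha256(canonical_rr(owner, TYPE_DS, CLASS_IN, original_ttl, rdata)).hexdigest()


if __name__ == "__main__":
    # Constructed sample: the same DS submitted twice with different owner-name case.
    rd = ds_rdata(12345, 8, 2, bytes(range(32)))
    k1 = log_dedup_key("Example.COM.", 3600, rd)
    k2 = log_dedup_key("example.com", 3600, rd)
    print("same entry:", k1 == k2)
```

Running the block shows that a resubmission differing only in owner-name case maps to the same key, so a log can hand back the existing SCT instead of creating a second entry; a different digest (or a different Original TTL) gives a different key, as it should.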