On 03-04-16 at 13:59, Linus Nordberg wrote:
> Willem Toorop <willem at nlnetlabs.nl> wrote
> Sun, 3 Apr 2016 12:46:24 -0300:
> | On 03-04-16 at 09:10, Linus Nordberg wrote:
> | > Willem Toorop <willem at nlnetlabs.nl> wrote
> | > Sun, 3 Apr 2016 08:45:45 -0300:
> | >
> | > | > Next question is if I can somehow access the canonicalised data that the
> | > | > validation is based on? From skimming the code, it seems to me that
> | > | > canonicalisation is performed but I haven't figured out if it's safe to
> | > | > assume that I could simply use the data in getdns_list's that I passed
> | > | > to getdns_validate_dnssec2() once it returns.
> | > |
> | > | No, the verification buffers are temporarily used for the verification
> | > | process only. But why do you need the canonicalized form?
> | >
> | > (Cross posting to dnssec-transparency@ where this discussion is more on
> | > topic.)
> | >
> | > A DNSSEC Transparency log server should store RR's in canonicalised form
> | > in order to be able to return an old SCT when a submitted record already
> | > exists in the log. Without this it'd be even easier to spam a log to
> | > death.
> | >
> | > At least that's my understanding of why this is important. Another less
> | > important reason would be to make it easier for auditors and monitors to
> | > verify log behaviour and content.
> |
> | Ok... well, then we need to do something about it :)
> | So, the conversion to wireformat functions already get rid of
> | compression if you remove the /rdata/rdata_raw fields from the rr_dicts.
> | I suppose it could be an extra parameter in that conversion function to
> | write out canonicalized form. Or different function names... for
> | example:
> |
> | getdns_return_t
> | getdns_rr_dict2canonical_wire(
> | const getdns_dict *rr_dict, uint8_t **wire, size_t *wire_sz);
> |
> | getdns_return_t
> | getdns_rr_dict2canonical_wire_buf(
> | const getdns_dict *rr_dict, uint8_t *wire, size_t *wire_sz);
> |
> | getdns_return_t
> | getdns_rr_dict2canonical_wire_scan(
> | const getdns_dict *rr_dict, uint8_t **wire, size_t *wire_sz);
> |
> | What do you think?
>
> That'd be very useful for my purposes.
Yes, I've been chewing on this a little bit, and considering that
canonical order also seems important, perhaps we can come up with some
more generic functions.
For example one to canonicalize a single rr_dict:
getdns_return_t
getdns_rr_dict_canonicalize(
const getdns_dict *rr_dict, getdns_dict **canonicalized_rr_dict);
and one to sort:
getdns_return_t
getdns_rr_dicts_sort(const getdns_list *unsorted, getdns_list **sorted);
where the sorting function makes sure the signature rr_dicts are right
behind the rrsets they sign.
What do you think?
-- Willem
> | Are you only converting individual rr_dict's or complete replies as
> | well? For complete replies it could also be interesting (for other use
> | cases) to explicitly ask for name compression.
>
> My validation program reads a set of RR's in wire format where the first
> RR is a DS RR, the next one is an RRSIG RR covering the previous DS RR
> and the rest are "support records", including RRSIG's.
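To make the two proposals in this thread concrete, here is an added example in C. It is not getdns code and not code from either poster: rr_t is a constructed stand-in for an rr_dict whose names are already uncompressed, and every name, record and signature byte in it is made up. It does what getdns_rr_dict_canonicalize and getdns_rr_dicts_sort would have to do: RFC 4034 section 6 canonical form (lowercased owner and RDATA names, compression pointers rejected), canonical name and RDATA ordering, a sort that keeps each RRSIG directly behind the RRset it covers, and the identity check a log would use to recognise a resubmitted record and hand back the old SCT. RDATA name handling is limited to NS, CNAME, PTR, MX and RRSIG; other types are passed through unchanged.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for an rr_dict; names are uncompressed wire format. */
typedef struct {
    uint8_t *owner; size_t owner_len; uint16_t type, class_;
    uint32_t ttl;  /* never part of a record's identity */
    uint8_t *rdata; size_t rdata_len;
} rr_t;
enum { T_NS = 2, T_CNAME = 5, T_PTR = 12, T_MX = 15, T_RRSIG = 46 };

/* Lowercase an uncompressed wire-format name in place. Returns its length with
 * the root label; 0 if truncated or holding a compression pointer (forbidden). */
size_t canon_wire_name(uint8_t *name, size_t len)
{
    for (size_t pos = 0; pos < len; pos += 1 + name[pos]) {
        uint8_t ll = name[pos];
        if (ll == 0) return pos + 1;
        if ((ll & 0xC0) || pos + 1 + ll > len) return 0;
        for (size_t i = 1; i <= ll; i++)
            if (name[pos + i] >= 'A' && name[pos + i] <= 'Z') name[pos + i] += 'a' - 'A';
    }
    return 0;
}
/* RFC 4034 6.2 canonical form: lowercase the owner and the domain names inside
 * RDATA (only a few name-carrying types handled here). Returns 1 on success. */
int canon_rr(rr_t *rr)
{
    size_t off;
    if (!canon_wire_name(rr->owner, rr->owner_len)) return 0;
    switch (rr->type) {
    case T_NS: case T_CNAME: case T_PTR: off = 0;  break; /* RDATA is one name */
    case T_MX:                           off = 2;  break; /* preference, name */
    case T_RRSIG:                        off = 18; break; /* fixed fields, signer */
    default:                             return 1;        /* no names in RDATA */
    }
    return off < rr->rdata_len && canon_wire_name(rr->rdata + off, rr->rdata_len - off) != 0;
}
/* Octet-string order for RDATA (6.3): memcmp, a proper prefix sorting first. */
int cmp_octets(const uint8_t *a, size_t al, const uint8_t *b, size_t bl)
{
    int c = memcmp(a, b, al < bl ? al : bl);
    return c ? c : (al > bl) - (al < bl);
}
/* Canonical name order (6.1): labels compared from the root down, so an ancestor
 * sorts before its descendants. Names must already be lowercase. */
int canon_name_cmp(const uint8_t *a, const uint8_t *b)
{
    const uint8_t *la[128], *lb[128]; int na = 0, nb = 0;
    for (const uint8_t *p = a; *p; p += 1 + *p) la[na++] = p;
    for (const uint8_t *p = b; *p; p += 1 + *p) lb[nb++] = p;
    for (int i = 1; i <= na && i <= nb; i++) {
        int c = cmp_octets(la[na - i] + 1, *la[na - i], lb[nb - i] + 1, *lb[nb - i]);
        if (c) return c;
    }
    return (na > nb) - (na < nb);
}
/* RRsets by (owner, class, type), RRs within a set by RDATA; an RRSIG is keyed on
 * its "type covered" field plus a flag, so it lands right behind the set it signs. */
int rr_canon_cmp(const void *pa, const void *pb)
{
    const rr_t *a = pa, *b = pb;
    int c = canon_name_cmp(a->owner, b->owner);
    if (c) return c;
    if (a->class_ != b->class_) return a->class_ < b->class_ ? -1 : 1;
    int sa = a->type == T_RRSIG, sb = b->type == T_RRSIG;
    unsigned ta = sa ? (a->rdata[0] << 8 | a->rdata[1]) : a->type;
    unsigned tb = sb ? (b->rdata[0] << 8 | b->rdata[1]) : b->type;
    if (ta != tb) return ta < tb ? -1 : 1;
    if (sa != sb) return sa - sb;
    return cmp_octets(a->rdata, a->rdata_len, b->rdata, b->rdata_len);
}
/* Canonicalize every RR, then sort. Returns how many RRs were rejected. */
int canon_rrs(rr_t *rrs, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) bad += !canon_rr(&rrs[i]);
    if (!bad) qsort(rrs, n, sizeof *rrs, rr_canon_cmp);
    return bad;
}
/* Log-side identity: same record iff canonical owner, class, type and RDATA
 * match, so a resubmission in other case or with another TTL is recognised. */
int rr_canon_equal(const rr_t *a, const rr_t *b)
{
    return a->class_ == b->class_ && a->type == b->type &&
           !cmp_octets(a->owner, a->owner_len, b->owner, b->owner_len) &&
           !cmp_octets(a->rdata, a->rdata_len, b->rdata, b->rdata_len);
}
int main(void)
{   /* Constructed sample, mixed case and out of order; octal escapes keep the
     * length byte from swallowing the next letter. */
    uint8_t zone[] = "\007Example\003COM", sub[] = "\001A\007example\003com";
    uint8_t ns1[] = "\003NS1\007example\003com", ns2[] = "\003ns2\007Example\003com";
    uint8_t a4[] = {192, 0, 2, 1};
    uint8_t sig[] = {0, 2, 8, 2, 0, 0, 14, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                     7, 'E', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0, 0xAA};
    rr_t rrs[] = { {sub, sizeof sub, 1, 1, 300, a4, sizeof a4}, {zone, sizeof zone, T_RRSIG, 1, 300, sig, sizeof sig},
                   {zone, sizeof zone, T_NS, 1, 300, ns2, sizeof ns2}, {zone, sizeof zone, T_NS, 1, 300, ns1, sizeof ns1} };
    if (canon_rrs(rrs, 4)) return 1;
    for (int i = 0; i < 4; i++) {       /* expected: NS ns1, NS ns2, RRSIG, then A */
        for (uint8_t *p = rrs[i].owner; *p; p += 1 + *p) printf("%.*s.", *p, (char *)p + 1);
        printf(" type %u\n", rrs[i].type);
    }
    return 0;
}
```

The TTL is kept out of rr_canon_equal on purpose: RFC 4034 replaces it with the RRSIG's original TTL when signing, and a log that keyed on the TTL it happened to receive would accept the same record once per TTL value, which is exactly the duplicate-spam problem the canonical form is meant to close. Rejecting compression pointers outright, rather than resolving them, mirrors the thread's point that canonical data must not depend on the packet it was carved out of.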