DNSSEC-Tools being migrated -- expect broken links.
The process to convert older wiki pages to our new site is not yet complete; please be patient while we work through the moving process. -- 2018-08-11
DNSSEC Application Development

This is a short introduction to dnssec-tools for those who want to write applications that support DNSSEC.
libval

The base DNSSEC-Tools component to use for development is the validation library, libval. To support DNS calls, libval provides a set of APIs that mirror the standard resolver APIs. Check the function headers to be sure, but the following generally holds for a standard library call and its libval counterpart:
- common API functions have the same name with a val_ prefix;
- two additional parameters are usually added:
  - a val_status_t parameter that receives the success or failure of validation;
  - a val_context_t parameter that carries the validation context (may be NULL, which selects the default context).
Example

Below is pseudo code showing a simple conversion from the standard res_query call to libval's val_res_query call.

Standard call:

Using libval's call: [libval included during linking]

If desired, more information about the validation status of a query can be pulled from libval. Using additional libval APIs and data structures, a program can walk the validation chain to find exactly where and how a query failed validation. Often, though, the only information needed is whether or not the query can be trusted.
Trust

libval's trust is configurable. The file dnsval.conf, usually in /usr/local/etc/dnssec-tools/, holds the validation configuration: the trust anchors to use, the domains that require DNSSEC validation, and the domains that do not require it. Domains that require validation are considered trusted only if queries for them validate successfully. Domains that do not require validation are implicitly trusted: plain, unvalidated DNS responses from those domains are accepted as trusted. An entry in that second list switches the check off for the domain it names, so keep it short and deliberate.
libval_shim

The libval_shim library is designed to be loaded into an application with the LD_PRELOAD mechanism supported on Linux and various other Unix-like platforms. Loaded this way, the functions exported by libval_shim take precedence over those exported by the system resolver libraries. As long as the application uses one of the legacy resolver calls (gethostbyname(), gethostbyaddr(), getaddrinfo(), getnameinfo(), res_query(), res_search(), getipnodebyname() and getipnodebyaddr()), libval_shim transparently performs DNSSEC processing for that call and returns a result only if DNSSEC processing succeeds; lookups that bypass these calls are not covered.

Users must ensure that libval_shim is loaded before the target application starts. The usual way is to set the LD_PRELOAD variable in the environment of the target application prior to execution.

Since libval_shim is built on libval, trust and policy are configured almost exactly as for libval. The one difference is that applications using libval_shim are expected to be DNSSEC-unaware, so the application itself cannot specify a validation policy. libval therefore provides two ways for libval_shim to select a specific validation policy for a given application (see the dnsval.conf man page for details). If neither option is enabled, libval_shim uses the default validator context for its validation policy.
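A launcher that sets LD_PRELOAD for the target application, as an added example that is not part of the DNSSEC-Tools page or project. The point it adds to the paragraph above is the failure mode: if an LD_PRELOAD entry cannot be loaded, the dynamic loader prints a warning and runs the program anyway, without the shim, so a wrapper that merely exports the variable fails open. This one checks that the shim is present and readable first and refuses to run otherwise. The install path /usr/local/lib/libval_shim.so and the VAL_SHIM override variable are this launcher's own assumptions, not anything libval or the shim reads.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed install location of the shim; adjust to your build. */
#define DEFAULT_SHIM "/usr/local/lib/libval_shim.so"

/* Return 1 if path is a readable regular file, else 0. ld.so only warns
 * and continues unshimmed when a preload entry is missing, which is the
 * opposite of what a validation wrapper wants, so check before exec. */
int shim_usable(const char *path)
{
    struct stat st;
    if (path == NULL || stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    return access(path, R_OK) == 0;
}

/* Build the LD_PRELOAD value: the shim first, then whatever entries were
 * already present, so the shim's resolver symbols win. Caller frees. */
char *preload_value(const char *shim, const char *existing)
{
    size_t n = strlen(shim) + 1;
    char *out;

    if (existing != NULL && existing[0] != '\0')
        n += strlen(existing) + 1;            /* ':' separator */
    out = malloc(n);
    if (out == NULL)
        return NULL;
    strcpy(out, shim);
    if (existing != NULL && existing[0] != '\0') {
        strcat(out, ":");
        strcat(out, existing);
    }
    return out;
}

int main(int argc, char **argv)
{
    const char *shim = getenv("VAL_SHIM");   /* launcher-only override (assumed) */
    char *preload;

    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 64;
    }
    if (shim == NULL)
        shim = DEFAULT_SHIM;
    if (!shim_usable(shim)) {
        fprintf(stderr, "%s: libval_shim not usable at %s; refusing to run %s without validation\n",
                argv[0], shim, argv[1]);
        return 1;
    }
    preload = preload_value(shim, getenv("LD_PRELOAD"));
    if (preload == NULL || setenv("LD_PRELOAD", preload, 1) != 0) {
        perror("setenv");
        return 1;
    }
    execvp(argv[1], argv + 1);   /* only returns on failure */
    perror(argv[1]);
    return 127;
}
```

Two limits to keep in mind when using it: the loader ignores LD_PRELOAD entries given by path for set-user-ID programs (secure-execution mode), so those cannot be shimmed this way; and a statically linked program, or one that does its own DNS instead of calling the resolver functions listed above, never reaches the shim and keeps returning unvalidated answers.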