Validating DNSSEC signatures with the stub resolver #366
-
|
I'm using the stub resolver to perform SRV-based discovery of services on a domain. I'd like to ascertain whether the response has a valid DNSSEC signature. Do I understand correctly that the API for this is not yet finalised? |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 2 replies
-
|
Yes, the API is not considered stable. It is not clear how big the changes will be. The validator itself needs to get a worker task at some point. But the validator also uses the client transport code which is also unstable. Most likely future changes will at most require minor code changes, but we can't be sure. |
Beta Was this translation helpful? Give feedback.
-
|
I have a follow-up on this, since I want to clearly document the limitations of my tool which uses this crate. Suppose that my local DNS server is a validating resolver and it indicates that a DNSSEC signature is invalid for a given response (using RCODE=2, "Server Failure"; see [RFC4035]). In this case the stub resolver would return an |
Beta Was this translation helpful? Give feedback.
-
|
Correct. |
Beta Was this translation helpful? Give feedback.
Yes, the API is not considered stable. It is not clear how big the changes will be. The validator itself needs to get a worker task at some point. But the validator also uses the client transport code which is also unstable.
Most likely future changes will at most require minor code changes, but we can't be sure.