DNSSEC validation

Evan Hunt each at isc.org
Tue Feb 13 21:11:00 UTC 2018


On Tue, Feb 13, 2018 at 12:42:26PM -0800, SIMON BABY wrote:
> My requirement is to implement only the recursive resolve and validation
> part of the DNSSEC in my client application. Our CPU and memory are very
> limited. So I am not sure I can go and use BIND 9.

But why do you need your application to contain a recursive resolver?

I can understand why you'd want a built-in validator, but you don't need
to do full recursive resolution for that; you can send queries to an
external resolver and then validate the responses.

> With BIND 9, can I integrate the library in my application to send queries
> and validate the answer in my client code itself? Can you please point to
> any sample code?

If you're content to do as I suggested above - send queries to an external
resolver, validate the responses - then see the command 'delv' in the
BIND 9 source tree; it does that.

Implementing a full resolver with a library is possible in BIND 9.12,
in which we spun off a lot of the name server code into a new libns
library.  I can't point you to any sample code other than named itself,
though.

Given what you said about limited CPU and memory, I can't really recommend
either solution. I'd probably just use dnsmasq and turn on its DNSSEC
validation option.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
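As an added illustration of the design Evan recommends (this is not code from the thread, from delv, or from BIND), the following Python shows the wire-level shape of a client that does no recursion itself: it sends an EDNS0 query with DO and CD set to an external resolver so that RRSIGs come back and the client, not the resolver, decides validity. Function names, the 4096-byte payload size and the `example.com` response are my own constructions; the RRSIG signature check itself is the step that would follow on the parsed records.

```python
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46   # IANA RR type codes

def encode_name(name):
    # Dotted name -> uncompressed wire-format labels.
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, txid, cd=True):
    """Query a self-validating stub sends to an external resolver: RD so the
    resolver recurses, CD so it returns data its own validation rejected,
    and an EDNS0 OPT record with DO so RRSIGs come back in the answer."""
    flags = 0x0100 | (0x0010 if cd else 0)            # RD, CD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT: root name, TYPE 41, CLASS = UDP size, TTL = rcode|ver|DO|Z, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)
    return header + question + opt

def _skip_name(msg, pos):
    while True:                        # advance past a (possibly compressed) name
        length = msg[pos]
        if length == 0:
            return pos + 1
        if (length & 0xC0) == 0xC0:    # 2-byte compression pointer ends the name
            return pos + 2
        pos += length + 1

def parse_response(msg):
    """Header flags plus per-type answer counts. AD is informational only:
    a client that validates itself checks the RRSIGs, not this flag."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos, counts = 12, {}
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4          # QTYPE + QCLASS
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10 + rdlen
        counts[rtype] = counts.get(rtype, 0) + 1
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "ad": bool(flags & 0x0020), "cd": bool(flags & 0x0010),
            "answers": counts}

def sample_response(txid):
    """Constructed response (not captured traffic): an A record plus an RRSIG
    with dummy RDATA, AD and CD set, answering build_query()."""
    flags = 0x8000 | 0x0100 | 0x0080 | 0x0020 | 0x0010  # QR RD RA AD CD
    header = struct.pack("!HHHHHH", txid, flags, 1, 2, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xc0\x0c"                          # points at the name at offset 12
    a_rr = ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
    sig_rr = ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, 8) + b"\x00" * 8
    return header + question + a_rr + sig_rr
```

Sending `build_query(...)` over UDP to a resolver and feeding the reply to `parse_response` is the only transport the client needs; with CD set, a resolver that failed validation still returns the records, so the client's own check is what protects it.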
