DNSSEC validation

Evan Hunt each at isc.org
Tue Feb 13 21:11:00 UTC 2018

On Tue, Feb 13, 2018 at 12:42:26PM -0800, SIMON BABY wrote:
> My requirement is to implement only the recursive resolve and validation
> part of the DNSSEC in my client application. Our CPU and memory are very
> limited. So I am not sure I can go and use BIND 9.

But why do you need your application to contain a recursive resolver?

I can understand why you'd want a built-in validator, but you don't need
to do full recursive resolution for that; you can send queries to an
external resolver and then validate the responses.

> With BIND 9, can I integrate the library in my application to send queries
> and validate the answer in my client code itself. Can you please point if
> any sample code.

If you're content to do as I suggested above - send queries to an external
resolver, validate the responses - then see the command 'delv' in the
BIND 9 source tree; it does that.

Implementing a full resolver with a library is possible in BIND 9.12,
in which we spun off a lot of the name server code into a new libns
library.  I can't point you to any sample code other than named itself,

Given what you said about limited CPU and memory, I can't really recommand
either solution. I'd probably just use dnsmasq and turn on its DNSSEC
validation option.

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the bind-users mailing list