Hello Evan,

Thank you so much for answering my questions. My comments are inline.

> But why do you need your application to contain a recursive resolver?

1. Assume I use an external recursive resolver and that resolver does not support DNSSEC; how can I validate the signature?
2. If I use an external resolver and a hacker sits in between my system and the external resolver, will it detect?
3. When the external resolver resolves a query and responds back to the client, will it strip off the signatures? I assume the validation is already done at the recursive resolver.
4. Can I integrate the dnsmasq option with my client application? Any reference?

Thanks once again for your help and time.

Rgds
Simon

On Tue, Feb 13, 2018 at 1:11 PM, Evan Hunt <e...@isc.org> wrote:

> On Tue, Feb 13, 2018 at 12:42:26PM -0800, SIMON BABY wrote:
> > My requirement is to implement only the recursive resolve and validation
> > part of the DNSSEC in my client application. Our CPU and memory are very
> > limited. So I am not sure I can go and use BIND 9.
>
> But why do you need your application to contain a recursive resolver?
>
> I can understand why you'd want a built-in validator, but you don't need
> to do full recursive resolution for that; you can send queries to an
> external resolver and then validate the responses.
>
> > With BIND 9, can I integrate the library in my application to send queries
> > and validate the answer in my client code itself. Can you please point if
> > any sample code.
>
> If you're content to do as I suggested above - send queries to an external
> resolver, validate the responses - then see the command 'delv' in the
> BIND 9 source tree; it does that.
>
> Implementing a full resolver with a library is possible in BIND 9.12,
> in which we spun off a lot of the name server code into a new libns
> library. I can't point you to any sample code other than named itself,
> though.
>
> Given what you said about limited CPU and memory, I can't really recommend
> either solution. I'd probably just use dnsmasq and turn on its DNSSEC
> validation option.
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.