Libunbound validation

Hi Wouter,

I have a very simple code:

#include <string.h>
#include <stdio.h>
#include <unbound.h>
#include <ldns.h>

int main(int argc, char **argv) {

  struct ub_ctx *ctx;
  struct ub_result *r;

  ldns_pkt *pkt;

  ldns_rdf rdf;

  int x = 0;

  ctx = ub_ctx_create();
  ub_ctx_add_ta(ctx, ". IN DS 19036 8 2
49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5");
  ub_ctx_hosts(ctx, NULL);
  ub_ctx_resolvconf(ctx, NULL);

  ub_resolve(ctx, "www.rhybar.cz", LDNS_RR_TYPE_AAAA, LDNS_RR_CLASS_IN, &r);

  ldns_wire2pkt(&pkt, r->answer_packet, r->answer_len);

  printf("%s\n", ldns_pkt2str(pkt));

  ub_ctx_delete(ctx);

  return 0;
}

And it resolvers www.rhybar.cz (which it shouldn't) without any problems.

What I am doing wrong?

Ondrej

Hi Ondřej,

The r->bogus is true.
    if(r->bogus) printf("bogus: %s\n", r->why_bogus);
that shows you why it was bogus.

(as an aside, r->secure is true when it is signed. Unsigned domains are
not secure and not bogus ...)

Best regards,
   Wouter

Hi Ondřej,

The r->bogus is true.
if(r->bogus) printf("bogus: %s\n", r->why_bogus);
that shows you why it was bogus.

(as an aside, r->secure is true when it is signed. Unsigned domains are
not secure and not bogus ...)

Silly me. Just a side notice - libevent and libev doesn't play well
along. I glued evldns from Ray with libunbound and it stopped
segfaulting after I linked evldns with libev.

I'll add code handling secure and bogus and send it back to Ray for
inclusion in evldns. That way we could have a tiny validating resolver
on top of libunbound, which you can run if you want to have validation
on your computer and you don't want full featured unbound (I call it
stubound :)).

O.