DNSSEC Validation Support Added to Dnsruby 1.30
I’m very pleased to announce the release of dnsruby version 1.30 (RDoc available here). This version is a considerable advance in functionality over previous dnsruby releases. Although it is still possible to use dnsruby in just the same way as before (which proves useful for tool authors), it is now also capable of full DNSSEC validation, using either ISC’s DLV registry, IANA’s Trust Anchor Repository (ITAR), or any trust anchors it is configured with.
Clients can configure the validation policy (e.g. whether to try local trust anchors first, followed by ITAR, then DLV, or some other order) and whether to use recursion or a local resolver in the validation process, and can manage the store of trusted keys themselves. Dnsruby still offers the verify method to verify a Message or RRSet against a set of keys, but it also includes the validate method (called automatically by default), which kicks off a separate validation thread if validation is necessary. This thread follows the chain of trust from the closest trusted key and records the result in Dnsruby::Message#security_level. Exceptions are only raised if the SecurityLevel is BOGUS.
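To make the chain-of-trust walk and the security levels concrete, here is an added toy model written for this post; it is not dnsruby’s own code and does not use its API. Each zone signs its RRsets with an RSA key, the parent publishes a DS record (a SHA-256 digest of the child’s public key) signed with the parent’s key, and the validator starts at the closest configured trust anchor and walks delegations down to the queried name. The zone names, addresses, the `ToyDnssec` module and every class and method in it are constructed for the example; real RRSIG/DS encoding and NSEC proofs of unsigned delegations are deliberately left out.

```ruby
require 'openssl'
require 'digest'

# Toy model of DNSSEC chain-of-trust validation (constructed example, not dnsruby's code):
# a zone signs its RRsets with an RSA key, the parent publishes a DS (SHA-256 of the child's
# public key) signed with the parent key, and validation walks from the closest trusted key
# down to the queried name, yielding a level in the spirit of Message#security_level.
module ToyDnssec
  SECURE        = :secure        # every signature and DS digest on the chain checked out
  INSECURE      = :insecure      # reached an unsigned delegation (no DS in the parent)
  BOGUS         = :bogus         # a signature or digest check failed
  INDETERMINATE = :indeterminate # no configured trust anchor covers the name
  class BogusError < StandardError; end

  class Zone
    attr_reader :name, :key, :records, :ds
    def initialize(name)                 # apex such as "com." (the root is ".")
      @name = name
      @key = OpenSSL::PKey::RSA.new(2048)
      @records = {}                      # owner name => array of RDATA strings
      @ds = {}                           # child apex => DS digest; absent = unsigned delegation
    end
    def public_der; key.public_key.to_der; end
    def ds_digest; Digest::SHA256.hexdigest(public_der); end
    def self.canonical(owner, rdata); ([owner] + rdata.sort).join("\n"); end
    def sign(owner, rdata); key.sign(OpenSSL::Digest.new('SHA256'), Zone.canonical(owner, rdata)); end
  end

  # Stand-in for the network: serves answers, each carrying the zone's signature (the "RRSIG").
  class Network
    def initialize(zones); @zones = zones.map { |z| [z.name, z] }.to_h; @forged = {}; end
    def zone_names; @zones.keys; end
    def forge(owner, rdata); @forged[owner] = rdata; end   # tampered data, signature unchanged
    def answer(zone_name, owner)
      zone = @zones.fetch(zone_name)
      rdata = zone.records.fetch(owner)
      { rdata: @forged.fetch(owner, rdata), sig: zone.sign(owner, rdata) }
    end
    def ds_answer(parent_name, child_name)
      parent = @zones.fetch(parent_name)
      digest = parent.ds[child_name]
      return nil unless digest
      { digest: digest, sig: parent.sign("#{child_name}/DS", [digest]) }
    end
    def dnskey_answer(zone_name); { der: @zones.fetch(zone_name).public_der }; end
  end

  class Validator
    def initialize(network, trust_anchors)   # trust_anchors: zone apex => public key DER
      @net, @anchors = network, trust_anchors
    end

    # Zones enclosing owner, root first: "www.example.com." => [".", "com.", "example.com."]
    def zone_chain(owner)
      @net.zone_names.select { |z| z == '.' || owner == z || owner.end_with?(".#{z}") }
          .sort_by { |z| z.split('.').length }
    end

    def validate(owner)
      chain = zone_chain(owner)
      start = chain.rindex { |z| @anchors.key?(z) }   # closest trusted key
      return INDETERMINATE if start.nil?
      trusted_key = OpenSSL::PKey::RSA.new(@anchors[chain[start]])
      chain[(start + 1)..-1].each_with_index do |child, i|
        parent = chain[start + i]
        ds = @net.ds_answer(parent, child)
        return INSECURE if ds.nil?                  # nothing below an unsigned cut is provable
        verify!(trusted_key, "#{child}/DS", [ds[:digest]], ds[:sig])
        dnskey = @net.dnskey_answer(child)
        unless Digest::SHA256.hexdigest(dnskey[:der]) == ds[:digest]
          raise BogusError, "DNSKEY of #{child} does not match the DS in #{parent}"
        end
        trusted_key = OpenSSL::PKey::RSA.new(dnskey[:der])   # the child key is now trusted
      end
      ans = @net.answer(chain.last, owner)
      verify!(trusted_key, owner, ans[:rdata], ans[:sig])
      SECURE
    rescue BogusError
      BOGUS
    end

    # Same contract as the post describes: only a BOGUS result raises.
    def query(owner)
      level = validate(owner)
      raise BogusError, "#{owner}: validation result is BOGUS" if level == BOGUS
      [level, @net.answer(zone_chain(owner).last, owner)[:rdata]]
    end

    private
    def verify!(pubkey, owner, rdata, sig)
      return if pubkey.verify(OpenSSL::Digest.new('SHA256'), sig, Zone.canonical(owner, rdata))
      raise BogusError, "bad signature over #{owner}"
    end
  end

  # Constructed sample tree: root -> com. -> example.com. (signed); com. -> unsigned.com. (no DS)
  def self.build_demo
    root, com, example, unsigned = %w[. com. example.com. unsigned.com.].map { |n| Zone.new(n) }
    example.records['www.example.com.'] = ['A 192.0.2.1']
    unsigned.records['www.unsigned.com.'] = ['A 192.0.2.2']
    root.ds['com.'] = com.ds_digest
    com.ds['example.com.'] = example.ds_digest
    [Network.new([root, com, example, unsigned]), { '.' => root.public_der }]
  end
end
```

With `net, anchors = ToyDnssec.build_demo` and `v = ToyDnssec::Validator.new(net, anchors)`, `v.validate('www.example.com.')` is `:secure`, `v.validate('www.unsigned.com.')` is `:insecure` because com. publishes no DS for that child, a validator built with an empty anchor store answers `:indeterminate`, and after `net.forge('www.example.com.', [...])` the same name becomes `:bogus` and `v.query` raises. The point the model makes is the one from the text: trust is established per delegation from the nearest anchor downward, an unsigned cut ends the chain without error, and only a failed check is an exception.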
Dnsruby::Recursor now includes a static authority cache. This means that dnsruby can now be used to perform entirely recursive querying, which is especially useful if you don’t trust your local resolvers, or they don’t yet speak a correct dialect of DNSSEC.
Other improvements include dynamic management of configured nameservers: more responsive ones will be preferred over slower ones, and servers which don’t respond at all, or give broken responses, will be pushed to the back of the line. A cache has been added for received (and validated) Messages. It is possible to bypass this cache on a per-Message basis.
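As an added illustration of the nameserver ordering just described (written for this post, not dnsruby’s own implementation), the model below keeps a smoothed round-trip time and a consecutive-failure count per server and re-sorts the pool after each observation. The moving-average weight, the failures-first sort rule and the 192.0.2.x addresses are assumptions made for the example.

```ruby
# Constructed model of responsiveness-based nameserver ordering (not dnsruby's own code):
# healthy servers are ranked by smoothed RTT; any server that timed out or returned a
# broken response drops behind every healthy one until it answers correctly again.
class NameserverPool
  Entry = Struct.new(:address, :rtt, :failures)
  ALPHA = 0.3   # weight of the newest sample in the RTT moving average (assumed value)

  def initialize(addresses, initial_rtt: 0.05)
    @entries = addresses.map { |a| Entry.new(a, initial_rtt, 0) }
  end

  # A good answer: clear the failure count and fold the new RTT into the average.
  def record_success(address, rtt)
    e = find(address)
    e.failures = 0
    e.rtt = (1 - ALPHA) * e.rtt + ALPHA * rtt
  end

  # A timeout or a malformed response: one more strike against this server.
  def record_failure(address)
    find(address).failures += 1
  end

  # Query order: healthy servers fastest first, then failing servers by strike count.
  def ordered
    @entries.sort_by { |e| [e.failures, e.rtt] }.map(&:address)
  end

  private
  def find(address)
    @entries.find { |e| e.address == address } or raise ArgumentError, "unknown server #{address}"
  end
end
```

Feeding the pool two slow answers from the first server, one fast answer from the second and a failure from the third yields the order second, first, third; a single correct answer from the third server brings it back to the front if its RTT is the lowest.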
Support for EventMachine has been removed. I’ve had to rework dnsruby’s event system considerably in order to include validation support, and it was no longer feasible to maintain two IO loops. The native Ruby event loop in dnsruby has no known issues, and it is now the recommended (and only) option. It should still be possible to work dnsruby into EventMachine projects.
I plan to write another article soon, with more detail on how to achieve common DNS(SEC) tasks with dnsruby. In the meantime, please let me know if you have any issues using the latest version!

