[Openswan dev] [ldns-users] function call backs in ldns_resolver_send*?

Paul Wouters paul at xelerance.com
Tue Dec 14 09:56:27 EST 2010


On Tue, 14 Dec 2010, Miek Gieben wrote:

[somewhat stealing this thread, apologies]

> How hard would it be to extend the ldns library with 2 new functions
> that support callbacks? So to make asynchronous sending of queries
> possible?
>
> I was thinking about the following prototypes:
>
> ldns_resolver_send_callback(cb_func, ldns_resolver *r, const
>        ldns_rdf *name, ldns_rr_type t, ldns_rr_class c, uint16_t flags);
> ldns_resolver_send_pkt_callback(cb_func, ldns_resolver *r, ldns_pkt *query_pkt);
>
> The cb_func prototype should be able to fill a ldns_pkt struct, so it
> might be:
> ldns_status cb_func(ldns_pkt *k)
>
> I have never dealt with callback functions, so I don't know if this is
> a viable proposal and how it impacts the rest of the ldns design.

This reminds me of a design decision we have to make (but postponed). That is
to add better DNSSEC support to Openswan. It currently supports the bind lwres{}
interface, which requires running a local bind. It does not yet support/use the
AD bit.

The question is, where should the DNSSEC code be and where should the cache be?
Assuming something like the above is added, we have the following choices:

1) dnssec resolver using a more generic query to localhost from openswan

2) using stubunbound or similar, and move the resolver/cache into openswan

3) using ldns with callbacks (no cache?)

Currently, openswan accepts host keys from DNS even if no DNSSEC is present. This
will be changed to require DNSSEC, meaning we need to have some confidence that
we obtained this data securely, including the currently "undetectable last mile".

With Opportunistic Encryption enabled, there could be quite some caching overlap
with other applications (eg firefox) doing something similar by validating data in
the same zone with the same DNSKEYs, for instance when firefox would support the
new DANE draft: https://datatracker.ietf.org/doc/draft-ietf-dane-protocol/?include_text=1

Though hooking up libunbound would protect us from weird system resolver settings
and insecurities. But apps like Openswan and Firefox would be doing a lot of repeat
work.

Advice? Thoughts?

In general, to get back a little to Miek's question: do you really want callbacks
with ldns, or would you be better off using ldns indirectly via libunbound or friends?

Paul
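The "undetectable last mile" point above is the crux of option 1 versus option 2: when the validation happens in a separate resolver, all the application sees is the AD bit in the response header, and that bit is only worth anything if the path to the validator is trusted (a validator on localhost or in-process; with libunbound the application instead reads the secure/bogus fields of the result). The following is an added example, not Openswan or ldns code, showing the minimal check an application in Openswan's position would apply before accepting a host key from DNS: decode the header flags from wire format and accept only a complete, successful, AD-flagged answer that arrived over a trusted path. The packets are constructed 12-byte headers for illustration; the policy and function names are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Header fields of a DNS message (RFC 1035), plus the AD/CD bits (RFC 4035)
 * that a stub learns about DNSSEC status when a separate resolver validates. */
struct dns_hdr {
    uint16_t id;
    int qr, tc, ra, ad, cd;
    int rcode;
    uint16_t qdcount, ancount;
};

/* Outcome of the acceptance policy; anything but DNS_ACCEPT means the data
 * must not be used as a host key. */
enum dns_trust {
    DNS_ACCEPT = 0,
    DNS_REJECT_SHORT,          /* fewer than 12 bytes: no header at all     */
    DNS_REJECT_NOT_RESPONSE,   /* QR bit clear                               */
    DNS_REJECT_TRUNCATED,      /* TC set: retry over TCP, do not trust this  */
    DNS_REJECT_RCODE,          /* SERVFAIL, NXDOMAIN, ...                    */
    DNS_REJECT_NO_DATA,        /* no answer records                          */
    DNS_REJECT_NOT_VALIDATED,  /* AD bit clear: resolver did not validate    */
    DNS_REJECT_UNTRUSTED_PATH  /* AD set, but it crossed an untrusted hop    */
};

/* Decode the fixed 12-byte header. Returns -1 if the buffer is too short. */
int dns_parse_header(const uint8_t *msg, size_t len, struct dns_hdr *h)
{
    if (msg == NULL || h == NULL || len < 12)
        return -1;
    memset(h, 0, sizeof *h);
    h->id      = (uint16_t)((msg[0] << 8) | msg[1]);
    h->qr      = (msg[2] & 0x80) != 0;   /* byte 2: QR Opcode(4) AA TC RD */
    h->tc      = (msg[2] & 0x02) != 0;
    h->ra      = (msg[3] & 0x80) != 0;   /* byte 3: RA Z AD CD RCODE(4)   */
    h->ad      = (msg[3] & 0x20) != 0;
    h->cd      = (msg[3] & 0x10) != 0;
    h->rcode   = msg[3] & 0x0f;
    h->qdcount = (uint16_t)((msg[4] << 8) | msg[5]);
    h->ancount = (uint16_t)((msg[6] << 8) | msg[7]);
    return 0;
}

/* Policy: only a successful, untruncated, AD-flagged answer is eligible, and
 * even then only if the AD bit is believable. path_trusted is the caller's
 * statement that the validator sits on localhost or in-process; over any
 * other path AD is an unauthenticated bit that an on-path attacker can set. */
enum dns_trust dns_accept_validated(const uint8_t *msg, size_t len, int path_trusted)
{
    struct dns_hdr h;
    if (dns_parse_header(msg, len, &h) < 0) return DNS_REJECT_SHORT;
    if (!h.qr)                             return DNS_REJECT_NOT_RESPONSE;
    if (h.tc)                              return DNS_REJECT_TRUNCATED;
    if (h.rcode != 0)                      return DNS_REJECT_RCODE;
    if (h.ancount == 0)                    return DNS_REJECT_NO_DATA;
    if (!h.ad)                             return DNS_REJECT_NOT_VALIDATED;
    if (!path_trusted)                     return DNS_REJECT_UNTRUSTED_PATH;
    return DNS_ACCEPT;
}

/* Constructed sample headers (bodies omitted; only the header is inspected). */
static const uint8_t PKT_VALIDATED[12]   = {0x12,0x34, 0x81,0xa0, 0,1, 0,1, 0,0, 0,0}; /* QR RD RA AD, 1 answer */
static const uint8_t PKT_UNVALIDATED[12] = {0x12,0x35, 0x81,0x80, 0,1, 0,1, 0,0, 0,0}; /* same, AD clear        */
static const uint8_t PKT_SERVFAIL[12]    = {0x12,0x36, 0x81,0x82, 0,1, 0,0, 0,0, 0,0}; /* RCODE 2, no answers   */
static const uint8_t PKT_TRUNCATED[12]   = {0x12,0x37, 0x83,0xa0, 0,1, 0,1, 0,0, 0,0}; /* TC set, AD set        */

static const char *trust_name(enum dns_trust t)
{
    static const char *names[] = {
        "ACCEPT", "REJECT_SHORT", "REJECT_NOT_RESPONSE", "REJECT_TRUNCATED",
        "REJECT_RCODE", "REJECT_NO_DATA", "REJECT_NOT_VALIDATED", "REJECT_UNTRUSTED_PATH"
    };
    return names[t];
}

int main(void)
{
    printf("validated, local validator : %s\n", trust_name(dns_accept_validated(PKT_VALIDATED,   12, 1)));
    printf("validated, remote resolver : %s\n", trust_name(dns_accept_validated(PKT_VALIDATED,   12, 0)));
    printf("AD clear                   : %s\n", trust_name(dns_accept_validated(PKT_UNVALIDATED, 12, 1)));
    printf("SERVFAIL                   : %s\n", trust_name(dns_accept_validated(PKT_SERVFAIL,    12, 1)));
    printf("truncated                  : %s\n", trust_name(dns_accept_validated(PKT_TRUNCATED,   12, 1)));
    return 0;
}
```

The point the second line of output makes is the one from the message: the identical validated answer is rejected when it arrives from a resolver on an untrusted path, because nothing in the packet proves who set AD. Moving validation in-process (option 2) removes that dependency at the cost of the duplicated cache work described above.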

