On 31/03/2014 13:42, Robert Bradley wrote:
> There is a val_getaddrinfo() available in libval which is based on
> http://tools.ietf.org/html/draft-hayatnagarkar-dnsext-validator-api-09#section-3.2
> if we want to go down that route.
> The validation in that case is done entirely outside dnsmasq (with the
> CD bit set on the libval queries). We have libval available already but
> not installed, so that is not a problem. Implementing this in BusyBox
> and sysntpd may be a bit of an issue though.

I have a *very* rough implementation of this at https://github.com/rb12345/busybox (ntpd-dnssec branch), based on busybox HEAD. However, this is completely untested at this point.

This patch requires the libval and libsres libraries to operate and introduces a new ENABLE_FEATURE_DNSSEC flag/config option. When enabled, the internal str2sockaddr/val_str2sockaddr function will always validate DNSSEC signatures using the libval library.

The nice thing about this is that if it works, upstream ISP support for DNSSEC is unnecessary since all the queries and responses are performed locally. The downside is that everything in busybox that uses str2sockaddr is now forced to do recursive DNSSEC lookups.

-- 
Robert Bradley