library: dnssec validation (module, APIs, prep)
Idea
wip
Steps
- Fetch/store RRSIGs in the record cache
  - Put this in cache unit test
- Obstacle 1
  - Make a generic crypto API for signature verification
  - Look at different crypto backends and assess them (CC @jvcelak)
  - Select a crypto backend and implement verification for it
  - Make a unit test for mock signature verification
- Validate RRSIGs in packet (if required)
  - Start playing with the tests/testdata/test_notimpl DNSSEC tests
- Validate trust chain
  - Obstacle 2
  - Process DS records
  - RFC5011 for root trust anchor management
- Integration tests should pass now
^ fixme @kslany