DNS resolver libraries with support for DNSSEC and/or experimental new RR types

Question

What's the state of the art in DNS resolver libraries? I am particularly interested in full (not stub) resolvers that support any or all of: making multiple queries in one request packet, complete DNSSEC validation, returning detailed information about DNSSEC validation to the application, and can handle experimental new RRs without much hacking. Async queries are nice but not required.

Preferred implementation languages would be C, C++, Python, or Javascript, but I'll look at anything (I'd really rather not know about your DNS resolver in INTERCAL, though ;-) A pure-JS implementation that could run in a browser with WebSockets support would be extra awesome.

Answer 1

The DNSSEC-Tools project has a libval C library (and a corresponding perl binding) that supports multi-threaded DNSSEC enabled lookups using their API. It is distributed on many linux platforms and works on most other platforms as well.

(in fact, I'm typing this response in a version of firefox that was linked against the library to provide DNSSEC protection for Firefox).

You can't ask two questions in a single packet though. Everyone else is right about that...

Answer 2

The best library I know of (and it includes DNSSEC validation) is libunbound which is part of the Unbound distribution.

Note that the DNS protocol itself does not support your first requirement (multiple queries in one packet). The best you can do is use TCP and then issue multiple sequential queries over one socket.