[getdns-api] DANE with dnssec_return_only_secure extension

Willem Toorop willem at nlnetlabs.nl
Tue Jul 1 07:14:41 MST 2014

op 01-07-14 15:34, Paul Hoffman schreef:
> The API got a positive response: it simply didn't pass validation. So, for bogus answers, dnssec_return_only_secure that gets at least one answer back should return GETDNS_RESPSTATUS_GOOD, even if they are all bogus. In the case that any of the answers are bogus, the replies_tree and replies_full are not filled in. Thus, if they are all bogus, both of those dicts are empty.
> An application that sees a good reply that is empty knows that it should proceed with normal PKIX validation.

According to RFC6698 applications should *NOT* proceed normal PKIX
validation on BOGUS answers.  That is why I am raising this issue in the
first place!

I quote second point of section 4.1:

   o  If the DNSSEC validation state on the response to the request for
      the TLSA RRSet is bogus, this MUST cause TLS not to be started or,
      if the TLS negotiation is already in progress, MUST cause the
      connection to be aborted.

More information about the getdns-api mailing list