[getdns-api] DANE with dnssec_return_only_secure extension

Shumon Huque shuque at gmail.com
Tue Jul 1 07:24:40 MST 2014

On Tue, Jul 1, 2014 at 10:14 AM, Willem Toorop <willem at nlnetlabs.nl> wrote:

> op 01-07-14 15:34, Paul Hoffman schreef:
> > The API got a positive response: it simply didn't pass validation. So,
> for bogus answers, dnssec_return_only_secure that gets at least one answer
> back should return GETDNS_RESPSTATUS_GOOD, even if they are all bogus. In
> the case that any of the answers are bogus, the replies_tree and
> replies_full are not filled in. Thus, if they are all bogus, both of those
> dicts are empty.
> >
> > An application that sees a good reply that is empty knows that it should
> proceed with normal PKIX validation.
> According to RFC6698 applications should *NOT* proceed normal PKIX
> validation on BOGUS answers.  That is why I am raising this issue in the
> first place!
> I quote second point of section 4.1:
>    o  If the DNSSEC validation state on the response to the request for
>       the TLSA RRSet is bogus, this MUST cause TLS not to be started or,
>       if the TLS negotiation is already in progress, MUST cause the
>       connection to be aborted.

Can't we use the "dnssec_status" component of the response dictionary (set
if the "dnssec_return_status" extension is specified) to examine this? I
assume it will have GETDNS_DNSSEC_BOGUS in this case.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.vpnc.org/pipermail/getdns-api/attachments/20140701/b6dd5da1/attachment-0001.html>

More information about the getdns-api mailing list