[getdns-api] DANE with dnssec_return_only_secure extension

Willem Toorop willem at nlnetlabs.nl
Tue Jul 1 07:33:15 MST 2014

op 01-07-14 16:24, Shumon Huque schreef:
> Right.
> Can't we use the "dnssec_status" component of the response dictionary
> (set if the "dnssec_return_status" extension is specified) to examine
> this? I assume it will have GETDNS_DNSSEC_BOGUS in this case.

It doesn't have that because the dnssec_return_status does validation
and will not include BOGUS answers.  You have to also enable
dnssec_return_validation_chain to include BOGUS packets too.

More information about the getdns-api mailing list