[getdns-api] DANE with dnssec_return_only_secure extension

Shumon Huque shuque at gmail.com
Tue Jul 1 07:49:24 MST 2014


On Tue, Jul 1, 2014 at 10:33 AM, Willem Toorop <willem at nlnetlabs.nl> wrote:

> op 01-07-14 16:24, Shumon Huque schreef:
> > Right.
> >
> > Can't we use the "dnssec_status" component of the response dictionary
> > (set if the "dnssec_return_status" extension is specified) to examine
> > this? I assume it will have GETDNS_DNSSEC_BOGUS in this case.
>
> It doesn't have that because the dnssec_return_status does validation
> and will not include BOGUS answers.  You have to also enable
> dnssec_return_validation_chain to include BOGUS packets too.
>

Ah, got it. I agree that we probably don't want application developers to
trudge through the validation chain to get this indication, so I think a
simpler way is needed to distinguish the bogus answer case. Your suggestion
of a GETDNS_RESPSTATUS_BOGUS sounds reasonable to me. This seems easier
than inferring it from (Paul's suggestion of) a combination of a positive
status code and an empty response dict component. As for the RESPSTATUS
list not containing DNSSEC specific responses, it already has one, right?
(GETDNS_RESPSTATUS_NO_SECURE_ANSWERS)

--Shumon.
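The distinction discussed above (a bogus TLSA answer filtered away under dnssec_return_status versus a reply carrying GETDNS_DNSSEC_BOGUS when the validation chain is requested), shown as added example code that is not from this thread or the getdns project. It works on plain dicts shaped like a getdns response dictionary; the numeric constant values are assumed to match getdns.h, and the sample responses are constructed.

```python
"""Fail-closed interpretation of a getdns DANE (TLSA) lookup result."""

# Assumed to match the values in getdns.h
GETDNS_RESPSTATUS_GOOD = 900
GETDNS_RESPSTATUS_NO_SECURE_ANSWERS = 903
GETDNS_DNSSEC_SECURE = 400
GETDNS_DNSSEC_BOGUS = 401
GETDNS_RRTYPE_TLSA = 52


def tlsa_verdict(response):
    """Classify a response dict as one of:
    ("usable", [tlsa rdata...]), ("bogus", []), ("unsigned", []),
    ("absent", []) or ("ambiguous", []).

    With dnssec_return_status alone a bogus answer is dropped, so the caller
    only sees status GOOD plus an empty replies_tree (indistinguishable from
    a genuinely empty secure answer: the "ambiguous" case).  When the
    validation chain is requested the bogus reply is kept and marked
    GETDNS_DNSSEC_BOGUS, which DANE code must treat as a hard failure.
    """
    status = response.get("status")
    if status == GETDNS_RESPSTATUS_NO_SECURE_ANSWERS:
        return "unsigned", []           # dnssec_return_only_secure found nothing
    if status != GETDNS_RESPSTATUS_GOOD:
        return "absent", []
    records = []
    for reply in response.get("replies_tree", []):
        dnssec = reply.get("dnssec_status")
        if dnssec == GETDNS_DNSSEC_BOGUS:
            return "bogus", []          # never fall back to PKIX-only trust here
        if dnssec != GETDNS_DNSSEC_SECURE:
            continue                    # ignore insecure/indeterminate replies
        for rr in reply.get("answer", []):
            if rr.get("type") == GETDNS_RRTYPE_TLSA:
                records.append(rr["rdata"])
    return ("usable", records) if records else ("ambiguous", [])


# Constructed sample responses (not captured from a real resolver)
SECURE = {"status": 900, "replies_tree": [{"dnssec_status": 400, "answer": [
    {"type": 52, "rdata": {"certificate_usage": 3, "selector": 1}}]}]}
BOGUS = {"status": 900, "replies_tree": [{"dnssec_status": 401, "answer": [
    {"type": 52, "rdata": {"certificate_usage": 3, "selector": 1}}]}]}
FILTERED = {"status": 900, "replies_tree": []}   # bogus dropped by validation

if __name__ == "__main__":
    for name, resp in (("secure", SECURE), ("bogus", BOGUS), ("filtered", FILTERED)):
        print(name, tlsa_verdict(resp))
```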