[gnutls-devel] [patch] DANE_F_IGNORE_DNSSEC

Christian Grothoff christian at grothoff.org
Wed Oct 23 12:09:40 CEST 2013


Hi!

With the new dane_raw_tlsa and dane_verify_crt_raw APIs, it is now possible to
validate a certificate chain against DANE/TLSA data that was not fetched by
libunbound.  However, even though DNSSEC might not have been used to obtain the
DANE/TLSA data, GnuTLS currently always attempts to load the DNSSEC root key
and if that fails the DANE/TLSA validation is not possible --- even though
DNSSEC itself is not triggered by dane_raw_tlsa/dane_verify_crt_raw.

The attached patch adds an option DANE_F_IGNORE_DNSSEC which can be used to
disable loading of the DNSSEC root key.  Naturally, if the option is not
explicitly set, everything stays as it was (so the change is
backwards-compatible).


Happy hacking!

Christian
Attachment: 0001-Adding-option-DANE_F_IGNORE_DNSSEC-to-disable-loadin.patch (text/x-patch, 2482 bytes)
