[gnutls-devel] [patch] DANE_F_IGNORE_DNSSEC

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Oct 23 18:47:49 CEST 2013

On 10/23/2013 12:09 PM, Christian Grothoff wrote:
> Hi!
> With the new dane_raw_tlsa and dane_verify_crt_raw APIs, it is now
> possible to
> validate a certificate chain against DANE/TLSA data that was not fetched by
> libunbound.  However, even though DNSSEC might not have been used to
> obtain the
> DANE/TLSA data, GnuTLS currently always attempts to load the DNSSEC root key
> and if that fails the DANE/TLSA validation is not possible --- even though
> DNSSEC itself is not triggered by dane_raw_tlsa/dane_verify_crt_raw.
> The attached patch adds an option DANE_F_IGNORE_DNSSEC which can be used to
> disable loading of the DNSSEC root key.  Naturally, if the option is not
> explicitly set, everything stays as it was (so the change is
> backwards-compatible).

Applied. Thank you.

More information about the Gnutls-devel mailing list