[gnutls-devel] [patch] DANE_F_IGNORE_DNSSEC
Nikos Mavrogiannopoulos
nmav at gnutls.org
Wed Oct 23 18:47:49 CEST 2013
On 10/23/2013 12:09 PM, Christian Grothoff wrote:
> Hi!
>
> With the new dane_raw_tlsa and dane_verify_crt_raw APIs, it is now possible to
> validate a certificate chain against DANE/TLSA data that was not fetched by
> libunbound. However, even though DNSSEC might not have been used to obtain the
> DANE/TLSA data, GnuTLS currently always attempts to load the DNSSEC root key,
> and if that fails the DANE/TLSA validation is not possible --- even though
> DNSSEC itself is not triggered by dane_raw_tlsa/dane_verify_crt_raw.
>
> The attached patch adds an option DANE_F_IGNORE_DNSSEC which can be used to
> disable loading of the DNSSEC root key. Naturally, if the option is not
> explicitly set, everything stays as it was (so the change is
> backwards-compatible).
Applied. Thank you.