[gnutls-help] DANE caching with dane_state_t
nmav at gnutls.org
Tue Apr 26 09:21:32 CEST 2016
On Mon, Apr 25, 2016 at 1:26 PM, Rick van Rein <rick at openfortress.nl> wrote:
> I am not certain how to use dane_state_t. I found
> Note that the dane_state_t structure that is accepted by
> both verification functions is optional. It is required
> when many queries are performed to facilitate caching. The
> following flags are returned by the verify functions to
> indicate the status of the verification.
> I assume it is not really "required" under this vague ("many queries")
Indeed. The text is too vague.
"Note that the dane_state_t structure that is accepted by both
verification functions is optional. It is required when many queries
are performed to optimize against multiple re-initializations of the
resolving back-end and loading of DNSSEC keys."
Is that more clear?
> I would however like to use caching. Should I
> [A] use a separate dane_state_t on each query, with its own
> dane_state_init() and dane_state_deinit() around it, or
> [B] share one setup by dane_state_init() when initialising my
> program and one dane_state_deinit() when tearing it up?
The intention is to be able to re-use the state for multiple resolvings.