[getdns-api] DANE with dnssec_return_only_secure extension
Shumon Huque
shuque at gmail.com
Tue Jul 1 16:24:40 CEST 2014
On Tue, Jul 1, 2014 at 10:14 AM, Willem Toorop <willem at nlnetlabs.nl> wrote:
> op 01-07-14 15:34, Paul Hoffman schreef:
> > The API got a positive response: it simply didn't pass validation. So,
> for bogus answers, dnssec_return_only_secure that gets at least one answer
> back should return GETDNS_RESPSTATUS_GOOD, even if they are all bogus. In
> the case that any of the answers are bogus, the replies_tree and
> replies_full are not filled in. Thus, if they are all bogus, both of those
> dicts are empty.
> >
> > An application that sees a good reply that is empty knows that it should
> proceed with normal PKIX validation.
>
> According to RFC6698 applications should *NOT* proceed normal PKIX
> validation on BOGUS answers. That is why I am raising this issue in the
> first place!
>
> I quote second point of section 4.1:
>
> o If the DNSSEC validation state on the response to the request for
> the TLSA RRSet is bogus, this MUST cause TLS not to be started or,
> if the TLS negotiation is already in progress, MUST cause the
> connection to be aborted.
>
>
Right.
Can't we use the "dnssec_status" component of the response dictionary (set
if the "dnssec_return_status" extension is specified) to examine this? I
assume it will have GETDNS_DNSSEC_BOGUS in this case.
--Shumon.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://getdnsapi.net/pipermail/spec/attachments/20140701/b6dd5da1/attachment.html>
More information about the spec
mailing list