

Re: libcurl and DANE support

From: Suresh Krishnaswamy <>
Date: Fri, 8 Mar 2013 12:58:38 -0500


On Mar 7, 2013, at 5:03 PM, Daniel Stenberg wrote:

> A. The check should check for the required libs properly using
> correct autoconf mechanisms. What's the reason you need to specify
> -lsres and -lpthread when you're "only" using the val-threads lib? For
> static linking?

The dnsval component is actually split into a set of two libraries - libval and libsres.
libval in turn can be built with or without thread support. When built with thread support (we attach the -threads suffix to the library name in that case) we also need pthread support. The change to was a quick way to get the HAVE_DNSVAL_DANE definition in place without diving too deep into the existing configure script structure. I agree that it would be better to have a more robust set of checks here.

> B. I would like a more generic placement of the DANE checks so that we can do
> it independently of what SSL backend we build libcurl to use.
> Is there anything speaking against it being functional when not using
> OpenSSL?

libval uses libcrypto internally for all its DNSSEC-related crypto checks, so currently the patch implicitly relies on OpenSSL for DANE support. Given the current dependency on OpenSSL I wasn't sure if there was a way to move the DANE checks in curl to a more generic location. That said, we are looking to add support for other crypto libraries in libval in the near future.

> C. I think we need options to control whether DANE should be checked at all,
> and possibly we should allow users to force DANE checks to be used (and
> fail if they fail).

Fully agree.

> D. val_getdaneinfo() seems like a blocking function call. Since it involves
> DNS and what not, that could potentially take a very long time. Is there
> any non-blocking alternative APIs or what can we do to avoid long blocks?
> Is there documentation somewhere for the lib?

The val_dane_submit() function provides the asynchronous lookup capability and there's sample code in the validator/apps directory of the dnsval package that illustrates its use. I've also put up a man page for the DANE-related functions at

A general description of the asynchronous lookup API is at, but I'll also try to create a manual page version for the async functions in a little bit.

> E. I can't download dnsval. I tried it from
> but I get a 403
> "Forbidden". (and I didn't find any debian package for it as a backup
> solution)

Sorry, permissions should be fixed now.


> F. There's some minor code style violations.

List admin:
Received on 2013-03-08
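The two things the thread leaves open in prose are what a DANE check actually compares (point D) and what the "off / opportunistic / required" control should do when records are missing, bogus, or present but non-matching (point C). The following is an added illustration of both in Python, not code from this thread, from libcurl or from dnsval: it implements the TLSA matching rules of RFC 6698 (usage, selector, matching type) for end-entity records and a small policy function on top. It assumes the caller has already obtained the peer's DER certificate and DER SubjectPublicKeyInfo from an X.509 library and a TLSA RRset together with its DNSSEC validation status (which is what a validating resolver such as libval would return); the certificate and SPKI bytes below are constructed placeholders, not a real certificate, and the policy names and the `dane_decision` helper are this example's own, not a libcurl option.

```python
"""DANE/TLSA matching (RFC 6698) plus a simple connection policy.

Added example, not code from the curl-library thread, libcurl or dnsval.
Assumes the caller already has the peer's DER certificate and DER SPKI
(from an X.509 library) and a TLSA RRset with a known DNSSEC status.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum


class DanePolicy(Enum):
    OFF = "off"                      # never consult TLSA, plain PKIX
    OPPORTUNISTIC = "opportunistic"  # use TLSA when securely present
    REQUIRED = "required"            # fail unless a validated TLSA matches


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate DER, 1 SubjectPublicKeyInfo DER
    matching: int   # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name of the TLSA RRset, e.g. _443._tcp.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}"


def _selected(record: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    if record.selector == 0:
        return cert_der
    if record.selector == 1:
        return spki_der
    raise ValueError(f"unknown selector {record.selector}")


def _digest(record: TLSA, data: bytes) -> bytes:
    if record.matching == 0:
        return data
    if record.matching == 1:
        return hashlib.sha256(data).digest()
    if record.matching == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {record.matching}")


def tlsa_matches_ee(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if an end-entity record (usage 1 or 3) matches this leaf cert.

    Trust-anchor usages (0, 2) need the whole chain, which is out of scope
    here, so they never match. Records with unknown parameters are ignored,
    as RFC 6698 section 4.1 requires, rather than treated as failures.
    """
    if record.usage not in (1, 3):
        return False
    try:
        return _digest(record, _selected(record, cert_der, spki_der)) == record.data
    except ValueError:
        return False


def dane_decision(policy: DanePolicy, rrset, dnssec_status: str,
                  cert_der: bytes, spki_der: bytes, pkix_ok: bool) -> tuple:
    """Return (accept, reason). dnssec_status is 'secure', 'insecure' or 'bogus'."""
    if policy is DanePolicy.OFF:
        return pkix_ok, "pkix only"
    if dnssec_status == "bogus":
        # A failed DNSSEC validation is an attack signal, not "no records".
        return False, "TLSA lookup returned bogus DNSSEC data"
    usable = [r for r in rrset if r.usage in (1, 3)] if dnssec_status == "secure" else []
    if not usable:
        if policy is DanePolicy.REQUIRED:
            return False, "no securely validated TLSA records"
        return pkix_ok, "pkix fallback, no usable TLSA records"
    for r in usable:
        if tlsa_matches_ee(r, cert_der, spki_der):
            if r.usage == 1 and not pkix_ok:
                return False, "PKIX-EE record matched but PKIX validation failed"
            return True, f"TLSA usage {r.usage} matched"
    return False, "validated TLSA records present but none matched the certificate"


# Constructed placeholders, NOT a real certificate or SPKI.
SAMPLE_CERT_DER = b"constructed-placeholder-certificate-der"
SAMPLE_SPKI_DER = b"constructed-placeholder-spki-der"
SAMPLE_TLSA = TLSA(3, 1, 1, hashlib.sha256(SAMPLE_SPKI_DER).digest())  # DANE-EE SPKI SHA-256


def demo() -> dict:
    """Exercise the policy modes against the constructed inputs."""
    return {
        "name": tlsa_owner_name("example.com", 443),
        "required_match": dane_decision(DanePolicy.REQUIRED, [SAMPLE_TLSA], "secure",
                                        SAMPLE_CERT_DER, SAMPLE_SPKI_DER, pkix_ok=False)[0],
        "required_no_records": dane_decision(DanePolicy.REQUIRED, [], "insecure",
                                             SAMPLE_CERT_DER, SAMPLE_SPKI_DER, pkix_ok=True)[0],
        "opportunistic_fallback": dane_decision(DanePolicy.OPPORTUNISTIC, [], "insecure",
                                                SAMPLE_CERT_DER, SAMPLE_SPKI_DER, pkix_ok=True)[0],
        "opportunistic_bogus": dane_decision(DanePolicy.OPPORTUNISTIC, [SAMPLE_TLSA], "bogus",
                                             SAMPLE_CERT_DER, SAMPLE_SPKI_DER, pkix_ok=True)[0],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The policy function deliberately distinguishes "insecure" (no DNSSEC, so fall back to PKIX in opportunistic mode) from "bogus" (validation failed, so refuse even in opportunistic mode); collapsing the two into "no records" is the classic way an opportunistic DANE client gets downgraded. A DANE-EE match (usage 3) is accepted without PKIX, while a PKIX-EE match (usage 1) still requires the normal chain validation to have passed.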