Re: Using/validating DANE certs?
From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Mon, 1 Sep 2025 15:53:41 +0200 (CEST)
On Mon, 1 Sep 2025, Ali Mohammad Pur Fard via curl-library wrote:
Thanks for your interest and willingness to help improve curl!
> Since DANE/TLSA has become much more common as a replacement for PKI
This is surprising to me. What data are you basing this statement on and what
PKI do you speak of here? The popular browsers don't support DANE, so
deploying it for the web seems like a lot of work for a rather small audience.
> In particular, I'm mostly interested in having libcurl expose a way for
> users to provide (or request the use of) a set of TLSA records, or somehow
> communicate that DANE should be used for the connection (as I'm trying to
> have DANE be a native alternative to PKI in Ladybird[1]). The request side
> of this is reasonably straightforward with openssl, at least.
We added "Support DANE" to the TODO document already in August 2012. I think
it would be cool to get support in and I know there is at least some interest
"out there".
We once had an attempt and I recall that we then had some challenges on
getting the DNSSEC stuff done correctly with all the keys etc. to verify
that the records we get are legitimate for the domain.
> I do have a patchset[2] that implements this as a proof of concept
Maybe you can start easy by explaining the libcurl API you have envisioned for
this, and what actions it would trigger?
It looks like you use c-ares for the DNS record fiddling, right?
-- / daniel.haxx.se || https://rock-solid.curl.dev
Received on 2025-09-01
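Daniel's point is that the TLSA records must first be shown legitimate (DNSSEC); the other half of "validating DANE certs" is matching a record against the certificate the server presents. The example below is added here and is neither curl code nor part of the patchset: it implements the RFC 6698 selector/matching-type check in Python, with a hand-rolled DER walker to pull out the SubjectPublicKeyInfo, and runs it over a constructed, unsigned sample certificate (all names and the sample are the example's own).

```python
import hashlib, hmac
SEL_FULL_CERT, SEL_SPKI, MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 0, 1, 2  # RFC 6698 codes

def der(tag, body):
    """Encode one DER TLV; used here only to build the constructed sample cert."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_tlv(data, off=0):
    """Decode the DER TLV at off -> (tag, value, end offset); definite lengths only."""
    tag, length, off = data[off], data[off + 1], off + 2
    if length & 0x80:                                # long form: next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(data[off:off + n], "big"), off + n
    return tag, data[off:off + length], off + length

def extract_spki(cert_der):
    """Return the SubjectPublicKeyInfo TLV of an X.509 cert (RFC 5280 field order)."""
    tbs = der_tlv(der_tlv(cert_der)[1])[1]          # Certificate -> tbsCertificate body
    off = der_tlv(tbs)[2] if tbs[0] == 0xA0 else 0   # skip optional explicit [0] version
    for _ in range(5):                               # serial, sigAlg, issuer, validity, subject
        off = der_tlv(tbs, off)[2]
    return tbs[off:der_tlv(tbs, off)[2]]             # whole SPKI TLV, exactly what DANE hashes

def tlsa_assoc_data(cert_der, selector, matching_type):
    """Certificate Association Data a TLSA record would carry for cert_der, or None."""
    if selector == SEL_FULL_CERT:
        subject = cert_der
    elif selector == SEL_SPKI:
        subject = extract_spki(cert_der)
    else:
        return None                                  # unknown selector
    hasher = {MATCH_SHA256: hashlib.sha256, MATCH_SHA512: hashlib.sha512}.get(matching_type)
    if matching_type == MATCH_EXACT:
        return subject
    return hasher(subject).digest() if hasher else None

def tlsa_matches(cert_der, selector, matching_type, assoc_data):
    """True if cert_der satisfies the record; unknown selector/matching type never matches."""
    expected = tlsa_assoc_data(cert_der, selector, matching_type)
    return expected is not None and hmac.compare_digest(expected, assoc_data)
# Constructed sample: structurally valid, unsigned v3 cert with a dummy 16-byte key blob.
_NAME, _ALG = der(0x30, b""), der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
SAMPLE_SPKI = der(0x30, _ALG + der(0x03, b"\x00" + bytes(range(16))))
_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + _ALG + _NAME
           + der(0x30, der(0x17, b"250101000000Z") * 2) + _NAME + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, _TBS + _ALG + der(0x03, b"\x00" + bytes(8)))
```

A match here means nothing unless the TLSA RRset came back DNSSEC-validated (the part Daniel describes as the hard bit), and the record's usage field still decides whether ordinary PKIX chain validation is required on top of the match.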