Re: Using/validating DANE certs?

From: Daniel Stenberg via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 11 Sep 2025 10:47:45 +0200 (CEST)

On Mon, 8 Sep 2025, Timothe Litt via curl-library wrote:

> Implementing DNSSEC validation in an application is discouraged in 3655.
>
> It's analogous to implementing TCP over UDP in the application because you
> don't trust the kernel's TCP stack...

I beg to differ. That's a completely different matter.

If curl doesn't verify the responses itself, how can a user be *sure* the DANE
cert they are going to use is the right one?

-- 
  / daniel.haxx.se || https://rock-solid.curl.dev
Received on 2025-09-11