Re: Using/validating DANE certs?
From: Demi Marie Obenour <demiobenour_at_gmail.com>
Date: Thu, 11 Sep 2025 04:56:07 -0400
On 9/11/25 04:47, Daniel Stenberg via curl-library wrote:
> On Mon, 8 Sep 2025, Timothe Litt via curl-library wrote:
>
>> Implementing DNSSEC validation in an application is discouraged in 3655.
>>
>> It's analogous to implementing TCP over UDP in the application because you
>> don't trust the kernel's TCP stack...
>
> I beg to differ. That's a completely different matter.
>
> If curl doesn't verify the responses itself, how can a user be *sure* the DANE
> cert they are going to use is the right one?
systemd-resolved provides a D-Bus API that validates DNSSEC
and explicitly states if the data was authenticated or not.
Windows and macOS might have similar APIs, though I am not
familiar enough with either platform to say.
Received on 2025-09-11
-- Sincerely, Demi Marie Obenour (she/her/hers)
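
Added example, not part of the original message and not curl or systemd code: a client of the systemd-resolved `ResolveRecord()` D-Bus call can gate DANE use on the `SD_RESOLVED_AUTHENTICATED` bit in the reply flags before parsing any TLSA record. The helper name `tlsa_from_reply`, the sample record, and the raw RR layout (uncompressed owner name, then TYPE, CLASS, TTL, RDLENGTH, RDATA) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Output flag of org.freedesktop.resolve1 ResolveRecord(): data was authenticated. */
#define SD_RESOLVED_AUTHENTICATED (UINT64_C(1) << 9)
#define DNS_TYPE_TLSA 52

struct tlsa { uint8_t usage, selector, mtype; const uint8_t *data; size_t len; };

/* Hypothetical helper: accept one raw RR only if the reply flags say the data was
 * authenticated. Returns 0 and fills *out on success, -1 otherwise. */
int tlsa_from_reply(uint64_t flags, const uint8_t *rr, size_t n, struct tlsa *out)
{
    size_t i = 0, rdlen;
    if (!(flags & SD_RESOLVED_AUTHENTICATED))
        return -1;                        /* not validated: do not use for DANE */
    while (i < n && rr[i] != 0) {         /* skip the owner name labels */
        if (rr[i] > 63) return -1;        /* assumption: name is not compressed */
        i += 1u + rr[i];
    }
    if (i >= n || n - i < 11) return -1;  /* root label + 10-byte fixed RR header */
    i++;
    if (((rr[i] << 8) | rr[i + 1]) != DNS_TYPE_TLSA) return -1;
    rdlen = ((size_t)rr[i + 8] << 8) | rr[i + 9];
    i += 10;
    if (rdlen != n - i || rdlen < 4) return -1;
    if (rr[i] > 3 || rr[i + 1] > 1 || rr[i + 2] > 2) return -1; /* RFC 6698 values */
    out->usage = rr[i]; out->selector = rr[i + 1]; out->mtype = rr[i + 2];
    out->data = rr + i + 3; out->len = rdlen - 3;
    if ((out->mtype == 1 && out->len != 32) || (out->mtype == 2 && out->len != 64))
        return -1;                        /* SHA-256 / SHA-512 digest length */
    return 0;
}

/* Constructed sample: TLSA RR for _443._tcp.example.com (3 1 1); the 32-byte
 * digest is left zero-filled as a placeholder. */
const uint8_t sample_rr[68] = {
    4,'_','4','4','3', 4,'_','t','c','p', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0,52, 0,1, 0,0,14,16, 0,35,   /* TYPE TLSA, CLASS IN, TTL 3600, RDLENGTH 35 */
    3,1,1                         /* DANE-EE, SPKI, SHA-256 */
};

int main(void)
{
    struct tlsa t;
    printf("authenticated: %d, unauthenticated: %d\n",
           tlsa_from_reply(SD_RESOLVED_AUTHENTICATED, sample_rr, sizeof sample_rr, &t),
           tlsa_from_reply(0, sample_rr, sizeof sample_rr, &t));
    return 0;
}
```

The flag reports what the local resolver concluded, so this check is only as trustworthy as the resolver and the D-Bus connection to it.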