Re: Using/validating DANE certs?
From: Ali Mohammad Pur via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 11 Sep 2025 17:13:02 +0200
IMO it's "fine" to give curl the ability to validate DNSSEC standalone; we should just make sure the user can use their trusted DNSSEC-enabled stub/recursive (if they have one) without having curl re-validate everything.
I expect this will be the mode used by most people anyhow.
The main issue with validating DNSSEC within curl would be the latency as we won't have a cache of already-validated records across invocations; otherwise I don't see anything wrong with having curl spin up its own trusted stub via e.g. unbound.
-- Cheers, ~Ali Mohammad Pur
Received on 2025-09-11