Re: Using/validating DANE certs?
From: Ali Mohammad Pur via curl-library <curl-library_at_lists.haxx.se>
Date: Thu, 25 Sep 2025 14:32:25 +0200
Hey everyone!
I've put together a (basic) implementation of what I think DANE support
should look like [1]. For simplicity, here's the "general" set of
requirements I gathered from this thread:
- DANE validation itself (`--dane`)
- An upstream resolver that may or may not be trusted
(`--{trusted-}upstream-dns`)
- If the upstream is not trusted, curl should be able to do its own
DNSSEC validation (via unbound here, since I'm more familiar with that)
- Library user should be able to just hand curl the records, if it
trusts the validity (my requirement, `CURLOPT_ADD_DNS_RR`)
It should be reasonably easy to build; I've been using the following to
test it:
- should fail validation, excellent test suite in general [2]:
    curl -vv --dane --upstream-dns 8.8.8.8 https://badhash.dane.huque.com/
- should pass, my personal web page:
    curl -vv --dane https://cxbyte.me --add-dns-rr \
      AACBoAABAAIAAAABBmN4Ynl0ZQJtZQAAAQABwAwAAQABAAABGAAEkjtcrcAMAC4AAQAAARgAXQABDQIAAAEsaMmYTmjG2S6GyQZjeGJ5dGUCbWUA88TCNXPd4zVdaAVXfPTQelw1WHeLkH92ZUcrEUoR2Zm2kqxgg9MRtSrI+b0YuqWwfpts3PgOhfs8IMk6aDbGOAAAKQTQAACAAAAA \
      --resolve cxbyte.me:443:146.59.92.173
Since I saw some notes about not doing DNSSEC validation locally, I'd
like to remind everyone that this is no more than spinning up a local stub
resolver - we're not reimplementing DNSSEC validation :)
[1]: <https://github.com/alimpfard/curl/tree/dane>
[2]: <https://www.huque.com/dane/testsite/>
--
Cheers,
~ Ali Mohammad Pur

Received on 2025-09-25
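The base64 string passed to `--add-dns-rr` in the message above is a complete DNS response in wire format, and with that option the library user, not the resolver, vouches for it. The decoder below is an added example (not code from the post, from the linked branch, or from curl): it parses the message with the standard library only, so the reader can see exactly what is being handed over as trusted: the header flags (including the AD bit), each record by type, and the RRSIG inception/expiration window. TLSA RDATA decoding is included because that is the record type a DANE check consumes. `signature_window_ok` is a helper of my own for checking a signature's validity window against a caller-supplied clock; the blob constant is copied verbatim from the post.

```python
"""Decode a DNS response in wire format (RFC 1035), e.g. the blob handed to --add-dns-rr.

Added example, not code from the post or from curl. Standard library only.
"""
import base64
import json
import struct
from datetime import datetime, timezone

# Base64 string copied verbatim from the --add-dns-rr invocation in the post above.
BLOB = "AACBoAABAAIAAAABBmN4Ynl0ZQJtZQAAAQABwAwAAQABAAABGAAEkjtcrcAMAC4AAQAAARgAXQABDQIAAAEsaMmYTmjG2S6GyQZjeGJ5dGUCbWUA88TCNXPd4zVdaAVXfPTQelw1WHeLkH92ZUcrEUoR2Zm2kqxgg9MRtSrI+b0YuqWwfpts3PgOhfs8IMk6aDbGOAAAKQTQAACAAAAA"

TYPES = {1: "A", 28: "AAAA", 41: "OPT", 46: "RRSIG", 52: "TLSA"}
AD_BIT = 0x0020  # header flag: resolver asserts the answer was DNSSEC-validated (RFC 4035)
DO_BIT = 0x8000  # OPT "TTL" flag: client asked for DNSSEC records (RFC 6891)


def read_name(msg, off):
    """Return (dotted name, offset after the name), following compression pointers."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte pointer into the message
            hops += 1
            if hops > 16:                    # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack_from("!H", msg, off)[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) or ".", end if jumped else off


def utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_rdata(rtype, msg, off, rdlen):
    """Decode the RDATA of the types a DANE check cares about; others come back as hex."""
    end = off + rdlen
    if rtype == 1 and rdlen == 4:
        return {"address": ".".join(str(b) for b in msg[off:end])}
    if rtype == 46:                           # RRSIG, RFC 4034 section 3.1
        covered, alg, labels, ottl, exp, inc, tag = struct.unpack_from("!HBBIIIH", msg, off)
        signer, sig_off = read_name(msg, off + 18)   # signer name is never compressed
        return {"type_covered": TYPES.get(covered, covered), "algorithm": alg,
                "labels": labels, "original_ttl": ottl, "key_tag": tag, "signer": signer,
                "inception": inc, "expiration": exp,
                "inception_utc": utc(inc), "expiration_utc": utc(exp),
                "signature_len": end - sig_off}
    if rtype == 52 and rdlen >= 3:            # TLSA, RFC 6698 section 2.1
        return {"usage": msg[off], "selector": msg[off + 1], "matching_type": msg[off + 2],
                "assoc_data": msg[off + 3:end].hex()}
    return {"raw": msg[off:end].hex()}


def parse_message(wire):
    """Parse header, question and the answer/authority/additional sections of one message."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", wire, 0)
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(wire, off)
        qtype, qclass = struct.unpack_from("!HH", wire, off)
        off += 4
        questions.append({"name": name, "type": TYPES.get(qtype, qtype), "class": qclass})
    msg = {"id": ident, "qr": bool(flags & 0x8000), "ad": bool(flags & AD_BIT),
           "rcode": flags & 0xF, "question": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, off = read_name(wire, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", wire, off)
            off += 10
            rr = {"name": name, "type": TYPES.get(rtype, rtype), "class": rclass, "ttl": ttl}
            if rtype == 41:                   # OPT: class = UDP payload size, TTL carries DO flag
                rr.update({"udp_payload": rclass, "do": bool(ttl & DO_BIT)})
            rr.update(parse_rdata(rtype, wire, off, rdlen))
            off += rdlen
            rrs.append(rr)
        msg[section] = rrs
    if off != len(wire):
        raise ValueError(f"{len(wire) - off} trailing bytes after the last record")
    return msg


def signature_window_ok(rrsig, now):
    """RFC 4035 section 5.3.1: an RRSIG is usable only while inception <= now <= expiration."""
    return rrsig["inception"] <= now <= rrsig["expiration"]


def decode_blob(b64=BLOB):
    return parse_message(base64.b64decode(b64))


if __name__ == "__main__":
    print(json.dumps(decode_blob(), indent=2))
```

Run it and read the output with the DANE flow in mind: the answer section is what the client will trust, the AD bit is an assertion made by whichever resolver produced the message, and the RRSIG window is the one thing a caller who injects records itself has to check on its own clock, since nothing downstream will.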