Martin Rex <[email protected]> writes:

>Are there already workable procedures and APIs for software to distinguish
>"normal" DNSSEC lookup results from "trustworthy" DNSSEC lookup results with
>some level of portability?

If you mean "is there a way to say 'I don't care about authentication, just gimme an address, dammit'", i.e. a getaddrinfo_unauthenticated(), then no, this was explicitly excluded from the DNSSEC work with a let-them-eat-cake argument that if anyone cared about this then they could just hack around at the res_query() level themselves.

Note that this is just for basic DNS vs. DNSSEC lookups; given that you can't even do that, I doubt there's any way to do vanilla DNSSEC vs. EV-cert-equivalent DNSSEC.

Peter.
