On Mon, 8 Sep 2025, Timothe Litt via curl-library wrote:
Implementing DNSSEC validation in an application is discouraged in 3655.
It's analogous to implementing TCP over UDP in the application because you
don't trust the kernel's TCP stack...
I beg to differ. That's a completely different matter.
If curl doesn't verify the responses itself, how can a user be *sure* the DANE
cert they are going to use is the right one?
--
/ daniel.haxx.se || https://rock-solid.curl.dev
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
