Hey everyone!
I've put together a (basic) implementation of what I think DANE support
should look like [1].
For simplicity, here's the "general" set of requirements I gathered from
this thread:
- DANE validation itself (`--dane`)
- An upstream resolver that may or may not be trusted
(`--{trusted-}upstream-dns`)
- If the upstream is not trusted, curl should be able to do its own
DNSSEC validation (via unbound here, since I'm more familiar with that)
- Library user should be able to just hand curl the records, if it
trusts the validity (my requirement, `CURLOPT_ADD_DNS_RR`)
Should be reasonably easy to build; I've been using the following to
test it:
- should fail validation (excellent test suite in general [2]):
curl -vv --dane --upstream-dns 8.8.8.8 https://badhash.dane.huque.com/
- should pass, my personal web page:
curl -vv --dane https://cxbyte.me --add-dns-rr
AACBoAABAAIAAAABBmN4Ynl0ZQJtZQAAAQABwAwAAQABAAABGAAEkjtcrcAMAC4AAQAAARgAXQABDQIAAAEsaMmYTmjG2S6GyQZjeGJ5dGUCbWUA88TCNXPd4zVdaAVXfPTQelw1WHeLkH92ZUcrEUoR2Zm2kqxgg9MRtSrI+b0YuqWwfpts3PgOhfs8IMk6aDbGOAAAKQTQAACAAAAA
--resolve cxbyte.me:443:146.59.92.173
Since I saw some notes about not doing DNSSEC validation locally, I'd
like to remind you that this is no more than spinning up a local stub
resolver - we're not reimplementing DNSSEC validation :)
[1]: <https://github.com/alimpfard/curl/tree/dane>
[2]: <https://www.huque.com/dane/testsite/>
--
Cheers,
~ Ali Mohammad Pur
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
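As an added example (not part of the post, nor code from the linked curl fork), here is a small standard-library Python decoder for the base64 payload handed to `--add-dns-rr` above. It parses the wire-format DNS response, exposes the AD flag plus the A, RRSIG and OPT records, and only returns addresses when the answer is AD-flagged and carries an RRSIG covering them, which is the sanity check a library user would want before trusting such a blob. Only those three record types are decoded; everything else is kept as name/type/ttl.

```python
import base64
import struct

# The exact --add-dns-rr payload from the post: a DNS response message, wire format, base64.
RR_BLOB = ("AACBoAABAAIAAAABBmN4Ynl0ZQJtZQAAAQABwAwAAQABAAABGAAEkjtcrcAMAC4AAQAAARgAXQAB"
           "DQIAAAEsaMmYTmjG2S6GyQZjeGJ5dGUCbWUA88TCNXPd4zVdaAVXfPTQelw1WHeLkH92ZUcrEUoR"
           "2Zm2kqxgg9MRtSrI+b0YuqWwfpts3PgOhfs8IMk6aDbGOAAAKQTQAACAAAAA")

def read_name(msg, off):  # decode a possibly compressed name (RFC 1035 4.1.4)
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # pointer: follow it, remember where we were
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:                                # root label ends the name
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def parse_message(blob):  # header flags plus the A / RRSIG / OPT records of the message
    msg = base64.b64decode(blob)
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, records = 12, []
    for _ in range(qd):                           # skip the question section
        off = read_name(msg, off)[1] + 4
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rd, off = off + 10, off + 10 + rdlen      # rdata spans msg[rd:off]
        rec = {"name": name, "type": rtype, "ttl": ttl}
        if rtype == 1:                            # A
            rec["address"] = ".".join(str(b) for b in msg[rd:off])
        elif rtype == 46:                         # RRSIG, RFC 4034 section 3.1 layout
            covered, alg, _, _, _, _, keytag = struct.unpack("!HBBIIIH", msg[rd:rd + 18])
            rec.update(covered=covered, algorithm=alg, keytag=keytag,
                       signer=read_name(msg, rd + 18)[0])
        elif rtype == 41:                         # OPT: class = UDP size, TTL carries the DO bit
            rec.update(udp_size=rclass, do=bool(ttl & 0x8000))
        records.append(rec)
    return {"ad": bool(flags & 0x0020), "rcode": flags & 0xF, "records": records}

def signed_addresses(blob, qname, rtype=1):  # addresses only if AD-flagged and RRSIG-covered
    parsed = parse_message(blob)
    sigs = [r for r in parsed["records"] if r["type"] == 46 and r["name"] == qname and r["covered"] == rtype]
    if parsed["rcode"] != 0 or not parsed["ad"] or not sigs:
        return []
    return [r["address"] for r in parsed["records"] if r["type"] == rtype and r["name"] == qname]
```

Run against the blob from the post, the decoded A record is the same address the `--resolve` argument pins, and the RRSIG is an algorithm 13 (ECDSA P-256) signature by cxbyte.me.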