0. The TLSA lookup function does not check the "bogus" field, which is documented as possibly set together with "secure", indicating a bogus DNS reply (unbound still returns the data it seems) and lets the caller decide. So the new TLSA lookup function is not safe.
OK.
Or? Manual page says if both are zero, then no security for domain. It says nothing about both being set to 1. And example at unbound.net suggests that they can't be set together:

    if(result->secure)
        printf("Result is secure\n");
    else if(result->bogus)
_______________________________________________
dane mailing list
dane@ietf.org
https://www.ietf.org/mailman/listinfo/dane
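A defensive way to consume a TLSA answer whichever way the two flags combine: require "secure" to be set and "bogus" to be clear before using any record, and reject malformed RDATA. This is an added example, not code from the thread or from Unbound; it uses a constructed stand-in struct (fake_result) in place of libunbound's ub_result and a constructed TLSA record.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-in for the libunbound ub_result fields used here
 * (hypothetical name; the real struct has more members). */
struct fake_result {
    int secure;            /* DNSSEC validation succeeded */
    int bogus;             /* a validation failure occurred */
    int havedata;          /* the answer carried RRs */
    unsigned char **data;  /* RDATA of each RR, NULL-terminated array */
    int *len;              /* length of each RDATA */
};
struct tlsa_rr { uint8_t usage, selector, mtype; const unsigned char *assoc; size_t assoc_len; };

/* Policy: accept the reply only when it is secure AND not bogus. Checking
 * both flags is safe whichever way libunbound combines them. */
int tlsa_usable(const struct fake_result *r) {
    return r->secure && !r->bogus && r->havedata;
}
/* Parse one TLSA RDATA (RFC 6698 wire format). Returns 0 on success. */
int parse_tlsa(const unsigned char *rd, size_t n, struct tlsa_rr *out) {
    if (n < 4) return -1;            /* 3 header bytes + association data */
    uint8_t usage = rd[0], selector = rd[1], mtype = rd[2];
    if (usage > 3 || selector > 1 || mtype > 2) return -1;
    size_t alen = n - 3;             /* SHA-256 is 32 bytes, SHA-512 is 64 */
    if ((mtype == 1 && alen != 32) || (mtype == 2 && alen != 64)) return -1;
    out->usage = usage; out->selector = selector; out->mtype = mtype;
    out->assoc = rd + 3; out->assoc_len = alen;
    return 0;
}
/* Collect well-formed TLSA RRs; returns count, or -1 if the reply is untrusted. */
int collect_tlsa(const struct fake_result *r, struct tlsa_rr *out, int max) {
    int n = 0;
    if (!tlsa_usable(r)) return -1;
    for (int i = 0; r->data[i] != NULL && n < max; i++)
        if (parse_tlsa(r->data[i], (size_t)r->len[i], &out[n]) == 0) n++;
    return n;
}

/* Constructed sample: usage 3 (DANE-EE), selector 1 (SPKI), matching type 1
 * (SHA-256) followed by a 32-byte placeholder digest (all zero). */
static unsigned char sample_rdata[35] = { 3, 1, 1 };
static unsigned char *sample_data[] = { sample_rdata, NULL };
static int sample_len[] = { 35 };

/* Run the policy over a constructed reply with the given validation flags. */
int demo_lookup(int secure, int bogus) {
    struct fake_result r = { secure, bogus, 1, sample_data, sample_len };
    struct tlsa_rr rrs[4];
    return collect_tlsa(&r, rrs, 4);
}
```

With the real library the same checks would be made on the ub_result returned by ub_resolve for type 52 (TLSA), and why_bogus consulted for logging when the reply is rejected.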