On Wed, May 22, 2013 at 04:16:49PM +1000, Mike McCauley wrote:
> I have now added support for SSL_get_tlsa_record_byname() to
> Net::SSLeay. It is available in SVN.
The DANE support in OpenSSL has not stabilized yet, it may be
premature to add features to other products that depend on it.
For example, I think that the OpenSSL library should NOT be
dynamically loading libunbound for DNSSEC TLSA lookups. Rather,
it should be using the platform resolver with the "DO" bit set
to get validated responses from the local cache.
Only applications that want to do their own validation should use
libunbound or similar, and should do so by using their own choice
of DNSSEC client library.
The control interface for passing this data back to OpenSSL may
also change, at least in so far as I believe it should return
errors when all TLSA RRs are malformed or unusable, ...
I think you should wait until there is an OpenSSL release with
documented interfaces for DANE before adding support for said
interfaces.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
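The platform-resolver approach described in the message above, as an added example that is not part of this thread nor code from OpenSSL or Net::SSLeay: a TLSA query carrying an EDNS0 OPT record with the DO bit, and a parser that trusts the answer only when the validating resolver set the AD (Authenticated Data) flag, skips malformed TLSA RRs, and raises when none are usable. Wire formats follow RFC 1035, RFC 6891 and RFC 6698; the response bytes and the name _443._tcp.example.com are constructed for the example.

```python
import struct
TLSA_TYPE, CLASS_IN, OPT_TYPE = 52, 1, 41
EDNS_DO, FLAG_AD = 0x8000, 0x0020   # OPT "DO" flag; header AD (Authenticated Data) bit

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_tlsa_query(name, txid=0x1234):
    """TLSA query with RD set plus an OPT RR with DO, asking the resolver for validated data."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)          # 1 question, 1 additional
    question = encode_name(name) + struct.pack(">HH", TLSA_TYPE, CLASS_IN)
    opt = b"\x00" + struct.pack(">HHBBHH", OPT_TYPE, 4096, 0, 0, EDNS_DO, 0)  # root, 4096B, v0, DO
    return header + question + opt

def _read_name(msg, off):
    """Decode a possibly-compressed name; return (name, offset just past it in the message)."""
    labels, end = [], None
    while msg[off] != 0:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer: follow, remember end
            end = off + 2 if end is None else end
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            continue
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln
    return ".".join(labels) + ".", (off + 1 if end is None else end)

def validated_tlsa_records(resp):
    """Return usable (usage, selector, matching_type, data) tuples from a response.
    Raises if the resolver did not validate (AD clear) or every TLSA RR is unusable."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if not flags & FLAG_AD:
        raise ValueError("AD bit clear: TLSA data was not DNSSEC-validated")
    off = 12
    for _ in range(qd):                            # skip the question section
        off = _read_name(resp, off)[1] + 4
    records = []
    for _ in range(an):
        off = _read_name(resp, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        rdata, off = resp[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == TLSA_TYPE and rdlen >= 4:      # 3 header octets + association data
            records.append((rdata[0], rdata[1], rdata[2], rdata[3:]))
    if not records:
        raise ValueError("all TLSA RRs malformed or unusable")
    return records

# Constructed reply: AD set, one good RR (usage 3, SPKI selector, SHA-256) and one truncated RR.
def constructed_response(txid=0x1234, ad=True):
    header = struct.pack(">HHHHHH", txid, 0x81A0 if ad else 0x8180, 1, 2, 0, 0)  # QR RD RA [AD]
    question = encode_name("_443._tcp.example.com") + struct.pack(">HH", TLSA_TYPE, CLASS_IN)
    rr = lambda rdata: struct.pack(">HHHIH", 0xC00C, TLSA_TYPE, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + rr(bytes([3, 1, 1]) + bytes(range(32))) + rr(b"\x03\x01")
```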