On Wed, Feb 26, 2014 at 06:14:09PM +0000, Tony Finch wrote:

> > As for setting the "AD" bit in the request automatically, it probably
> > should still require an explicit indication of interest from the
> > application or be set via a default option value /etc/resolv.conf.
>
> Perhaps, though I think the AD flag is pretty benign.

I think it requires EDNS0, but if that is already set, perhaps turning on
AD by default is harmless. This specific detail is perhaps more of a
"dnsop" than "dane" question.

By the way I just noticed that http://www.vpnc.org/getdns-api/ does not
define the interaction of DNSSEC with:

    getdns_return_t
    getdns_context_set_append_name(
        getdns_context *context,
        getdns_append_name_t value
    );

    Specifies whether to append a suffix to the query string before the
    API starts resolving a name. The value is GETDNS_APPEND_NAME_ALWAYS,
    GETDNS_APPEND_NAME_ONLY_TO_SINGLE_LABEL_AFTER_FAILURE,
    GETDNS_APPEND_NAME_ONLY_TO_MULTIPLE_LABEL_NAME_AFTER_FAILURE, or
    GETDNS_APPEND_NAME_NEVER. This controls whether or not to append the
    suffix given by getdns_context_set_suffix.

Name appending breaks DNSSEC when any of the resulting zones are insecure
and are tried before ultimately secure zones. The validity of a request
for a secure response for an under-specified query is IMHO questionable.

-- 
	Viktor.

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
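The point about search-suffix appending can be made concrete with a small model of a stub resolver walking a search list. The following is an added illustration, not getdns code and not part of the message above: the four GETDNS_APPEND_NAME_* mode names are the ones the quoted API text lists, while the zone table, the records, the search list and the candidate ordering (suffixed names first in ALWAYS mode, the bare name first in the two AFTER_FAILURE modes) are constructed assumptions for the example. It shows how the first zone that happens to answer determines the DNSSEC status the application gets, and how an NXDOMAIN from an unsigned zone drives the fallback without itself being verifiable.

```python
"""Model of search-suffix appending and the DNSSEC status of the result.

Added illustration, not getdns code.  The GETDNS_APPEND_NAME_* names are
the ones the getdns API spec lists; zone table, records, search list and
the ordering of candidates within each mode are constructed assumptions."""

ALWAYS = "GETDNS_APPEND_NAME_ALWAYS"
SINGLE_AFTER_FAILURE = "GETDNS_APPEND_NAME_ONLY_TO_SINGLE_LABEL_AFTER_FAILURE"
MULTI_AFTER_FAILURE = "GETDNS_APPEND_NAME_ONLY_TO_MULTIPLE_LABEL_NAME_AFTER_FAILURE"
NEVER = "GETDNS_APPEND_NAME_NEVER"

# Constructed DNSSEC status per zone.  "secure" = signed with a chain of
# trust, "insecure" = provably unsigned (neither its answers nor its
# NXDOMAINs can be validated).  The root "." must always be present.
ZONE_STATUS = {
    ".": "secure",
    "example.": "secure",
    "lab.example.": "insecure",
    "corp.example.": "secure",
}

# Constructed address records keyed by fully qualified owner name.
RECORDS = {
    "www.lab.example.": "192.0.2.10",
    "www.corp.example.": "192.0.2.20",
}


def fqdn(name):
    return name.strip(".") + "."


def candidate_names(name, suffixes, mode):
    """Fully qualified names to try, in order, for one append-name mode.

    Assumed ordering: ALWAYS tries the suffixed names before the name as
    given; the two AFTER_FAILURE modes try the name as given first and
    append suffixes only after it fails, and only for the label count the
    mode names."""
    bare = fqdn(name)
    appended = [fqdn(name.strip(".") + "." + s.strip(".")) for s in suffixes]
    single_label = "." not in name.strip(".")
    if mode == NEVER:
        return [bare]
    if mode == ALWAYS:
        return appended + [bare]
    if mode == SINGLE_AFTER_FAILURE:
        return [bare] + appended if single_label else [bare]
    if mode == MULTI_AFTER_FAILURE:
        return [bare] + appended if not single_label else [bare]
    raise ValueError("unknown append-name mode: %s" % mode)


def zone_of(qname, zone_status=ZONE_STATUS):
    """Closest enclosing zone present in the status table (longest suffix)."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zone_status:
            return candidate
    return "."


def resolve(name, suffixes, mode, records=RECORDS, zone_status=ZONE_STATUS):
    """Walk the candidate list the way a stub resolver with a search list does.

    Returns (qname, answer, status, trail).  Each trail entry records the
    name tried, the answer (None = NXDOMAIN) and the DNSSEC status of the
    zone that produced it, so an NXDOMAIN from an insecure zone shows up as
    an unauthenticated "failure" that nonetheless triggers the fallback."""
    trail = []
    for qname in candidate_names(name, suffixes, mode):
        status = zone_status[zone_of(qname, zone_status)]
        answer = records.get(qname)
        trail.append((qname, answer, status))
        if answer is not None:
            return qname, answer, status, trail
    return None, None, None, trail


def resolve_secure(name, suffixes, mode):
    """What an application that asked for a validated answer gets back:
    the address only when the first hit came from a secure zone."""
    qname, answer, status, _ = resolve(name, suffixes, mode)
    return answer if status == "secure" else None


if __name__ == "__main__":
    search = ["lab.example", "corp.example"]  # constructed search list
    for mode in (NEVER, ALWAYS, SINGLE_AFTER_FAILURE, MULTI_AFTER_FAILURE):
        qname, answer, status, trail = resolve("www", search, mode)
        print(mode)
        for step in trail:
            print("   tried %-20s -> %s (%s zone)" % step)
        print("   secure answer:", resolve_secure("www", search, mode))
```

Running it with the constructed search list shows the asymmetry the message describes: the same single-label query "www" yields a secure address when corp.example is searched first and an unvalidatable one when the unsigned lab.example zone is reached first, and only NEVER mode (or a fully qualified name) gives an answer whose security status does not depend on search-list order.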
