On Mon, 1 Sep 2025, Ali Mohammad Pur Fard via curl-library wrote:

Thanks for your interest and willingness to help improve curl!

> Since DANE/TLSA has become much more common as a replacement for PKI

This is surprising to me. What data are you basing this statement on and what PKI do you speak of here? The popular browsers don't support DANE, so deploying it for the web seems like a lot of work for a rather small audience.

> In particular, I'm mostly interested in having libcurl expose a way for users to provide (or request the use of) a set of TLSA records, or somehow communicate that DANE should be used for the connection (as I'm trying to have DANE be a native alternative to PKI in Ladybird[1]). The request side of this is reasonably straightforward with openssl, at least.

We added "Support DANE" to the TODO document already in August 2012. I think it would be cool to get support in and I know there is at least some interest "out there".

We once had an attempt and I recall that we then had some challenges getting the DNSSEC stuff done correctly with all the keys etc. to verify that the records we get are legitimate for the domain.

> I do have a patchset[2] that implements this as a proof of concept

Maybe you can start easy by explaining the libcurl API you have envisioned for this, and what actions that would trigger?

It looks like you use c-ares for the DNS record fiddling, right?

--

 / daniel.haxx.se || https://rock-solid.curl.dev