On 9/11/25 04:47, Daniel Stenberg via curl-library wrote:
> On Mon, 8 Sep 2025, Timothe Litt via curl-library wrote:
>
>> Implementing DNSSEC validation in an application is discouraged in 3655.
>>
>> It's analogous to implementing TCP over UDP in the application because you
>> don't trust the kernel's TCP stack...
>
> I beg to differ. That's a completely different matter.
>
> If curl doesn't verify the responses itself, how can a user be *sure* the DANE
> cert they are going to use is the right one?

systemd-resolved provides a D-Bus API that validates DNSSEC and explicitly
states if the data was authenticated or not. Windows and macOS might have
similar APIs, though I am not familiar enough with either platform to say.

--
Sincerely,
Demi Marie Obenour (she/her/hers)
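The check described in the message above, as an added example (not code from the thread, curl or systemd): it calls the `ResolveRecord` method of `org.freedesktop.resolve1.Manager` through `busctl` and fails closed unless the reply flags carry `SD_RESOLVED_AUTHENTICATED`. The JSON reply layout of `busctl --json=short` and all helper names are assumptions, and the sample replies are constructed.

```python
import json
import subprocess

# Flag bit from systemd-resolved's D-Bus API documentation (org.freedesktop.resolve1).
SD_RESOLVED_AUTHENTICATED = 1 << 9
DNS_CLASS_IN = 1
DNS_TYPE_TLSA = 52


class NotAuthenticated(Exception):
    """The resolver answered, but did not mark the data as authenticated."""


def authenticated_records(reply, rr_type=DNS_TYPE_TLSA):
    """Return raw RR byte strings of rr_type from a decoded ResolveRecord reply.

    Assumed busctl JSON form of the a(iqqay)t return value:
    {"type": "a(iqqay)t", "data": [[[ifindex, class, type, [bytes]], ...], flags]}
    """
    records, flags = reply["data"]
    if not flags & SD_RESOLVED_AUTHENTICATED:
        # Fail closed: unauthenticated TLSA data must never pin a certificate.
        raise NotAuthenticated(f"reply flags {flags:#x} lack the authenticated bit")
    return [bytes(raw) for _ifindex, rr_class, rtype, raw in records
            if rr_class == DNS_CLASS_IN and rtype == rr_type]


def resolve_tlsa(name):
    """Ask systemd-resolved for TLSA records via busctl (needs a running resolved)."""
    out = subprocess.run(
        ["busctl", "--json=short", "call", "org.freedesktop.resolve1",
         "/org/freedesktop/resolve1", "org.freedesktop.resolve1.Manager",
         "ResolveRecord", "isqqt", "0", name,
         str(DNS_CLASS_IN), str(DNS_TYPE_TLSA), "0"],
        check=True, capture_output=True, text=True).stdout
    return authenticated_records(json.loads(out))


# Constructed replies (not captured output): same record, with and without the bit.
SAMPLE_RR = [3, 1, 1, 0xAB, 0xCD]  # placeholder bytes, not a real record
SIGNED = {"type": "a(iqqay)t",
          "data": [[[2, 1, 52, SAMPLE_RR]], SD_RESOLVED_AUTHENTICATED | 1]}
UNSIGNED = {"type": "a(iqqay)t", "data": [[[2, 1, 52, SAMPLE_RR]], 1]}
```

The systemd documentation also sets this bit for locally synthesized data such as `/etc/hosts` entries, so it reports what the local resolver vouches for rather than a DNSSEC chain specifically.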
