q->data_entries = i;
- if (q->flags & DANE_F_REQUIRE_DNSSEC) {
- if (!q->result->secure) {
- if (q->result->bogus)
- ret = DANE_E_INVALID_DNSSEC_SIG;
- else
- ret = DANE_E_NO_DNSSEC_SIG;
- }
+ if (!q->result->secure) {
+ if (q->result->bogus)
+ ret = DANE_E_INVALID_DNSSEC_SIG;
+ else
+ ret = DANE_E_NO_DNSSEC_SIG;
}
/* show security status */
* is set. If a DNSSEC signature is not available for the DANE
* record then the verify flag %DANE_VERIFY_NO_DNSSEC_DATA is set.
*
- * Note that when verifying untrusted certificates, it is recommended to
- * use the %DANE_F_REQUIRE_DNSSEC flag.
- *
* Due to the many possible options of DANE, there is no single threat
* model countered. When notifying the user about DANE verification results
* it may be better to mention: DANE verification did not reject the certificate,
*/
typedef enum dane_verify_flags_t
{
- DANE_F_REQUIRE_DNSSEC = 1,
- DANE_F_IGNORE_LOCAL_RESOLVER = 1<<2,
+ DANE_F_IGNORE_LOCAL_RESOLVER = 1,
} dane_verify_flags_t;
int dane_verify_crt (