[spec] Certificate trust

cas carsten at strotmann.de
Mon Mar 1 09:42:15 GMT 2021


> On 1. Mar 2021, at 10:26, Stephane Bortzmeyer <stephane at sources.org> wrote:
> On Sun, Feb 28, 2021 at 10:07:02PM -0500,
> Sean Conner <sean at conman.org> wrote 
> a message of 56 lines which said:
>> If you want *any* other type of DNS record, you are pretty much
>> forced to either use one of the horrible DNS resolving libraries or
>> roll your own.  I would tout my own DNS library [1], but it's in C
>> (and has a Lua wrapper for it).
> C programmers are lucky, there are two excellent free, documented,
> maintained and complete libraries to do DNS requests, ldns
> <https://www.nlnetlabs.nl/projects/ldns/> and getdns
> <https://getdnsapi.net/>.
> Python programmers have one, dnspython <https://www.dnspython.org/>.
> Other languages… it depends. Last time I checked for Elixir, it was
> not good.

No need to do manual/extra DNS queries to verify certificates via DANE.

GnuTLS has DANE validation built in, and OpenSSL has that as well.


