authorNikos Mavrogiannopoulos <nmav@gnutls.org>2012-10-06 17:30:15 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2012-10-06 17:30:15 +0200
commit371d03855985bd3b22cb4ca90cb7bcfee48709f4 (patch)
tree936a5b64bc388107e5eebcef1cdbafafc53d7785 /libdane
parente84642d66750795c916e7fdae1e5beddbb89f396 (diff)
Always require DNSSEC.
Diffstat (limited to 'libdane')
-rw-r--r--libdane/dane.c15
-rw-r--r--libdane/includes/gnutls/dane.h3
2 files changed, 6 insertions, 12 deletions
diff --git a/libdane/dane.c b/libdane/dane.c
index f3d28341e3..6f9a2db4cd 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -240,13 +240,11 @@ int dane_query_resolve_tlsa(dane_query_t q, const char* host, const char* proto,
q->data_entries = i;
- if (q->flags & DANE_F_REQUIRE_DNSSEC) {
- if (!q->result->secure) {
- if (q->result->bogus)
- ret = DANE_E_INVALID_DNSSEC_SIG;
- else
- ret = DANE_E_NO_DNSSEC_SIG;
- }
+ if (!q->result->secure) {
+ if (q->result->bogus)
+ ret = DANE_E_INVALID_DNSSEC_SIG;
+ else
+ ret = DANE_E_NO_DNSSEC_SIG;
}
/* show security status */
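Review bot: On the now-unconditional insecure path (`if (!q->result->secure)`) `ret` is set to DANE_E_NO_DNSSEC_SIG or DANE_E_INVALID_DNSSEC_SIG, but the TLSA entries already recorded by `q->data_entries = i` a few lines earlier stay in the query object; the rest of dane_query_resolve_tlsa is outside this hunk, so whether a caller can still read them through the handle after the error return cannot be seen here. Since this commit makes DNSSEC mandatory, unauthenticated records should not remain reachable: consider `q->data_entries = 0;` next to the error assignment, or at least a comment above the check such as `/* DNSSEC is mandatory: an unauthenticated or bogus answer is an error, not a degraded result */`. Note that the `!secure && !bogus` branch covers both an unsigned zone and a resolver that performed no validation; DANE_E_NO_DNSSEC_SIG is accurate for both, but the error's documentation should say so.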
@@ -446,9 +444,6 @@ cleanup:
* is set. If a DNSSEC signature is not available for the DANE
* record then the verify flag %DANE_VERIFY_NO_DNSSEC_DATA is set.
*
- * Note that when verifying untrusted certificates, it is recommended to
- * use the %DANE_F_REQUIRE_DNSSEC flag.
- *
* Due to the many possible options of DANE, there is no single threat
* model countered. When notifying the user about DANE verification results
* it may be better to mention: DANE verification did not reject the certificate,
diff --git a/libdane/includes/gnutls/dane.h b/libdane/includes/gnutls/dane.h
index fbe9b89883..9a3a5e8c43 100644
--- a/libdane/includes/gnutls/dane.h
+++ b/libdane/includes/gnutls/dane.h
@@ -130,8 +130,7 @@ typedef enum dane_verify_status_t
*/
typedef enum dane_verify_flags_t
{
- DANE_F_REQUIRE_DNSSEC = 1,
- DANE_F_IGNORE_LOCAL_RESOLVER = 1<<2,
+ DANE_F_IGNORE_LOCAL_RESOLVER = 1,
} dane_verify_flags_t;
int dane_verify_crt (
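Review bot: Renumbering `DANE_F_IGNORE_LOCAL_RESOLVER` from `1<<2` to `1` reuses the bit value that `DANE_F_REQUIRE_DNSSEC` held, so a caller built against the previous header that passes the old flag now silently gets "ignore local resolver" semantics rather than a compile error. If this header has already shipped in a release, keep the bit assignment stable: leave `DANE_F_IGNORE_LOCAL_RESOLVER = 1<<2` and either retain `DANE_F_REQUIRE_DNSSEC = 1` as a documented no-op (DNSSEC is always required now) or reserve the bit with a comment like `/* bit 0 was DANE_F_REQUIRE_DNSSEC, now implied; kept reserved for ABI stability */`. The enum's doc comment above the hunk should also be checked for any remaining description of the removed flag.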