summaryrefslogtreecommitdiff
path: root/libdane
diff options
context:
space:
mode:
authorNikos Mavrogiannopoulos <nmav@gnutls.org>2013-02-24 12:18:31 +0100
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2013-02-24 12:18:31 +0100
commitd52eacc4513d8abe8d6a554fc52e4240b1802d48 (patch)
tree457db9667516afce37f0614281b0a610519085fa /libdane
parent6e96756cef4c3e2a720c8981f6b2efb8252a1226 (diff)
downloadgnutls-d52eacc4513d8abe8d6a554fc52e4240b1802d48.tar.gz
doc update
Diffstat (limited to 'libdane')
-rw-r--r--libdane/dane.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/libdane/dane.c b/libdane/dane.c
index 2d68cdd4a7..b6a950f6cb 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -502,6 +502,9 @@ cleanup:
* If no information via DANE can be obtained the flag %DANE_VERIFY_NO_DANE_INFO
* is set. If a DNSSEC signature is not available for the DANE
* record then the verify flag %DANE_VERIFY_NO_DNSSEC_DATA is set.
+ *
+ * Note that the CA constraint only applies for the directly certifying CA
+ * and does not account for long CA chains.
*
* Due to the many possible options of DANE, there is no single threat
* model countered. When notifying the user about DANE verification results