Diffstat (limited to 'libdane')
-rw-r--r--libdane/dane.c2
-rw-r--r--libdane/includes/gnutls/dane.h2
2 files changed, 3 insertions, 1 deletions
diff --git a/libdane/dane.c b/libdane/dane.c
index 30274d53f2..2d68cdd4a7 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -293,7 +293,7 @@ int dane_query_tlsa(dane_state_t s, dane_query_t *r, const char* host, const cha
(*r)->data_entries = i;
- if (!(*r)->result->secure) {
+ if (!(s->flags & DANE_F_INSECURE) && !(*r)->result->secure) {
if ((*r)->result->bogus)
ret = gnutls_assert_val(DANE_E_INVALID_DNSSEC_SIG);
else
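Review bot: With `DANE_F_INSECURE` set, the new condition skips the whole branch, so a result marked `bogus` is accepted along with one that is merely unsigned, and the `DANE_E_INVALID_DNSSEC_SIG` path on the next lines can no longer be reached under the flag. A `bogus` result presumably means validation was attempted and failed, which is a stronger warning sign than a missing signature, and the caller gets no indication afterwards that the TLSA data was unauthenticated. If only unsigned zones are meant to be tolerated, the guard could be `if (!(*r)->result->secure && ((*r)->result->bogus || !(s->flags & DANE_F_INSECURE))) {`; if ignoring both is intended, a short comment here saying so would help. The `else` arm of this block continues outside the hunk.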
diff --git a/libdane/includes/gnutls/dane.h b/libdane/includes/gnutls/dane.h
index 027f28e57b..845e0766a7 100644
--- a/libdane/includes/gnutls/dane.h
+++ b/libdane/includes/gnutls/dane.h
@@ -95,12 +95,14 @@ typedef struct dane_query_st *dane_query_t;
/**
* dane_state_flags_t:
* @DANE_F_IGNORE_LOCAL_RESOLVER: Many systems are not DNSSEC-ready. In that case the local resolver is ignored, and a direct recursive resolve occurs.
+ * @DANE_F_INSECURE: Ignore any DNSSEC signature verification errors.
*
* Enumeration of different verification flags.
*/
typedef enum dane_state_flags_t
{
DANE_F_IGNORE_LOCAL_RESOLVER = 1,
+ DANE_F_INSECURE=2,
} dane_state_flags_t;
int dane_state_init (dane_state_t* s, unsigned int flags);
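Review bot: The doc line for `DANE_F_INSECURE` does not say what the caller gives up. Judging by the dane.c change in this commit, TLSA records are then returned without DNSSEC authentication, so a certificate check against them no longer protects against forged DNS answers. I would spell that out, e.g. `@DANE_F_INSECURE: Ignore any DNSSEC signature verification errors. The returned TLSA data is then unauthenticated and must not be used where the result decides trust.` As a minor style point, `DANE_F_INSECURE=2,` should be spaced like the entry above it: `DANE_F_INSECURE = 2,`.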