Diffstat (limited to 'libdane')
-rw-r--r-- | libdane/dane.c | 2 | ||||
-rw-r--r-- | libdane/includes/gnutls/dane.h | 2 |
2 files changed, 3 insertions, 1 deletions
diff --git a/libdane/dane.c b/libdane/dane.c
index 30274d53f2..2d68cdd4a7 100644
--- a/libdane/dane.c
+++ b/libdane/dane.c
@@ -293,7 +293,7 @@ int dane_query_tlsa(dane_state_t s, dane_query_t *r, const char* host, const cha
 (*r)->data_entries = i;
- if (!(*r)->result->secure) {
+ if (!(s->flags & DANE_F_INSECURE) && !(*r)->result->secure) {
 if ((*r)->result->bogus)
 ret = gnutls_assert_val(DANE_E_INVALID_DNSSEC_SIG);
 else
diff --git a/libdane/includes/gnutls/dane.h b/libdane/includes/gnutls/dane.h
index 027f28e57b..845e0766a7 100644
--- a/libdane/includes/gnutls/dane.h
+++ b/libdane/includes/gnutls/dane.h
@@ -95,12 +95,14 @@ typedef struct dane_query_st *dane_query_t;
 /**
 * dane_state_flags_t:
 * @DANE_F_IGNORE_LOCAL_RESOLVER: Many systems are not DNSSEC-ready. In that case the local resolver is ignored, and a direct recursive resolve occurs.
+ * @DANE_F_INSECURE: Ignore any DNSSEC signature verification errors.
 *
 * Enumeration of different verification flags.
 */
 typedef enum dane_state_flags_t
 {
 DANE_F_IGNORE_LOCAL_RESOLVER = 1,
+ DANE_F_INSECURE=2,
 } dane_state_flags_t;
 int dane_state_init (dane_state_t* s, unsigned int flags); |
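Review bot: With DANE_F_INSECURE set, the new condition in dane_query_tlsa skips the whole block, so the `bogus` branch is bypassed too and an answer whose DNSSEC validation actively failed is accepted exactly like an unsigned one. If the flag is meant for resolvers or zones that simply lack DNSSEC, the bogus check could stay unconditional: `if ((*r)->result->bogus) ret = gnutls_assert_val(DANE_E_INVALID_DNSSEC_SIG);` followed by `else if (!(s->flags & DANE_F_INSECURE) && !(*r)->result->secure)`. If accepting bogus answers is intended, a comment at the condition should say so, for example `/* DANE_F_INSECURE: TLSA data is used unauthenticated, bogus answers included */`. The block continues past the `else` outside this hunk, so whether the query result records that it was accepted without validation is not visible here.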
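Review bot: The doc line added for DANE_F_INSECURE in dane.h does not tell callers what they give up: with the flag set, TLSA records are used without DNSSEC authentication, so a successful DANE match no longer shows that the records came from the zone owner. I would word it along the lines of `@DANE_F_INSECURE: Accept TLSA data even when DNSSEC validation is missing or fails; the data is then unauthenticated and anyone able to forge DNS answers can supply it.` On style, `DANE_F_INSECURE=2,` should be spaced as `DANE_F_INSECURE = 2,` to match the entry above. Since dane.c tests the value with `&`, a short comment that the enumerators are bit flags would help whoever adds the next one.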