In message <alpine.LRH.2.00.0811140934240.9364@xxxxxxxxxx>, Pekka Savola writes: > On Fri, 14 Nov 2008, Mark Andrews wrote: > >> How does an application do "accept if signed and validated by DNSSEC"? > > > > You validate the CERT RRset using the techniques in RFC > > 4033, 4034 and 4035. If the answer is "secure" then it was > > signed and validated. You the match offered cert to the CERT > > RRs using the information from RFC 4398. > > > > Do you need more detail or is that enough guidance? > > I was interested in more detail, specifically, are there application > interfaces an application could use, or every app need to implement > validation using 4033-5 techniques (a lot of work, and most would > probably do it wrong)? There are a number of libraries available which can do dnssec validation. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@xxxxxxx _______________________________________________ Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf