In message <200811140742.mAE7gJNn062219@xxxxxxxxxxxxxxxx>, Mark Andrews writes:
>
> In message <alpine.LRH.2.00.0811140934240.9364@xxxxxxxxxx>, Pekka Savola writes:
> > On Fri, 14 Nov 2008, Mark Andrews wrote:
> > >> How does an application do "accept if signed and validated by DNSSEC"?
> > >
> > > You validate the CERT RRset using the techniques in RFC
> > > 4033, 4034 and 4035. If the answer is "secure" then it was
> > > signed and validated. You then match offered cert to the CERT
> > > RRs using the information from RFC 4398.
> > >
> > > Do you need more detail or is that enough guidance?
> >
> > I was interested in more detail, specifically, are there application
> > interfaces an application could use, or does every app need to implement
> > validation using 4033-5 techniques (a lot of work, and most would
> > probably do it wrong)?
>
> There are a number of libraries available which can do
> dnssec validation.

And if you want to off load the validation you can use AD + TSIG.

> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@xxxxxxx
> _______________________________________________
> Ietf mailing list
> Ietf@xxxxxxxx
> https://www.ietf.org/mailman/listinfo/ietf

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@xxxxxxx
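
The check discussed in this thread, as an added example that is not part of the original messages or of any library they refer to: an application that offloads validation reads the AD bit from the resolver's reply, then compares the offered certificate with the PKIX CERT RDATA from RFC 4398. Assumptions: the function names are hypothetical, the reply has already been authenticated with TSIG (not implemented here; without it the AD bit proves nothing), and matching is done by exact DER equality.

```python
import hmac
import struct

AD_FLAG = 0x0020     # "Authenticated Data" header bit (RFC 4035)
TYPE_CERT = 37       # CERT RR type (RFC 4398)
CERT_PKIX = 1        # CERT certificate type 1: X.509 as per PKIX

def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer, always ends a name
            return off + 2
        if length == 0:             # root label
            return off + 1
        off += 1 + length

def parse_response(msg):
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, certs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated RDATA")
        if rtype == TYPE_CERT:
            certs.append(msg[off:off + rdlen])
        off += rdlen
    return bool(flags & AD_FLAG), certs         # (AD bit set?, CERT RDATA list)

def accept_offered_cert(msg, offered_der):
    # Accept only if AD is set and a PKIX CERT RR carries exactly this cert.
    secure, certs = parse_response(msg)
    if not secure:
        return False                            # not validated: never match
    for rdata in certs:
        if len(rdata) > 5 and struct.unpack("!H", rdata[:2])[0] == CERT_PKIX:
            # RDATA = type(2) | key tag(2) | algorithm(1) | certificate
            if hmac.compare_digest(rdata[5:], offered_der):
                return True
    return False

def sample_response(flags, cert):  # constructed sample, placeholder cert bytes
    rdata = struct.pack("!HHB", CERT_PKIX, 0, 0) + cert
    question = b"\x07example\x03com\x00" + struct.pack("!HH", TYPE_CERT, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_CERT, 1, 300, len(rdata)) + rdata
    return struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0) + question + answer
```
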