<div dir="ltr"><div class="gmail_default" style="font-family:courier new,monospace">Thanks Brad and Cristian for confirming. If I understand correctly, as of now there is no plan to add DNSSEC in C-ares in future too.</div><div class="gmail_default" style="font-family:courier new,monospace"><br clear="all"></div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><span style="font-family:courier new,monospace">Regards</span><br style="font-family:courier new,monospace"><span style="font-family:courier new,monospace">Anant</span><br></div></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 14 Jan 2022 at 03:26, Cristian Rodríguez <<a href="mailto:crrodriguez@opensuse.org">crrodriguez@opensuse.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">DNSSEC has abysmal adoption rate.. adding more and more code to deal<br>
with it is not going to get it better, in fact will add more bugs and<br>
quirks to be aware of.<br>
<br>
it is better that you let your dns server do the job for you.<br>
<br>
<br>
On Thu, Jan 13, 2022 at 2:45 PM Anant via c-ares <<a href="mailto:c-ares@lists.haxx.se" target="_blank">c-ares@lists.haxx.se</a>> wrote:<br>
><br>
> Thanks Brad! appreciate the quick response.<br>
><br>
> Our query was in the context of a "Security-Aware Resolver" using C-ares. We were wondering if something similar to what "bind" provides is there in C-ares too.<br>
><br>
> I see that there are some relevant changes in ares_nameser.h but do not see anything relevant while creating queries/parsing answers.<br>
><br>
> Is C-ares not intended to be used by "Security-Aware Resolvers"?<br>
><br>
> Regards<br>
> Anant<br>
><br>
><br>
> On Thu, 13 Jan 2022 at 22:07, Brad House via c-ares <<a href="mailto:c-ares@lists.haxx.se" target="_blank">c-ares@lists.haxx.se</a>> wrote:<br>
>><br>
>> DNSSEC verification is the responsibility of the DNS server, and not of the client side. The DNS server the client connects to performs the actual recursive lookups and performs the DNSSEC validation, so yes, you need to make sure the DNS server you are using is trusted.<br>
>><br>
>> On 1/13/22 8:11 AM, Anant via c-ares wrote:<br>
>><br>
>> Hi,<br>
>><br>
>> Do we have support for DNSSEC in 1.18.1?<br>
>><br>
>> I am exploring the src and see that there are some relevant changes in header files but I do not see that in query and answer handling.<br>
>> Regards<br>
>> Anant<br>
>><br>
>><br>
>> --<br>
>> c-ares mailing list<br>
>> <a href="mailto:c-ares@lists.haxx.se" target="_blank">c-ares@lists.haxx.se</a><br>
>> <a href="https://lists.haxx.se/listinfo/c-ares" rel="noreferrer" target="_blank">https://lists.haxx.se/listinfo/c-ares</a><br>
><br>
> --<br>
> c-ares mailing list<br>
> <a href="mailto:c-ares@lists.haxx.se" target="_blank">c-ares@lists.haxx.se</a><br>
> <a href="https://lists.haxx.se/listinfo/c-ares" rel="noreferrer" target="_blank">https://lists.haxx.se/listinfo/c-ares</a><br>
</blockquote></div>