|
return tlsa.certUsage == TLSA.CertUsage.domainIssuedCertificate; |
So for exmaple for 1 1 1 this checks that the DANE part passes, but then returns false because DANE is necessary but not sufficient in that case. We can know DANE didn't specifically fail because no exception is raised, but if DNSSEC fails entirely also we get a return of false with no exception raised, so there is no way to tell these apart.
Suggestion: return an int code, 0 for fully verified success, 1 for DANE passed but there's more to do, and -1 for no DANE found or checked at all. Something like that.
minidns/minidns-dnssec/src/main/java/org/minidns/dane/DaneVerifier.java
Line 213 in 15a8da3
So for exmaple for
1 1 1this checks that the DANE part passes, but then returnsfalsebecause DANE is necessary but not sufficient in that case. We can know DANE didn't specifically fail because no exception is raised, but if DNSSEC fails entirely also we get a return offalsewith no exception raised, so there is no way to tell these apart.Suggestion: return an int code, 0 for fully verified success, 1 for DANE passed but there's more to do, and -1 for no DANE found or checked at all. Something like that.