APIs
How do we communicate security status from the verifying resolver to the application?
- draft-ietf-dnsext-ad-is-secure-06.txt is one step
- sometimes the AD-bit is not enough
- we need to do work
lwres from BIND 9 and some libc includes a getrrsetbyname(3) function
- uses the AD-bit to set security status
Real DNSSEC-aware resolver API needed