One of the goals for Firefox 6 is to allow extensions to augment the certificate chain validity checking we do, to support things like DNSSEC-based key/cert locking like DANE. See https://bugzilla.mozilla.org/show_bug.cgi?id=644640. To get good performance, some of these extensions will need to kick off their DNS(SEC) requests at the same time (or just after) we do our own DNS requests. To be clear, the point of this bug isn't to expose the DNS resolver to extensions; most of these extensions will be using their own built-in DNSSEC-validating DNS resolver.
Note that we need to call the extensions even in the event we are using cached DNS information, as (a) the extensions might not be getting data (exclusively) from DNS, and (b) the extension might have different freshness requirements than we have for A/AAAA records for the data they look up.
If possible, it'd be nice to know the address of the local resolver. If you're going to ping me on cached data, that's fine, just let me know the request came in from a cached request. This is entirely an optimization, so I can grab the trust data as soon as possible.
Extensions can wrap the Gecko nsIDNSService, passing through the query and starting their own processing in parallel.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX