[dns-operations] DNSSEC DANE testing

Paul Wouters paul at cypherpunks.ca
Thu Aug 23 18:02:13 UTC 2012

On Thu, 23 Aug 2012, sandoche BALAKRICHENAN wrote:

> dpkg on the Ubuntu system.
> Firefox whined that the add-on is corrupt and claimed to have refused
> to install it, but installed something that says it is "DNSSEC/TLSA
> Validator 0.7".

I put up the xpi as well, you can grab it at:


> After giving it the IP address of my resolver, I
> watched the resolver log for requests for TLSA qtypes and _tcp qnames
> as I looked at https://fedoraproject.org   I see only A and AAAA requests
> for fedoraproject.org

I am also seeing issues with fedoraproject.org and the plugin. I'm still investigating.
It might be because of various geo locations and CNAMEs. The proper records are in
the zone when I use dig:

[paul at bofh paul]$ dig +dnssec tlsa _443._tcp.fedoraproject.org

; <<>> DiG 9.9.1-P2-RedHat-9.9.1-5.P2.fc17 <<>> +dnssec tlsa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34071
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 4096
;_443._tcp.fedoraproject.org.	IN	TLSA

_443._tcp.fedoraproject.org. 300 IN	TLSA	3 0 1 F4BF2EAD76DA47E2EB64D6BD80335B276574E8E62617908D4917F19E 75920F22
_443._tcp.fedoraproject.org. 300 IN	RRSIG	TLSA 5 4 300 20120920213847 20120821213847 7725 fedoraproject.org.  CP/7Wy+WE6t1B89c5NMB7moMB1J1dn4SEz5YbPAcLdtglUpGDjzczdMx 9sN0K6obkB4ljjQhlI8Vclrde7oraw0PAn7fJWfTUyupZ6NT7cTklBlE fc8KwlrfugN+wKu4D+Vg0rBZHp3yH/01obYkKFfyF8oyKPsJSa0nYiVG wbM=

Note that both nohats.ca and fedoraproject.org depend on DLV, whereas
dane.rd.nic.fr does not. Btw, is that record going to remain there for
the next week? It will be a good demo address for my presentation at
Linux Security Summit :)

> ==> I installed the updated version of os3sec by Paul Wouters and tested for the link "https://dane.rd.nic.fr" which has TLSA RRs in its zone. I
> can see the queries for TLSA types. Please see the snapshot of wireshark.
> While you click on the lock symbol in the link https://dane.rd.nic.fr you can see the comment "Domain name is secured by DNSSEC and the
> certificate is validated by DNSSEC". Does this mean TLSA Validation is done ?

No. It just meant the DNS lookups were secured by DNSSEC. You should see this:


stating: "Domainname is secured by DNSSEC, and TLS proved the certificate
is valid (and no CA)" Obviously, if you have a signed cert by a trusted
CA, it will tell you that instead. Note TLSA validation is marked with
purple.  (both https://nohats.ca and https://dane.rd.nic.fr work for me)

> I have a question for Paul. In the preferences section for the add-on I specified the IP address of a resolver. But from the wireshark snapshot I
> can see the browser has accessed my default resolver. Is this a bug ?

Probably. There are a few bugs still present. Caching is also problematic,
and when you have DNS outages (e.g. hotspots) then Firefox will be
freezing for many seconds trying to recover. It's a proof of concept;
I'm hoping the Mozilla people will implement it natively soon. Doing
libunbound calls using pointers in JavaScript is, well, the worst of
both worlds.

I have that setting left blank, but I do run a local unbound with
resolv.conf pointing to localhost.
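The distinction drawn above (a DNSSEC-secured lookup is not the same as the TLSA data matching the server's certificate) is easy to get wrong, so here is an added worked example in Python of the RFC 6698 matching logic. It is not code from the os3sec/DNSSEC-TLSA Validator add-on or from anyone on this thread. It assumes constructed placeholder bytes in place of real DER certificates, does no X.509 parsing (selector 1 only works if the caller supplies the SubjectPublicKeyInfo bytes), and skips PKIX-TA/PKIX-EE records because they additionally need CA path validation. The parser also shows why the hex in the dig output above, which `dig` wraps across whitespace, has to be rejoined before decoding.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed placeholder "certificates": in real use these are the DER-encoded
# X.509 certificates the TLS server presents (chain[0] is the end-entity).
END_ENTITY_DER = b"constructed DER bytes: end-entity cert for dane.example"
ISSUER_DER = b"constructed DER bytes: issuing CA cert for dane.example"

DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}


def tlsa_qname(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name to query (RFC 6698 section 3): _port._proto.host."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int  # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format RDATA like '3 0 1 F4BF... 75920F22'.
    dig wraps long hex data with spaces, so all trailing fields are joined."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA RDATA needs usage, selector, matching type and data")
    usage, selector, matching = (int(f) for f in fields[:3])
    if not (0 <= usage <= 3 and 0 <= selector <= 1 and 0 <= matching <= 2):
        raise ValueError(f"unsupported TLSA parameters {usage} {selector} {matching}")
    data = bytes.fromhex("".join(fields[3:]))
    if matching and len(data) != DIGESTS[matching]().digest_size:
        raise ValueError("association data length does not match the digest type")
    return TLSA(usage, selector, matching, data)


def tlsa_rdata_for(cert_der: bytes, usage: int = 3, selector: int = 0,
                   matching: int = 1) -> str:
    """Presentation-format RDATA to publish for a certificate (selector 0 only here)."""
    if selector != 0:
        raise ValueError("this example only derives selector 0 (full certificate) records")
    data = cert_der if matching == 0 else DIGESTS[matching](cert_der).digest()
    return f"{usage} {selector} {matching} {data.hex().upper()}"


def _association_matches(rec: TLSA, cert_der: bytes, spki_der: Optional[bytes]) -> bool:
    """Compare one certificate against one record's association data."""
    if rec.selector == 0:
        selected = cert_der
    elif spki_der is not None:
        selected = spki_der   # caller extracted SubjectPublicKeyInfo from the DER
    else:
        return False          # cannot evaluate selector 1 without the SPKI
    if rec.matching == 0:
        return hmac.compare_digest(rec.data, selected)
    return hmac.compare_digest(rec.data, DIGESTS[rec.matching](selected).digest())


def dane_validate(records: Sequence[TLSA], chain: List[bytes], dnssec_ad: bool,
                  spki: Optional[Dict[bytes, bytes]] = None) -> Tuple[bool, str]:
    """Return (ok, reason) for a presented chain (chain[0] is the end-entity).
    dnssec_ad is the validating resolver's AD bit on the TLSA answer: a secured
    lookup is required, but it proves nothing until the data itself matches."""
    if not dnssec_ad:
        return False, "TLSA RRset was not DNSSEC-validated; DANE cannot apply"
    if not chain:
        return False, "server presented no certificate"
    spki = spki or {}
    for rec in records:
        if rec.usage in (0, 1):
            # PKIX-TA / PKIX-EE additionally need CA path validation, which
            # this example does not perform, so those records are skipped.
            continue
        candidates = chain[:1] if rec.usage == 3 else chain
        for cert in candidates:
            if _association_matches(rec, cert, spki.get(cert)):
                return True, (f"matched TLSA usage {rec.usage} selector "
                              f"{rec.selector} matching {rec.matching}")
    return False, "no DANE-TA or DANE-EE record matched the presented chain"


if __name__ == "__main__":
    print(tlsa_qname("fedoraproject.org"))
    published = parse_tlsa(tlsa_rdata_for(END_ENTITY_DER))
    print(dane_validate([published], [END_ENTITY_DER, ISSUER_DER], dnssec_ad=True))
    print(dane_validate([published], [END_ENTITY_DER, ISSUER_DER], dnssec_ad=False))
```

A record of "3 0 1" like the fedoraproject.org one above means: trust this end-entity certificate directly (usage 3, no CA involved), compared as the full certificate (selector 0) through its SHA-256 digest (matching 1). The same validation with the AD bit clear fails first, which is the state the "secured by DNSSEC" message alone describes.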

