[dns-operations] DNSSEC DANE testing
vjs at rhyolite.com
Fri Aug 24 04:06:10 UTC 2012
> From: Paul Wouters <paul at cypherpunks.ca>
> >> http://people.redhat.com/pwouters/mozilla-extval-0.7.xpi
> > I see no queries for TLSA records for nohats.ca, fedoraproject.org,
> > or dane.rd.nic.fr from Firefox after installing the xpi file on
> > FreeBSD 9.0, Windows 7, Centos 2.6.32, or Ubuntu 11.10.
> I'll remake and re-release a 0.8 to ensure the version is the latest
> one and will get back to the list.
The previous announcement I saw said something about "Linux", but
didn't specify the flavor. Which brand and version of Linux will be
needed for the future xpi file? If any non-standard libraries are
needed, what are their full names and versions and where should they
> > is saying SERVFAIL about nohats.ca unless I set the CD bit.
> Yes, once again opendnssec and nsd interacted badly, and nsd's pid bug
> caused nsdc to not be able to reload nsd, which caused expired RRSIGs
> until I manually killed nsd and restarted it.
Nohats.ca now looks much better from here. I assume it's irrelevant
that one of the NS servers for nohats.ca, alpha.bebout.net still
refuses to answer requests about nohats.ca.
> > I hope I misunderstand, because that sounds to me like the error that
> > was in the Chrome support for its notion of a predecessor to TLSA.
> You misunderstand. Purple means "DNSSEC validated the hostname AND there
> was a TLSA record, which was also DNSSEC validated and matched the
> found TLS certificate".
Ok, my mistake.
> I do not know how browsers will treat the CA industry and EV certs in
> the future. My opinion will not carry any weight there.
I trust browser vendors will follow the clear language in RFC 6698.
Vernon Schryver vjs at rhyolite.com
More information about the dns-operations