[dns-operations] DNSSEC DANE testing

Vernon Schryver vjs at rhyolite.com
Fri Aug 24 04:06:10 UTC 2012

> From: Paul Wouters <paul at cypherpunks.ca>

> >> http://people.redhat.com/pwouters/mozilla-extval-0.7.xpi
> >
> > I see no queries for TLSA records for nohats.ca, fedoraproject.org,
> > or dane.rd.nic.fr from Firefox after installing the xpi file on
> > FreeBSD 9.0, Windows 7, Centos 2.6.32, or Ubuntu 11.10.
> I'll remake and re-release a 0.8 to ensure the version is the latest
> one and will get back to the list.

The previous announcement I saw said something about "Linux", but
didn't specify the flavor.  Which brand and version of Linux will be
needed for the future xpi file?  If any non-standard libraries are
needed, what are their full names and versions and where should they
be sought?

> > is saying SERVFAIL about nohats.ca unless I set the CD bit.
> Yes, once again opendnssec and nsd interacted badly, and nsd's pid bug
> caused nsdc to not be able to reload nsd, which caused expired RRSIGs
> until I manually killed nsd and restarted it.

Nohats.ca now looks much better from here.  I assume it's irrelevant
that one of the NS servers for nohats.ca, alpha.bebout.net still
refuses to answer requests about nohats.ca.

> > I hope I misunderstand, because that sounds to me like the error that
> > was in the Chrome support for its notion of a predecessor to TLSA.

> You misunderstand. Purple means "DNSSEC validated the hostname AND there
> was a TLSA record, which was also DNSSEC validated and matched the
> found TLS certificate". 

Ok, my mistake.

> I do not know how browsers will treat the CA industry and EV certs in
> the future. My opinion will not carry any weight there.

I trust browser vendors will follow the clear language in RFC 6698.

Vernon Schryver    vjs at rhyolite.com

More information about the dns-operations mailing list