[dns-operations] DNSSEC DANE testing

sandoche BALAKRICHENAN sandoche.balakrichenan at afnic.fr
Thu Aug 23 13:28:00 UTC 2012


On 08/23/2012 12:10 PM, sandoche BALAKRICHENAN wrote:
>
>> After several hours fiddling around with CentOS and Ubuntu, I got
>> mozilla-extval-0.7-2.fc16.noarch.rpm converted and installed with
>> dpkg on the Ubuntu system.
>> Firefox whined that the add-on is corrupt and claimed to have refused
>> to install it, but installed something that says it is "DNSSEC/TLSA
>> Validator 0.7".  After giving it the IP address of my resolver, I
>> watched the resolver log for requests for TLSA qtypes and _tcp qnames
>> as I looked at https://fedoraproject.org. I see only A and AAAA requests
>> for fedoraproject.org
>>
>
==> I installed the updated version of os3sec by Paul Wouters and tested
it with the link "https://dane.rd.nic.fr", which has TLSA RRs in its zone. I
can see the queries for TLSA types. Please see the Wireshark snapshot.

When you click on the lock symbol in the link https://dane.rd.nic.fr
you can see the comment "Domain name is secured by DNSSEC and the
certificate is validated by DNSSEC". Does this mean TLSA validation is
done?

I have a question for Paul. In the preferences section for the add-on I
specified the IP address of a resolver. But from the Wireshark snapshot
I can see the browser has accessed my default resolver. Is this a bug?


Thanks,
Sandoche.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: DANE-WIRESHARK.png
Type: image/png
Size: 218559 bytes
Desc: not available
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20120823/7d1700f2/attachment.png>
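
Added example (not part of the original message or of the add-on's code): a way to check a capture for the two things discussed in this thread, whether a TLSA query (type 52 at _443._tcp.<host>) was sent at all, and which resolver it was sent to. The function names, the capture contents and the resolver addresses are constructed for illustration.

```python
import struct

TYPE_A, TYPE_AAAA, TYPE_TLSA = 1, 28, 52  # TLSA is RR type 52 (RFC 6698)

def tlsa_qname(host, port=443, proto="tcp"):
    """Owner name of a service's TLSA RRset: _port._proto.host"""
    return f"_{port}._{proto}.{host.rstrip('.')}"

def build_query(qname, qtype, txid=0x1234):
    """Minimal DNS query: 12-byte header (RD set, QDCOUNT=1), one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(packet):
    """Return (qname, qtype) of the first question in a DNS message."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("not a DNS message with a question")
    off, labels = 12, []
    while off < len(packet) and packet[off] != 0:
        n = packet[off]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    if len(packet) < off + 5:
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[off + 1:off + 5])
    return ".".join(labels), qtype

def tlsa_resolvers(capture, host, port=443):
    """Destination IPs that received a TLSA query for host:port, in order seen."""
    want, seen = tlsa_qname(host, port).lower(), []
    for dst, payload in capture:
        qname, qtype = parse_question(payload)
        if qtype == TYPE_TLSA and qname.lower() == want and dst not in seen:
            seen.append(dst)
    return seen

# Constructed capture of (destination IP, UDP payload); IPs are documentation ranges.
CONFIGURED, DEFAULT = "192.0.2.53", "198.51.100.53"
CAPTURE = [
    (DEFAULT, build_query("fedoraproject.org", TYPE_A)),
    (DEFAULT, build_query("fedoraproject.org", TYPE_AAAA)),
    (DEFAULT, build_query("dane.rd.nic.fr", TYPE_A)),
    (DEFAULT, build_query(tlsa_qname("dane.rd.nic.fr"), TYPE_TLSA)),
]

if __name__ == "__main__":
    for host in ("fedoraproject.org", "dane.rd.nic.fr"):
        hits = tlsa_resolvers(CAPTURE, host)
        print(host, "-> TLSA queries went to", hits or "no resolver")
        print("   configured resolver used:", CONFIGURED in hits)
```

A TLSA query in the capture shows only that the record was looked up; it does not by itself show that the record was compared against the server certificate.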