[dns-operations] DNSSEC DANE testing

Vernon Schryver vjs at rhyolite.com
Tue Jul 31 02:01:46 UTC 2012

> From: Tony Finch <dot at dotat.at>

> > Is there something somewhere (preferably a browser) that can check
> > (preferably use to make a TLS connection) TLSA records ?
> A few implementations I found...

thanks for your list and your effort,

> https://github.com/pieterlexis/swede

I knew about Swede, but it seems to require some strange (to me) Python
bits and perhaps unbound (instead of BIND), besides not being anything
like a browser.  Perhaps I should also mention that Debian or Ubuntu
would not be be my 1st or 2nd preference for a test system.

> https://github.com/kirei/openssl-dane

I didn't know about that one, but it's also nothing like a browser.
I could pipe dig output through some filters to openssl and so convince
myself that my delusions about DANE are consistent.  That wouldn't
give the warm feeling of a browser not whining about my certs.

> https://mattmccutchen.net/cryptid/index.html

I also didn't know about that one.  Its README.dane makes it sound
like Swede but more so.

> https://os3sec.org/

I tried that one last week but was unable to get it to do anything
besides kill Firefox.  Comments on the Firefox Add-Ons page suggest
that my personal problems are not unique.

> http://git.kirya.net/?p=debian/sshfp.git

I looked at that one last week.  It seemed like Swede but more so...or
perhaps less.  Once I stopped assuming that it is archane and hard,
it seems easy to generate IETF TLSA records with `openssl x509` and
filters like `od` and `awk` from existing certs.

> You might get some more answers on the dane at ietf.org list.

I was hoping to avoid asking the IETF for reasons that were stale 10
years ago.  I had already looked through those archives without
finding anything but the Chrome mechanism.

I was hoping for something like the Chrome mechanism but for RRs that
someone other than Google would use.  I've poked at current and canary
Chrome on a Windows 7 box.  According to my resolver logs, it asked
once, days ago for that experimental RR for that special domain.  Since
them I've been unable to get it to ask for that domain again, even
with all the restarting and cache flushing that I (don't really)
understand in Chrome.  I've been unable to get it to ask for the
experimental type and equivalent derived query names for my domains
or even any DNSSKEY RRs; according to tcpdump and BIND debug logging, it
only gets As and AAAAs and whines about my certs.

I'll look more closely at your list and eventually pick one to do a
not quite, before-pre-smoke test of my RRs on a Linux test box.
It looks as if I'll be ahead of pack as long as I do that in the next
3 or 4 years.
I'm very disappointed.  It seems that despite years of talk, DANE is
not ready for discussion in the trade press blogs, not to mention prime
time.  Given the lack of readiness or antipathy of registrars for basic
DNSSEC, I probably shouldn't be surprised.

DNSSEC and DANE are beginning to seem less substantial than the vaporware
from the ISO OSI protocol gurus 25 years ago.

thanks again for your list and your effort,

Vernon Schryver    vjs at rhyolite.com

More information about the dns-operations mailing list