[dns-operations] DNSSEC DANE testing
Vernon Schryver
vjs at rhyolite.com
Tue Jul 31 16:41:08 UTC 2012
> From: Paul Wouters <paul at cypherpunks.ca>
> An unfinished but working hacked os3sec/niccz firefox plugin, which
> I only tested on Linux:
>
> http://people.redhat.com/pwouters/mozilla-extval-0.7-2.fc16.noarch.rpm
> (http://people.redhat.com/pwouters/mozilla-extval-0.7-2.fc16.src.rpm)
>
> TLSA records are published for fedoraproject.org and nohats.ca.
After several hours fiddling around with Centos and Ubuntu, I got
mozilla-extval-0.7-2.fc16.noarch.rpm converted and installed with
dpkg on the Ubuntu system.
Firefox whined that the add-on is corrupt and claimed to have refused
to install it, but installed something that says it is "DNSSEC/TLSA
Validator 0.7". After giving it the IP address of my resolver, I
watched the resolver log for requests for TLSA qtypes and _tcp qnames
as I looked at https://fedoraproject.org I see only A and AAAA requests
for fedoraproject.org
There were no error messages from dpkg, but I wonder about libldns
and unbound libraries. After installing the unbound libraries
on a Centos system to try to install extval, my attempt to install
extval was stymied for lack of libldns. I didn't look all that
hard for libldns before going back to Ubuntu.
It's probably something that I'm doing wrong.
Thanks anyway and no offense intended. Even if I could make it
work, a browser add-on wouldn't get me toward my real goal of a
little security for my web pages without paying for the pretense
of commercial pkix security.
Vernon Schryver vjs at rhyolite.com
More information about the dns-operations
mailing list