[dns-operations] DNSSEC DANE testing

Vernon Schryver vjs at rhyolite.com
Tue Jul 31 16:41:08 UTC 2012

> From: Paul Wouters <paul at cypherpunks.ca>

> An unfinished but working hacked os3sec/niccz firefox plugin, which
> I only tested on Linux:
> http://people.redhat.com/pwouters/mozilla-extval-0.7-2.fc16.noarch.rpm
> (http://people.redhat.com/pwouters/mozilla-extval-0.7-2.fc16.src.rpm)
> TLSA records are published for fedoraproject.org and nohats.ca.

After several hours fiddling around with Centos and Ubuntu, I got
mozilla-extval-0.7-2.fc16.noarch.rpm converted and installed with
dpkg on the Ubuntu system.
Firefox whined that the add-on is corrupt and claimed to have refused
to install it, but installed something that says it is "DNSSEC/TLSA
Validator 0.7".  After giving it the IP address of my resolver, I
watched the resolver log for requests for TLSA qtypes and _tcp qnames
as I looked at https://fedoraproject.org.  I see only A and AAAA requests
for fedoraproject.org.
There were no error messages from dpkg, but I wonder about libldns
and unbound libraries.  After installing the unbound libraries
on a Centos system to try to install extval, my attempt to install
extval was stymied for lack of libldns.  I didn't look all that
hard for libldns before going back to Ubuntu.

It's probably something that I'm doing wrong.

Thanks anyway and no offense intended.  Even if I could make it
work, a browser add-on wouldn't get me toward my real goal of a
little security for my web pages without paying for the pretense
of commercial pkix security.

Vernon Schryver    vjs at rhyolite.com
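For readers following this thread who want to know what the add-on should have caused the resolver to log, here is an added example (not code from the original message, the extval plugin, or the os3sec/niccz project) of the two pieces a DANE client needs: constructing the TLSA owner name (RFC 6698 uses `_port._proto.host`, so `_443._tcp.fedoraproject.org` for the page Vernon looked at) and checking a TLSA record's certificate association data against a presented certificate. It also shows the kind of filter one would run over a resolver query log to spot TLSA lookups. The certificate bytes, the TLSA RDATA and the log lines are constructed sample data, and the BIND-style log format is assumed; the actual TLSA records for fedoraproject.org are not reproduced here.

```python
import hashlib
import hmac
import struct

# RFC 6698 field codes (only the subset this example handles).
USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR = {0: "Cert", 1: "SPKI"}
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}


def tlsa_owner_name(host, port=443, proto="tcp"):
    """Owner name a DANE client must query, e.g. _443._tcp.fedoraproject.org."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def parse_tlsa_rdata(rdata):
    """Split wire-format TLSA RDATA into usage, selector, matching type, data."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return {"usage": usage, "selector": selector, "mtype": mtype, "data": rdata[3:]}


def association_data(cert_der, spki_der, selector, mtype):
    """What the record's association data should be for the presented cert."""
    selected = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_matches(record, cert_der, spki_der):
    """True if an end-entity record (usage 1 or 3) matches the presented cert.
    Trust-anchor usages (0 and 2) need chain processing and are not handled."""
    if record["usage"] not in (1, 3):
        return False
    expected = association_data(cert_der, spki_der, record["selector"], record["mtype"])
    return hmac.compare_digest(expected, record["data"])


def is_dane_query(qname, qtype):
    """Does this (qname, qtype) pair look like a DANE lookup for a TLS service?"""
    labels = qname.rstrip(".").split(".")
    return (qtype.upper() == "TLSA"
            and len(labels) >= 3
            and labels[0].startswith("_")
            and labels[1] in ("_tcp", "_udp", "_sctp"))


def dane_queries_in_log(lines):
    """Filter BIND-style query log lines (assumed format) down to TLSA lookups."""
    hits = []
    for line in lines:
        if " query: " not in line:
            continue
        fields = line.split(" query: ", 1)[1].split()
        if len(fields) >= 3 and is_dane_query(fields[0], fields[2]):
            hits.append((fields[0], fields[2]))
    return hits


# Constructed sample data: these are NOT real certificates or real records.
SAMPLE_CERT = b"constructed placeholder, not a DER certificate"
SAMPLE_SPKI = b"constructed placeholder, not a DER SubjectPublicKeyInfo"
# usage 3 (DANE-EE), selector 0 (full cert), matching type 1 (SHA-256)
SAMPLE_RDATA = b"\x03\x00\x01" + hashlib.sha256(SAMPLE_CERT).digest()
SAMPLE_LOG = [
    "client 192.0.2.10#5353: query: fedoraproject.org IN A + (192.0.2.1)",
    "client 192.0.2.10#5353: query: fedoraproject.org IN AAAA + (192.0.2.1)",
    "client 192.0.2.10#5353: query: _443._tcp.fedoraproject.org IN TLSA + (192.0.2.1)",
]

if __name__ == "__main__":
    rec = parse_tlsa_rdata(SAMPLE_RDATA)
    print(tlsa_owner_name("fedoraproject.org"))
    print(USAGE[rec["usage"]], SELECTOR[rec["selector"]], MATCHING[rec["mtype"]])
    print("match:", tlsa_matches(rec, SAMPLE_CERT, SAMPLE_SPKI))
    print("DANE lookups seen:", dane_queries_in_log(SAMPLE_LOG))
```

With the constructed log above, only the third line is reported as a DANE lookup; a resolver log that shows just A and AAAA queries for the bare hostname, as described in the message, means the client never reached the TLSA step.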
