[dns-operations] DNSSEC DANE testing

sandoche BALAKRICHENAN sandoche.balakrichenan at afnic.fr
Thu Oct 18 07:44:21 UTC 2012


Hi Paul,

        I have deliberately added a bogus RRSIG record to
"https://dane-broken.rd.nic.fr". But the firefox add-on seems to
successfully validate mentioning "the domain is secured by DNSSEC".

Sandoche.



On 09/12/2012 10:44 PM, Paul Wouters wrote:
> On Wed, 12 Sep 2012, Marco Davids (SIDN) wrote:
>
>> On 08/23/12 20:02, Paul Wouters wrote:
>>
>>> I put up the xpi as well, you can grab it at:
>>> http://people.redhat.com/pwouters/mozilla-extval-0.7.xpi
>>
>> I like it.
>>
>> However, there might be room for improvement in the wording of the
>> messages.
>>
>> I deliberately broke the TLSA record (https://forfun.net/) and the
>> message is (in green):
>>
>> "Domainname is secured by DNSSEC and the certificate is validated by
>> CA."
>>
>> Both true, but as a paranoid user, I would have appreciated a little bit
>> more information, like:
>>
>> "... but the certificate did not pass a DANE check"
>>
>> (or something similar)
>
> It should do that. When I check your domain it tells me there is no TLSA
> record, but I checked all name servers and it is there (and incorrect)
>
> I'll add it on my TODO list :)
>
> Paul
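The thread turns on two distinct outcomes that the add-on collapses into one: a TLSA record that is absent, and one that is present but does not match the certificate the server actually sent. The script below is an added example, not code from this thread or from the mozilla-extval add-on; it implements the RFC 6698 matching rules (usage, selector, matching type) over constructed placeholder certificate bytes and constructed TLSA records, and classifies the result into separate "no-tlsa" and "dane-fail" states. Only selector 0 (full certificate) is implemented; selector 1 would need the DER-encoded SubjectPublicKeyInfo, and PKIX chain validation for usages 0 and 1 is out of scope.

```python
"""TLSA/DANE matching per RFC 6698 (sections 2.1 and 3).

Added example, not code from this thread or from the mozilla-extval add-on.
Assumes constructed certificate bytes and constructed TLSA records; only
selector 0 (full certificate) is implemented, selector 1 (SubjectPublicKeyInfo)
would need DER parsing. PKIX validation for usages 0 and 1 is out of scope.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class TLSA:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes         # certificate association data


def parse_tlsa(presentation: str) -> TLSA:
    """Parse presentation format, e.g. '3 0 1 5c1e...' (hex may be split by spaces)."""
    parts = presentation.split()
    if len(parts) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    for name, value in (("usage", usage), ("selector", selector), ("matching type", mtype)):
        if not 0 <= value <= 255:
            raise ValueError(f"TLSA {name} out of range: {value}")
    return TLSA(usage, selector, mtype, bytes.fromhex("".join(parts[3:])))


def association_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Derive what the record's data field must contain for this certificate."""
    if selector != 0:
        raise NotImplementedError("selector 1 needs the DER-encoded SPKI; not implemented here")
    if matching_type == 0:
        return cert_der
    if matching_type == 1:
        return hashlib.sha256(cert_der).digest()
    if matching_type == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_matches(chain: List[bytes], record: TLSA) -> bool:
    """True if the record matches the relevant certificate(s) in the presented chain.

    Usages 1 and 3 constrain the end-entity certificate (chain[0]); usages 0 and 2
    name a trust anchor, so any certificate in the presented chain may match.
    """
    if not chain:
        return False
    candidates = chain[:1] if record.usage in (1, 3) else chain
    try:
        for cert in candidates:
            expected = association_data(cert, record.selector, record.matching_type)
            if hmac.compare_digest(expected, record.data):
                return True
    except (NotImplementedError, ValueError):
        return False  # unusable record: treated as non-matching, never as a pass
    return False


def dane_status(dnssec_secure: bool, records: List[TLSA], chain: List[bytes]) -> str:
    """Classify the outcome the way a browser indicator should report it.

    'no-tlsa' and 'dane-fail' are kept distinct: a present-but-wrong record is a
    failure, not an absence.
    """
    if not dnssec_secure:
        return "insecure"  # TLSA records are only usable under a DNSSEC-secure answer
    if not records:
        return "no-tlsa"
    if any(tlsa_matches(chain, r) for r in records):
        return "dane-ok"
    return "dane-fail"


# Constructed stand-ins for DER certificates (placeholders, not real X.509 data).
END_ENTITY = b"constructed end-entity certificate bytes"
ISSUER = b"constructed issuer certificate bytes"
CHAIN = [END_ENTITY, ISSUER]


def example_records() -> Tuple[str, str]:
    """Return a correct DANE-EE record for END_ENTITY and a deliberately broken copy."""
    good = "3 0 1 " + hashlib.sha256(END_ENTITY).hexdigest()
    # Flip the last hex digit, the same kind of break used for testing in the thread.
    last = "0" if good[-1] != "0" else "1"
    return good, good[:-1] + last


def demo() -> Dict[str, str]:
    good, broken = example_records()
    return {
        "good": dane_status(True, [parse_tlsa(good)], CHAIN),
        "broken": dane_status(True, [parse_tlsa(broken)], CHAIN),
        "missing": dane_status(True, [], CHAIN),
        "insecure": dane_status(False, [parse_tlsa(good)], CHAIN),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:9s} -> {status}")
```

The constant-time comparison and the "unusable record never matches" rule are both from RFC 6698; the four-way status split is the part the add-on wording discussed above lacks, since a user who sees only "secured by DNSSEC" cannot tell "dane-fail" from "no-tlsa".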



