[dns-operations] [dane] DNSSEC DANE testing

Mark Andrews marka at isc.org
Thu Oct 18 21:56:05 UTC 2012


In message <507FB355.4030908 at afnic.fr>, sandoche BALAKRICHENAN writes:
> Hi Paul,
> 
>         I have deliberately added a bogus RRSIG record to
> "https://dane-broken.rd.nic.fr". But the firefox add-on seems to
> successfully validate mentioning "the domain is secured by DNSSEC".
> 
> Sandoche.

Well, the TLSA is secure. As long as that matches the CERT returned it *is*
secured even if the RRSIG on the A RRset is broken.

; <<>> DiG 9.10.0pre-alpha <<>> _443._tcp.dane-broken.rd.nic.fr tlsa +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52053
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;_443._tcp.dane-broken.rd.nic.fr. IN	TLSA

;; ANSWER SECTION:
_443._tcp.dane-broken.rd.nic.fr. 1 IN	TLSA	3 0 1 6E013C54DF90D42D3C016E1AC9EB21E6DA45403D3A5AE9B2D8F21FC3 600D409C
_443._tcp.dane-broken.rd.nic.fr. 1 IN	RRSIG	TLSA 5 6 1 20130415134103 20121017134103 24975 dane-broken.rd.nic.fr. UFaeHhxVp8zy1tpcR049JqGEvNZrmDLkpgoo63v4gvEtwLp0KRbSBL5J vVlNnz8s5Uk68i8diY/zGt1epP72C2S6C3AUHKdYZiwvxBQwd34Sawna jZMjfAkXEH5z9cjkk1AVm0ReRPs9kbVc0iPDLcH+z21VJBZyFmloOflM EXU=

;; Query time: 838 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Oct 19 08:49:24 2012
;; MSG SIZE  rcvd: 288


> On 09/12/2012 10:44 PM, Paul Wouters wrote:
> > On Wed, 12 Sep 2012, Marco Davids (SIDN) wrote:
> >
> >> On 08/23/12 20:02, Paul Wouters wrote:
> >>
> >>> I put up the xpi as well, you can grab it at:
> >>> http://people.redhat.com/pwouters/mozilla-extval-0.7.xpi
> >>
> >> I like it.
> >>
> >> However, there might be room for improvement in the wording of the
> >> messages.
> >>
> >> I deliberately broke the TLSA record (https://forfun.net/) and the
> >> message is (in green):
> >>
> >> "Domainname is secured by DNSSEC and the certificate is validated by
> >> CA."
> >>
> >> Both true, but as a paranoid user, I would have appreciated a little bit
> >> more information, like:
> >>
> >> "... but the certificate did not pass a DANE check"
> >>
> >> (or something similar)
> >
> > It should do that. When I check your domain it tells me there is no TLSA
> > record, but I checked all name servers and it is there (and incorrect)
> >
> > I'll add it on my TODO list :)
> >
> > Paul
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
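Mark's point above, that the DANE outcome hinges on the validated TLSA RRset matching the served certificate and not on the RRSIG over the A RRset, written out as a worked check. This is an added example, not code from the thread or from the add-on: it parses the `3 0 1` record from the dig answer, derives the RFC 6698 association data for selector and matching type, and uses constructed stand-in certificate bytes in place of a real DER certificate.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format such as '3 0 1 6E01... 600D409C';
    dig prints the hex in whitespace-separated groups."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))

def association_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field must equal for this certificate."""
    selected = {0: cert_der, 1: spki_der}[rec.selector]
    if rec.matching_type == 0:
        return selected
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[rec.matching_type]
    return digest(selected).digest()

def dane_ee_matches(rec: TLSA, cert_der: bytes, spki_der: bytes,
                    tlsa_secure: bool) -> bool:
    """DANE-EE (usage 3) outcome: the TLSA RRset itself must be
    DNSSEC-secure (AD bit) and the served certificate must match it.
    The DNSSEC status of the A/AAAA RRset is not an input. Usages 0-2
    additionally need a PKIX or trust-anchor check, left out here."""
    if not tlsa_secure or rec.usage != 3:
        return False
    return rec.data == association_data(rec, cert_der, spki_der)

def matching_record_for(cert_der: bytes) -> str:
    """Presentation form of the '3 0 1' record that would match cert_der."""
    return "3 0 1 " + hashlib.sha256(cert_der).hexdigest().upper()

# Record text copied from the dig answer above.
PAGE_RECORD = "3 0 1 6E013C54DF90D42D3C016E1AC9EB21E6DA45403D3A5AE9B2D8F21FC3 600D409C"

# Constructed stand-in bytes, not the DER of any real certificate.
CERT_DER = b"\x30\x82\x01\x00constructed-cert-for-dane-broken.rd.nic.fr"
SPKI_DER = b"\x30\x59constructed-spki"

if __name__ == "__main__":
    rec = parse_tlsa(PAGE_RECORD)
    print("page record matches stand-in cert:", dane_ee_matches(rec, CERT_DER, SPKI_DER, True))
    print("record that would match:", matching_record_for(CERT_DER))
```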


