[dns-operations] [dane] DNSSEC DANE testing

Mark Andrews marka at isc.org
Thu Oct 18 22:52:06 UTC 2012


In message <D9E43306-6021-4A39-AC1F-D20AE545F0EA at kumari.net>, Warren Kumari writes:
> 
> On Oct 18, 2012, at 5:56 PM, Mark Andrews <marka at isc.org> wrote:
> 
> >
> > In message <507FB355.4030908 at afnic.fr>, sandoche BALAKRICHENAN writes:
> >> Hi Paul,
> >>
> >>        I have deliberately added a bogus RRSIG record to
> >> "https://dane-broken.rd.nic.fr". But the firefox add-on seems to
> >> successfully validate mentioning "the domain is secured by DNSSEC".
> >>
> >> Sandoche.
> >
> > Well the TLSA is secure.   As long as that matches the CERT returned it *is*
> > secured even if the RRSIG on the A RRset is broken.
> 
> Ooooh… This is an interesting case (which I personally hadn't considered)...
> 
> This all makes sense, but "feels" odd… Not proposing that we do
> anything, but it did make me blink….

It also helps w/ DNS64.  You don't need to care if the AAAA lookups
are forged or not for https connections as long as you get to a
server which presents the correct certificate and passes the
handshake.  You do need to care for http connections.

Mark
> W
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
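As an added example (not code from this thread or from ISC), here is the DANE-EE matching logic Mark's reply relies on, written out in Python together with the https/http decision rule the thread draws. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders standing in for DER, `tlsa_secure` and `address_secure` stand for the validation status a validating resolver reports for each RRset, and only certificate usage 3 (DANE-EE) is modelled; usages 0-2 also need PKIX chain validation, which is outside this example.

```python
"""DANE TLSA matching (RFC 6698) plus the decision rule this thread draws.

Added example by the editor, not code from the thread or from ISC. The
certificate and SPKI bytes are constructed placeholders standing in for DER;
the parsing, hashing and comparison are the real TLSA matching logic.
Only certificate usage 3 (DANE-EE) is modelled: usages 0-2 also need PKIX
chain validation, which is outside this example.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class TLSA:
    usage: int           # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int        # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int   # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes          # certificate association data


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format such as '3 0 1 8c8c...' (hex may be space-split)."""
    fields = rdata.split(None, 3)
    if len(fields) != 4:
        raise ValueError("TLSA rdata must have usage, selector, matching type, data")
    usage, selector, matching_type = (int(f) for f in fields[:3])
    data = bytes.fromhex("".join(fields[3].split()))
    return TLSA(usage, selector, matching_type, data)


def tlsa_matches(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if rr's association data matches the presented certificate.

    Unknown selectors or matching types make the record unusable (False)
    rather than raising, as RFC 6698 section 4.1 asks.
    """
    if rr.selector == 0:
        selected = cert_der
    elif rr.selector == 1:
        selected = spki_der
    else:
        return False
    if rr.matching_type == 0:
        return rr.data == selected
    if rr.matching_type == 1:
        return rr.data == hashlib.sha256(selected).digest()
    if rr.matching_type == 2:
        return rr.data == hashlib.sha512(selected).digest()
    return False


def dane_ee_authenticated(tlsa_rrset: Iterable[TLSA], tlsa_secure: bool,
                          cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE check: the TLSA RRset must itself be DNSSEC-secure and at
    least one usage-3 record must match the end-entity certificate the
    server presented."""
    if not tlsa_secure:
        return False
    return any(rr.usage == 3 and tlsa_matches(rr, cert_der, spki_der)
               for rr in tlsa_rrset)


def connection_trustworthy(scheme: str, tlsa_rrset: Iterable[TLSA], tlsa_secure: bool,
                           address_secure: bool, cert_der: bytes, spki_der: bytes) -> bool:
    """The thread's point: over https, whether the A/AAAA RRset validated
    (address_secure) is irrelevant once the DANE check passes, since a forged
    or DNS64-synthesised address only gets you to a server that cannot present
    the matching certificate. Over plain http the address records are all you
    have, so they must be secure."""
    if scheme == "https":
        return dane_ee_authenticated(tlsa_rrset, tlsa_secure, cert_der, spki_der)
    if scheme == "http":
        return address_secure
    raise ValueError(f"unsupported scheme {scheme!r}")


# Constructed inputs (not real DER): the bytes only need to be stable.
CERT_DER = b"constructed placeholder for the server's DER certificate"
SPKI_DER = b"constructed placeholder for its SubjectPublicKeyInfo"
OTHER_CERT = b"constructed placeholder for an impostor's certificate"
TLSA_RDATA = "3 0 1 " + hashlib.sha256(CERT_DER).hexdigest()
TLSA_RDATA_SPKI_SHA512 = "3 1 2 " + hashlib.sha512(SPKI_DER).hexdigest()


if __name__ == "__main__":
    rr = parse_tlsa(TLSA_RDATA)
    # The "dane-broken" case: secure TLSA, bogus RRSIG on the A RRset, https.
    print(connection_trustworthy("https", [rr], True, False, CERT_DER, SPKI_DER))
    print(connection_trustworthy("http", [rr], True, False, CERT_DER, SPKI_DER))
```

The first call returns True and the second False, which is exactly the asymmetry Sandoche's test site exposed: the add-on is right to report the https page as secured, because the one RRset it needs for the DANE check validated. A real client would additionally have to confirm the TLS handshake completed against that certificate and, for usages 0-2, run PKIX validation.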