[dns-operations] [dane] DNSSEC DANE testing
Mark Andrews
marka at isc.org
Thu Oct 18 22:52:06 UTC 2012
In message <D9E43306-6021-4A39-AC1F-D20AE545F0EA at kumari.net>, Warren Kumari wri
tes:
>
> On Oct 18, 2012, at 5:56 PM, Mark Andrews <marka at isc.org> wrote:
>
> >=20
> > In message <507FB355.4030908 at afnic.fr>, sandoche BALAKRICHENAN writes:
> >> Hi Paul,
> >>=20
> >> I have deliberately added a bogus RRSIG record to
> >> "https://dane-broken.rd.nic.fr". But the firefox add-on seems to
> >> successfully validate mentioning "the domain is secured by DNSSEC".
> >>=20
> >> Sandoche.
> >=20
> > Well the TLSA is secure. As long as that matches the CERT returned =
> it *is*
> > secured even if the RRSIG on the A RRset is broken.
>
> Ooooh=85 This is an interesting case (which I personally hadn't =
> considered)...=20
>
> This all makes sense, but "feels" odd=85 Not proposing that we do =
> anything, but it did make me blink=85.
It also helps w/ DNS64. You don't need to care if the AAAA lookups
are forged or not for https connections as long as you get to a
server which presents the correct certificate and passes the
handshake. You do need to care for http connection.
Mark
> W
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the dns-operations
mailing list