[dns-operations] [dane] DNSSEC DANE testing
Ben Laurie
benl at google.com
Fri Oct 19 10:08:23 UTC 2012
On 18 October 2012 23:43, Warren Kumari <warren at kumari.net> wrote:
>
> On Oct 18, 2012, at 5:56 PM, Mark Andrews <marka at isc.org> wrote:
>
>>
>> In message <507FB355.4030908 at afnic.fr>, sandoche BALAKRICHENAN writes:
>>> Hi Paul,
>>>
>>> I have deliberately added a bogus RRSIG record to
>>> "https://dane-broken.rd.nic.fr". But the firefox add-on seems to
>>> successfully validate mentioning "the domain is secured by DNSSEC".
>>>
>>> Sandoche.
>>
>> Well the TLSA is secure. As long as that matches the CERT returned it *is*
>> secured even if the RRSIG on the A RRset is broken.
>
> Ooooh… This is an interesting case (which I personally hadn't considered)...
>
> This all makes sense, but "feels" odd… Not proposing that we do anything, but it did make me blink….
Feels right to me - who cares what the address is if they have the right cert?
>
> W
>
>>
>> ; <<>> DiG 9.10.0pre-alpha <<>> _443._tcp.dane-broken.rd.nic.fr tlsa +dnssec
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52053
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;_443._tcp.dane-broken.rd.nic.fr. IN TLSA
>>
>> ;; ANSWER SECTION:
>> _443._tcp.dane-broken.rd.nic.fr. 1 IN TLSA 3 0 1 6E013C54DF90D42D3C016E1AC9EB21E6DA45403D3A5AE9B2D8F21FC3 600D409C
>> _443._tcp.dane-broken.rd.nic.fr. 1 IN RRSIG TLSA 5 6 1 20130415134103 20121017134103 24975 dane-broken.rd.nic.fr. UFaeHhxVp8zy1tpcR049JqGEvNZrmDLkpgoo63v4gvEtwLp0KRbSBL5J vVlNnz8s5Uk68i8diY/zGt1epP72C2S6C3AUHKdYZiwvxBQwd34Sawna jZMjfAkXEH5z9cjkk1AVm0ReRPs9kbVc0iPDLcH+z21VJBZyFmloOflM EXU=
>>
>> ;; Query time: 838 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Fri Oct 19 08:49:24 2012
>> ;; MSG SIZE rcvd: 288
>>
>>
>>> On 09/12/2012 10:44 PM, Paul Wouters wrote:
>>>> On Wed, 12 Sep 2012, Marco Davids (SIDN) wrote:
>>>>
>>>>> On 08/23/12 20:02, Paul Wouters wrote:
>>>>>
>>>>>> I put up the xpi as well, you can grab it at:
>>>>>> http://people.redhat.com/pwouters/mozilla-extval-0.7.xpi
>>>>>
>>>>> I like it.
>>>>>
>>>>> However, there might be room for improvement in the wording of the
>>>>> messages.
>>>>>
>>>>> I deliberately broke the TLSA record (https://forfun.net/) and the
>>>>> message is (in green):
>>>>>
>>>>> "Domainname is secured by DNSSEC and the certificate is validated by
>>>>> CA."
>>>>>
>>>>> Both true, but as a paranoid user, I would have appreciated a little bit
>>>>> more information, like:
>>>>>
>>>>> "... but the certificate did not pass a DANE check"
>>>>>
>>>>> (or something similar)
>>>>
>>>> It should do that. When I check your domain it tells me there is no TLSA
>>>> record, but I checked all name servers and it is there (and incorrect)
>>>>
>>>> I'll add it on my TODO list :)
>>>>
>>>> Paul
>>>> _______________________________________________
>>>> dns-operations mailing list
>>>> dns-operations at lists.dns-oarc.net
>>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>>> dns-jobs mailing list
>>>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>>>
>>> _______________________________________________
>>> dane mailing list
>>> dane at ietf.org
>>> https://www.ietf.org/mailman/listinfo/dane
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
>>
>
> --
> After you'd known Christine for any length of time, you found yourself fighting a desire to look into her ear to see if you could spot daylight coming the other way.
>
> -- (Terry Pratchett, Maskerade)
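The point Mark Andrews and Ben Laurie make above, in code: a DANE check for usage 3 (DANE-EE) consumes only the TLSA RRset, its DNSSEC state, and the certificate the server presents; the A RRset is not an input, so a broken RRSIG on it cannot change the verdict. The example below is added here and is not part of the thread or of the mozilla-extval add-on. The TLSA rdata is the one from the dig output in the thread; the certificate bytes are constructed placeholders, and the mapping of a dig status to a DNSSEC state is an assumption of this example.

```python
import hashlib
from dataclasses import dataclass
from enum import Enum


class DnssecState(Enum):
    SECURE = "secure"      # validating resolver set the AD flag
    INSECURE = "insecure"  # answered, but no chain of trust to the RRset
    BOGUS = "bogus"        # signature present but does not validate


@dataclass(frozen=True)
class TlsaRecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def parse_tlsa_rdata(text: str) -> TlsaRecord:
    """Parse presentation-format TLSA rdata such as '3 0 1 6E01...409C'.
    dig wraps long hex data across whitespace, so all trailing fields are joined."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    return TlsaRecord(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))


def state_from_dig(flags: str, status: str) -> DnssecState:
    """Assumed mapping for this example: a validating resolver answers a secure
    RRset with the 'ad' flag, an insecure one without it, and refuses a bogus
    one with SERVFAIL (the RRset never reaches the client)."""
    if status != "NOERROR":
        return DnssecState.BOGUS
    return DnssecState.SECURE if "ad" in flags.split() else DnssecState.INSECURE


def association_data(cert_der: bytes, spki_der: bytes, rec: TlsaRecord) -> bytes:
    """Select the certificate material and hash it as the TLSA record specifies."""
    selected = {0: cert_der, 1: spki_der}[rec.selector]
    if rec.matching_type == 0:
        return selected
    if rec.matching_type == 1:
        return hashlib.sha256(selected).digest()
    if rec.matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {rec.matching_type}")


def dane_verdict(tlsa_state: DnssecState, tlsa_rrset, cert_der: bytes, spki_der: bytes) -> str:
    """Return 'secured', 'failed' or 'no-dane'. Only the TLSA RRset and the
    presented certificate participate; address records are deliberately absent."""
    if tlsa_state is DnssecState.INSECURE:
        return "no-dane"          # nothing to enforce, fall back to PKIX
    if tlsa_state is DnssecState.BOGUS:
        return "failed"           # a forged or broken TLSA RRset must not pass
    for rec in tlsa_rrset:
        if rec.usage != 3:        # only DANE-EE is handled in this example
            continue
        if association_data(cert_der, spki_der, rec) == rec.data:
            return "secured"
    return "failed"


# TLSA rdata exactly as shown in the thread's dig output for dane-broken.rd.nic.fr
THREAD_TLSA = "3 0 1 6E013C54DF90D42D3C016E1AC9EB21E6DA45403D3A5AE9B2D8F21FC3 600D409C"

# Constructed placeholder certificate material (not the real server certificate)
FAKE_CERT_DER = b"constructed-end-entity-certificate-der"
FAKE_SPKI_DER = b"constructed-subject-public-key-info-der"


def example_scenario(tlsa_state: DnssecState = DnssecState.SECURE) -> str:
    """Re-create the dane-broken case with a constructed cert whose SHA-256 is
    published in a usage-3 TLSA record; the A RRset's RRSIG state is not even
    representable here, which is the point of the thread."""
    matching = TlsaRecord(3, 0, 1, hashlib.sha256(FAKE_CERT_DER).digest())
    return dane_verdict(tlsa_state, [matching], FAKE_CERT_DER, FAKE_SPKI_DER)


if __name__ == "__main__":
    rec = parse_tlsa_rdata(THREAD_TLSA)
    print("TLSA usage/selector/type:", rec.usage, rec.selector, rec.matching_type)
    print("TLSA RRset state from dig flags:", state_from_dig("qr rd ra ad", "NOERROR"))
    print("verdict with secure TLSA:", example_scenario())
    print("verdict with bogus TLSA:", example_scenario(DnssecState.BOGUS))
```

Two practical caveats follow from this. First, the add-on's green message is correct only because the TLSA RRset itself validated (the `ad` flag in the dig output); a bogus TLSA RRset must fail, not fall back. Second, a strictly validating resolver would answer the bogus A query with SERVFAIL, so a client that reaches the TLS handshake at all must have obtained the address through a non-validating path, which is why the address's DNSSEC state has no bearing on the DANE verdict.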