[dns-operations] [dane] DNSSEC DANE testing
Mark Andrews
marka at isc.org
Fri Oct 19 13:00:39 UTC 2012
In message <20121019105938.98D621A2E1 at ld9781.wdf.sap.corp>, Martin Rex writes:
> Warren Kumari wrote:
> >
> > Mark Andrews <marka at isc.org> wrote:
> >>
> >> sandoche BALAKRICHENAN writes:
> >>> Hi Paul,
> >>>
> >>> I have deliberately added a bogus RRSIG record to
> >>> "https://dane-broken.rd.nic.fr". But the firefox add-on seems to
> >>> successfully validate mentioning "the domain is secured by DNSSEC".
> >>>
> >>> Sandoche.
> >>
> >> Well the TLSA is secure. As long as that matches the CERT returned it *is*
> >> secured even if the RRSIG on the A RRset is broken.
> >
> > Ooooh? This is an interesting case (which I personally hadn't considered)...
> >
> > This all makes sense, but "feels" odd? Not proposing that we do
> > anything, but it did make me blink?.
>
>
> Somehow I can not follow your discussion.
> What exactly do you mean by "added a bogus RRSIG record"?
The A and SOA signatures were broken, not the TLSA.
> If the DNSSEC signature on the TLSA record can _not_ be verified,
> then the Browser MUST NOT flag the Server as being DANE-verified.
It could be verified.
> When the server cert has been issued from a public CA, and the
> zone is either without DNSSEC or verifiably without TLSA record
> for the server, then the browser is doing a regular TLS handshake
> and traditional (rfc2818 section 3.1) server endpoint identification.
>
> Certs from private CAs or self-signed certs must continue to
> result in the scary-page.
>
> -Martin
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
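The rule Mark states above (only the DNSSEC status of the TLSA RRset decides the DANE outcome; a broken RRSIG on the A RRset is irrelevant to the certificate match) and Martin's fallback case (a zone that is unsigned, or verifiably has no TLSA record, gets ordinary RFC 2818 checking) can be written down as a small validator. The following is an added example for this archive page, not code from any participant or from a browser add-on. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders (a real client would take them from the TLS handshake via an X.509 parser), the function names are assumptions, and only certificate usage 3 (DANE-EE) is matched, since usages 0 to 2 additionally need PKIX chain validation that is outside the scope of this example.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample bytes standing in for the server certificate (DER) and its
# SubjectPublicKeyInfo (DER). They are not a real certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-sample-certificate-der"
SAMPLE_SPKI_DER = b"\x30\x59" + b"constructed-sample-spki-der"


@dataclass(frozen=True)
class TLSARecord:
    """One TLSA RDATA (RFC 6698 section 2.1)."""
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes         # certificate association data


def tlsa_association_data(cert_der, spki_der, selector, matching_type):
    """Derive the bytes a TLSA record must carry for this certificate."""
    if selector == 0:
        chosen = cert_der
    elif selector == 1:
        chosen = spki_der
    else:
        raise ValueError("unknown TLSA selector %d" % selector)
    if matching_type == 0:
        return chosen
    if matching_type == 1:
        return hashlib.sha256(chosen).digest()
    if matching_type == 2:
        return hashlib.sha512(chosen).digest()
    raise ValueError("unknown TLSA matching type %d" % matching_type)


def tlsa_matches(record, cert_der, spki_der):
    """True if the presented certificate satisfies this TLSA record's association data."""
    return record.data == tlsa_association_data(
        cert_der, spki_der, record.selector, record.matching_type)


def dane_outcome(tlsa_rrset_status, a_rrset_status, tlsa_records, cert_der, spki_der):
    """Decide the DANE result for a TLS connection.

    tlsa_rrset_status / a_rrset_status are the resolver's DNSSEC verdicts for the
    respective RRsets: "secure", "insecure" (unsigned zone) or "bogus" (signature
    failed). Returns "dane-verified", "dane-failed" or "fallback-pkix".

    a_rrset_status is deliberately not consulted: the certificate match is made
    against the TLSA RRset only, so a broken RRSIG over the A RRset does not
    change the DANE outcome (it only affects whether the address is trusted).
    """
    if tlsa_rrset_status == "bogus":
        return "dane-failed"        # signed but unverifiable: never treat as DANE-verified
    if tlsa_rrset_status == "insecure":
        return "fallback-pkix"      # no DNSSEC: regular RFC 2818 endpoint identification
    if tlsa_rrset_status != "secure":
        raise ValueError("unknown DNSSEC status %r" % tlsa_rrset_status)
    if not tlsa_records:
        return "fallback-pkix"      # secure denial of existence: verifiably no TLSA record
    # Only DANE-EE (usage 3) is handled here; other usages would also need PKIX chain
    # validation, which this example assumes is done elsewhere.
    usable = [r for r in tlsa_records if r.usage == 3]
    if any(tlsa_matches(r, cert_der, spki_der) for r in usable):
        return "dane-verified"
    return "dane-failed"


if __name__ == "__main__":
    rec = TLSARecord(3, 1, 1, tlsa_association_data(SAMPLE_CERT_DER, SAMPLE_SPKI_DER, 1, 1))
    # The case from the thread: TLSA RRset secure, A RRset signature broken.
    print(dane_outcome("secure", "bogus", [rec], SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
```

Running the block prints `dane-verified` for the thread's scenario, which is exactly what the add-on reported for the test zone: the A RRset's RRSIG failing makes the address data bogus, but the TLSA association itself is still validly signed and matches the presented certificate.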