[dns-operations] [dane] DNSSEC DANE testing

Paul Wouters paul at cypherpunks.ca
Fri Oct 19 22:30:08 UTC 2012

On Sat, 20 Oct 2012, Mark Andrews wrote:

>> Somehow I can not follow your discussion.
>> What exactly do you mean by "added a bogus RRSIG record"?
> The A and SOA signatures were broken, not the TLSA.
>> If the DNSSEC signature on the TLSA record can _not_ be verified,
>> then the Browser MUST NOT flag the Server as being DANE-verified.
> It could be verified.

Of course, in my case, I could not reach the server because my DNSSEC
capable resolver could not get a proper A record. When going "insecure",
I could reach it, but then it flags red because _you_ are not using a
DNSSEC resolver, and it does mistakenly claim "domainname is secured
by DNSSEC", which with a broken A record is not the case.

I'll work on fixing this.


More information about the dns-operations mailing list