[dns-operations] [dane] DNSSEC DANE testing

Paul Wouters paul at cypherpunks.ca
Fri Oct 19 22:30:08 UTC 2012


On Sat, 20 Oct 2012, Mark Andrews wrote:

>> Somehow I can not follow your discussion.
>> What exactly do you mean by "added a bogus RRSIG record"?
>
> The A and SOA signatures were broken, not the TLSA.
>
>> If the DNSSEC signature on the TLSA record can _not_ be verified,
>> then the Browser MUST NOT flag the Server as being DANE-verified.
>
> It could be verified.

Of course, in my case, I could not reach the server because my DNSSEC
capable resolver could not get a proper A record. When going "insecure",
I could reach it, but then it flags red because _you_ are not using a
DNSSEC resolver, and it does mistakenly claim "domainname is secured
by DNSSEC", which with a broken A record is not the case.

I'll work on fixing this.

Paul
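The failure mode discussed above, as an added example that is not part of the thread: a small Python model of the decision a DANE-aware client has to make, showing that a validated TLSA record alone must not produce a "secured by DNSSEC" indicator when the address lookup was bogus or merely insecure. The `Answer` class, the `dane_status` rules, the SPKI bytes and the TLSA record are all constructed assumptions; only the "3 1 1" TLSA form is modelled.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Answer:
    """Constructed resolver answer: rcode, AD (Authenticated Data) flag, records."""
    rcode: str   # "NOERROR", or "SERVFAIL" from a validating resolver on bogus data
    ad: bool     # True only when a validating resolver proved the RRset
    rdata: list = field(default_factory=list)

def validation_state(ans: Answer) -> str:
    """Bogus data makes a validating resolver SERVFAIL; AD unset means insecure."""
    if ans.rcode == "SERVFAIL":
        return "bogus"
    return "secure" if ans.ad else "insecure"

def tlsa_matches(tlsa_rr: str, spki_der: bytes) -> bool:
    """Match one TLSA record in presentation form; only '3 1 1' (DANE-EE,
    SPKI selector, SHA-256 matching type) is modelled here."""
    usage, selector, mtype, digest = tlsa_rr.split()
    if (usage, selector, mtype) != ("3", "1", "1"):
        return False
    return hashlib.sha256(spki_der).hexdigest() == digest.lower()

def dane_status(a_answer: Answer, tlsa_answer: Answer, spki_der: bytes) -> str:
    """Decide what a DANE-aware client may display for this connection."""
    if validation_state(a_answer) == "bogus":
        return "unreachable"   # validating resolver withholds the broken A RRset
    if validation_state(a_answer) != "secure" or validation_state(tlsa_answer) != "secure":
        return "insecure"      # never claim "secured by DNSSEC" on this path
    if any(tlsa_matches(rr, spki_der) for rr in tlsa_answer.rdata):
        return "dane-verified"
    return "dane-mismatch"     # validated TLSA, but the server key differs

# Constructed sample data: a stand-in for the server's DER-encoded SPKI and
# the matching TLSA record a zone owner would publish for it.
SPKI = b"constructed-spki-bytes-not-a-real-key"
TLSA_RR = "3 1 1 " + hashlib.sha256(SPKI).hexdigest()

if __name__ == "__main__":
    bogus_a = Answer("SERVFAIL", False)              # broken RRSIG on the A RRset
    secure_tlsa = Answer("NOERROR", True, [TLSA_RR])
    print(dane_status(bogus_a, secure_tlsa, SPKI))   # prints "unreachable"
    # Non-validating resolver: everything resolves, nothing is proven.
    print(dane_status(Answer("NOERROR", False, ["192.0.2.1"]),
                      Answer("NOERROR", False, [TLSA_RR]), SPKI))   # prints "insecure"
```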

