[dns-operations] DNSSEC DANE testing

Paul Wouters paul at cypherpunks.ca
Wed Sep 12 20:44:12 UTC 2012

On Wed, 12 Sep 2012, Marco Davids (SIDN) wrote:

> On 08/23/12 20:02, Paul Wouters wrote:
>> I put up the xpi as well, you can grab it at:
>> http://people.redhat.com/pwouters/mozilla-extval-0.7.xpi
> I like it.
> However, there might be room for improvent in the wording of the the
> messages.
> I deliberately broke the TLSA record (https://forfun.net/) and the
> message is (in green):
> "Domainname is secured by DNSSEC and the certificate is validated by CA."
> Both true, but as a paranoid user, I would have appreciated a little bit
> more information, like:
> "... but the certificate did not pass a DANE check"
> (or something similar)

It should do that. When I check your domain it tells me there is no TLSA
record, but I checked all name servers and it is there (and incorrect)

I'll add it on my TODO list :)


More information about the dns-operations mailing list