In message <507fb355.4030...@afnic.fr>, sandoche BALAKRICHENAN writes:
> Hi Paul,
>
> I have deliberately added a bogus RRSIG record to
> "https://dane-broken.rd.nic.fr". But the firefox add-on seems to
> successfully validate mentioning "the domain is secured by DNSSEC".
>
> Sandoche.
Well the TLSA is secure. As long as that matches the CERT returned it *is*
secured even if the RRSIG on the A RRset is broken.

; <<>> DiG 9.10.0pre-alpha <<>> _443._tcp.dane-broken.rd.nic.fr tlsa +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52053
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;_443._tcp.dane-broken.rd.nic.fr. IN TLSA

;; ANSWER SECTION:
_443._tcp.dane-broken.rd.nic.fr. 1 IN TLSA 3 0 1 6E013C54DF90D42D3C016E1AC9EB21E6DA45403D3A5AE9B2D8F21FC3 600D409C
_443._tcp.dane-broken.rd.nic.fr. 1 IN RRSIG TLSA 5 6 1 20130415134103 20121017134103 24975 dane-broken.rd.nic.fr. UFaeHhxVp8zy1tpcR049JqGEvNZrmDLkpgoo63v4gvEtwLp0KRbSBL5J vVlNnz8s5Uk68i8diY/zGt1epP72C2S6C3AUHKdYZiwvxBQwd34Sawna jZMjfAkXEH5z9cjkk1AVm0ReRPs9kbVc0iPDLcH+z21VJBZyFmloOflM EXU=

;; Query time: 838 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Oct 19 08:49:24 2012
;; MSG SIZE  rcvd: 288

> On 09/12/2012 10:44 PM, Paul Wouters wrote:
> > On Wed, 12 Sep 2012, Marco Davids (SIDN) wrote:
> >
> >> On 08/23/12 20:02, Paul Wouters wrote:
> >>
> >>> I put up the xpi as well, you can grab it at:
> >>> http://people.redhat.com/pwouters/mozilla-extval-0.7.xpi
> >>
> >> I like it.
> >>
> >> However, there might be room for improvement in the wording of the
> >> messages.
> >>
> >> I deliberately broke the TLSA record (https://forfun.net/) and the
> >> message is (in green):
> >>
> >> "Domainname is secured by DNSSEC and the certificate is validated by
> >> CA."
> >>
> >> Both true, but as a paranoid user, I would have appreciated a little bit
> >> more information, like:
> >>
> >> "... but the certificate did not pass a DANE check"
> >>
> >> (or something similar)
> >
> > It should do that. When I check your domain it tells me there is no TLSA
> > record, but I checked all name servers and it is there (and incorrect)
> >
> > I'll add it on my TODO list :)
> >
> > Paul
> > _______________________________________________
> > dns-operations mailing list
> > dns-operations@lists.dns-oarc.net
> > https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> > dns-jobs mailing list
> > https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>
> _______________________________________________
> dane mailing list
> d...@ietf.org
> https://www.ietf.org/mailman/listinfo/dane

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
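What Mark's dig output lets a client check, as an added example that is not code from the thread, from the Firefox add-on, or from ISC: a DANE-EE (TLSA usage 3) match computed from a certificate's DER against the TLSA rdata, written in Python with only the standard library. The certificate is a constructed minimal DER skeleton with the tag layout of an X.509 Certificate, not a real certificate, and all helper names are mine. Two points from the thread are built in: the match only counts when the TLSA RRset came back DNSSEC-validated (the `ad` flag in the response above), regardless of the state of the A RRset's signature; and dig prints the association data split across whitespace, so the hex must be joined before decoding.

```python
"""Added example (not from the thread): DANE-EE (usage 3) TLSA matching as a
client performs it after a DNSSEC-validated TLSA lookup.  The certificate
built below is a constructed DER skeleton, not a real X.509 certificate."""
import hashlib


def der(tag: int, payload: bytes) -> bytes:
    """Minimal DER TLV encoder (definite lengths); used only to build test data."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def der_header(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the TLV starting at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length bytes
        nb = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    return tag, pos, pos + ln


def der_children(tlv: bytes) -> list:
    """Split a constructed TLV into its children, each as a full TLV byte string."""
    _, pos, end = der_header(tlv, 0)
    children = []
    while pos < end:
        _, _, child_end = der_header(tlv, pos)
        children.append(tlv[pos:child_end])
        pos = child_end
    return children


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV (selector 1 input).
    Certificate = SEQ { tbsCertificate, signatureAlgorithm, signature };
    tbsCertificate = SEQ { [0] version OPTIONAL, serial, sigAlg, issuer,
                           validity, subject, subjectPublicKeyInfo, ... }"""
    fields = der_children(der_children(cert_der)[0])
    if fields[0][0] == 0xA0:  # explicit [0] version present; skip it
        fields = fields[1:]
    return fields[5]


def parse_tlsa(rdata: str):
    """Parse presentation-format TLSA rdata ("3 0 1 6E01... 600D409C").
    dig wraps the association data across whitespace, so join every token
    after the three numeric fields before decoding."""
    usage, selector, mtype, *hex_parts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hex_parts))


def tlsa_association(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Association data a TLSA record would carry for this certificate."""
    data = {0: cert_der, 1: spki_from_cert(cert_der)}[selector]
    if mtype == 0:
        return data  # exact match, no hash
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type %d" % mtype)


def dane_ee_match(cert_der: bytes, tlsa_records, ad_flag: bool) -> bool:
    """True if a usage-3 record matches the presented end-entity certificate.
    Only a DNSSEC-validated TLSA RRset (AD set) is usable; the A/AAAA RRset's
    own RRSIG is not consulted, which is why a broken A RRSIG changes nothing."""
    if not ad_flag:
        return False
    for rr in tlsa_records:
        usage, selector, mtype, data = parse_tlsa(rr)
        if usage != 3 or selector not in (0, 1):
            continue
        try:
            if tlsa_association(cert_der, selector, mtype) == data:
                return True
        except ValueError:
            continue
    return False


def build_fake_cert():
    """Constructed test data: a Certificate-shaped DER blob and its SPKI TLV."""
    rsa_oid = der(0x06, bytes.fromhex("2a864886f70d010101"))  # rsaEncryption OID
    spki = der(0x30, der(0x30, rsa_oid + der(0x05, b"")) + der(0x03, b"\x00" + b"\x01" * 32))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02")) +                   # [0] version v3
              der(0x02, b"\x01") +                              # serialNumber
              der(0x30, rsa_oid) +                              # signature algorithm
              der(0x30, b"") + der(0x30, b"") + der(0x30, b"") +  # issuer, validity, subject
              spki)
    return der(0x30, tbs + der(0x30, rsa_oid) + der(0x03, b"\x00" * 17)), spki


if __name__ == "__main__":
    cert, _ = build_fake_cert()
    rr = "3 0 1 " + hashlib.sha256(cert).hexdigest()
    print("3 0 1 match, AD set:  ", dane_ee_match(cert, [rr], ad_flag=True))
    print("same record, AD clear:", dane_ee_match(cert, [rr], ad_flag=False))
```

The add-on wording Marco asked for falls out of the same three inputs: "secured by DNSSEC" is the AD flag on the TLSA lookup, "validated by CA" is the ordinary PKIX check, and "did not pass a DANE check" is the case where the RRset is validated but no record matches.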