In message <d9e43306-6021-4a39-ac1f-d20ae545f...@kumari.net>, Warren Kumari writes:
>
> On Oct 18, 2012, at 5:56 PM, Mark Andrews <ma...@isc.org> wrote:
>
> >
> > In message <507fb355.4030...@afnic.fr>, sandoche BALAKRICHENAN writes:
> >> Hi Paul,
> >>
> >> I have deliberately added a bogus RRSIG record to
> >> "https://dane-broken.rd.nic.fr". But the firefox add-on seems to
> >> successfully validate mentioning "the domain is secured by DNSSEC".
> >>
> >> Sandoche.
> >
> > Well the TLSA is secure. As long as that matches the CERT returned it *is*
> > secured even if the RRSIG on the A RRset is broken.
>
> Ooooh… This is an interesting case (which I personally hadn't considered)…
>
> This all makes sense, but "feels" odd… Not proposing that we do anything,
> but it did make me blink….
It also helps w/ DNS64. You don't need to care if the AAAA lookups are
forged or not for https connections as long as you get to a server which
presents the correct certificate and passes the handshake. You do need
to care for http connections.

Mark

> W

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
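The decision Mark describes, written out as an added example (this is not code from the thread, from ISC, or from the Firefox add-on Sandoche tested). It models a DANE-EE (usage 3) check per RFC 6698: the TLSA association data is compared against the presented certificate or its SubjectPublicKeyInfo, and the outcome for an https connection depends only on the TLSA RRset being DNSSEC-secure, the handshake succeeding, and that match, never on whether the A/AAAA answer validated. For plain http there is no handshake to lean on, so only the address records' validation state counts. The certificate bytes, the "secure" flags (standing in for a validating resolver's AD bit) and the handshake result are all constructed inputs.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class TLSA:
    """One TLSA RDATA as laid out in RFC 6698 section 2.1."""
    usage: int      # certificate usage; 3 = DANE-EE, the case discussed in the thread
    selector: int   # 0 = full certificate (DER), 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def _selected_bytes(selector: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Pick the part of the presented certificate the record refers to."""
    if selector == 0:
        return cert_der
    if selector == 1:
        return spki_der
    raise ValueError(f"unknown TLSA selector {selector}")


def tlsa_record_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Does this record's association data match the certificate the server sent?"""
    selected = _selected_bytes(rec.selector, cert_der, spki_der)
    if rec.mtype == 0:
        return selected == rec.data
    if rec.mtype == 1:
        return hashlib.sha256(selected).digest() == rec.data
    if rec.mtype == 2:
        return hashlib.sha512(selected).digest() == rec.data
    return False  # unknown matching type: the record is unusable, so never a match


def dane_ee_matches(rrset: Iterable[TLSA], cert_der: bytes, spki_der: bytes) -> bool:
    """True if any DANE-EE (usage 3) record matches the end-entity certificate.
    Usages 0-2 also need PKIX chain checks and are deliberately left out here."""
    return any(r.usage == 3 and tlsa_record_matches(r, cert_der, spki_der) for r in rrset)


def endpoint_is_authentic(scheme: str, tlsa_secure: bool, addr_secure: bool,
                          handshake_ok: bool, rrset: Iterable[TLSA],
                          cert_der: bytes, spki_der: bytes) -> bool:
    """Can the client treat the server it reached as the genuine one?

    tlsa_secure / addr_secure stand in for the validating resolver's AD bit on
    the TLSA RRset and on the A/AAAA RRset respectively (constructed inputs).
    """
    if scheme == "https":
        # The handshake proves possession of the key that a DNSSEC-secured TLSA
        # record pins. A forged or unsigned A/AAAA answer can only steer us to
        # a host that cannot pass this check, so addr_secure is irrelevant.
        return tlsa_secure and handshake_ok and dane_ee_matches(rrset, cert_der, spki_der)
    if scheme == "http":
        # Nothing in the connection itself authenticates the peer: the address
        # records are all we have, so they must have validated.
        return addr_secure
    raise ValueError(f"unsupported scheme {scheme}")


def scenarios() -> dict:
    """Constructed inputs reproducing the dane-broken case and its neighbours."""
    spki = b"constructed SubjectPublicKeyInfo of the genuine server key"
    cert = b"constructed DER certificate carrying the genuine key"
    forged_spki = b"constructed SubjectPublicKeyInfo of an impostor key"
    forged_cert = b"constructed DER certificate carrying the impostor key"
    # Record a zone owner would publish at _443._tcp.<name>: usage 3, SPKI, SHA-256.
    rrset = [TLSA(3, 1, 1, hashlib.sha256(spki).digest())]
    return {
        # The thread's case: RRSIG on the A RRset bogus, TLSA RRset secure, right cert.
        "https_bogus_a_genuine_cert": endpoint_is_authentic("https", True, False, True, rrset, cert, spki),
        # Same DNS state, but the host we reached presents a different key.
        "https_bogus_a_impostor_cert": endpoint_is_authentic("https", True, False, True, rrset, forged_cert, forged_spki),
        # TLSA RRset itself did not validate: DANE cannot vouch for anything.
        "https_insecure_tlsa": endpoint_is_authentic("https", False, True, True, rrset, cert, spki),
        # Plain http over a forged address: nothing left to check.
        "http_bogus_a": endpoint_is_authentic("http", True, False, True, rrset, cert, spki),
        "http_secure_a": endpoint_is_authentic("http", True, True, True, rrset, cert, spki),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:32s} {'authentic' if ok else 'NOT authentic'}")
```

The same logic explains the DNS64 remark: a synthesized AAAA can never carry a valid RRSIG, yet an https client that pins the server key through a secure TLSA RRset loses nothing, because the handshake against the pinned key is what actually authenticates the peer.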