On Thu, Dec 17, 2015 at 05:05:50PM +0100, Dirk Stöcker wrote:

> Yesterday updating the tlsa tool I thought about making a set of domains
> which contain different errors or non-errors for DANE-TLSA records, like
> DANE-TA with incomplete TLS chain, but the missing part in full cert TLSA
> record and similar examples.
>
> Before doing so I want to ask if maybe there exists something already. I
> found http://dane.verisignlabs.com/, but that does not provide all
> possibilities.
I'm not aware of any on-line comprehensive stress tests for DANE verifiers. If I were doing this, I'd create a "test-in-a-box" package, that can deploy the various certificate chains on the tester's machine, rather than a central on-line system. The tests could even be done without DNSSEC, just based on configured tuples of domain names, TLSA RRsets, chains and expected outcome.

Take a look at test/danetest.in from the "master" branch of OpenSSL at https://github.com/openssl/openssl.git. This contains some DANE verifier tests that can run anywhere, because the TLSA records are fabricated as part of the test, not fetched from DNS.

Of course one still wants to know that a complete application using a verified toolkit is doing the enforcement correctly, and some live tests with DNS and all that are also useful, but need not be quite as combinatorially complete. This too can be done "in-a-box", with a server that picks a chain based on the SNI name, and domains under ".localhost" or the site's own prefix.

-- 
Viktor.
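As an added illustration (not from this thread, and not OpenSSL's danetest.in), here is a Python sketch of the "configured tuples of domain names, TLSA RRsets, chains and expected outcome" idea, with fabricated TLSA records and a verifier that decides DANE-TA(2) and DANE-EE(3), including the "incomplete chain but TA supplied in a full-cert TLSA record" case from the question. Certificates are a constructed toy encoding rather than X.509, issuance is modelled by name linkage instead of signature checks, and PKIX usages 0/1 are not handled.

```python
import hashlib
from typing import NamedTuple

# Toy certificate encoding standing in for X.509 DER: b"subject|issuer|key".
# Issuance is modelled by name linkage only; a real verifier checks signatures.
def parse(der: bytes):
    return der.split(b"|")  # -> [subject, issuer, key]; key doubles as the SPKI
class TLSA(NamedTuple):
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact, 1 SHA2-256, 2 SHA2-512
    data: bytes
def tlsa_for(usage: int, selector: int, mtype: int, der: bytes) -> TLSA:
    """Fabricate the TLSA record describing `der` (also used to test a match)."""
    sel = der if selector == 0 else parse(der)[2]
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[mtype]
    return TLSA(usage, selector, mtype, digest(sel))
def matches(rr: TLSA, der: bytes) -> bool:
    return tlsa_for(rr.usage, rr.selector, rr.mtype, der).data == rr.data
def linked(chain) -> bool:
    """Each cert's issuer is the next cert's subject (toy path check)."""
    return all(parse(c)[1] == parse(n)[0] for c, n in zip(chain, chain[1:]))

def dane_verify(chain, rrset) -> str:
    """chain[0] is the leaf; decides DANE-TA(2)/DANE-EE(3), not PKIX usages 0/1."""
    for rr in rrset:
        if rr.usage == 3 and matches(rr, chain[0]):
            return "pass: DANE-EE"
        if rr.usage == 2:
            for i, c in enumerate(chain[1:], 1):  # the TA is an issuer, not the leaf
                if matches(rr, c) and linked(chain[:i + 1]):
                    return "pass: DANE-TA in chain"
            # RFC 7671 5.2.2: a selector 0 / matching 0 record carries the TA cert
            # itself, so it can complete a chain from which the server omitted it.
            if rr.selector == 0 and rr.mtype == 0 and linked(chain + [rr.data]):
                return "pass: DANE-TA from TLSA record"
    return "fail"

ROOT = b"Example Root|Example Root|rootkey"  # constructed sample certificates
INTER = b"Example CA|Example Root|cakey"
LEAF = b"mail.example.test|Example CA|leafkey"
CASES = [  # (name, TLSA RRset, chain the server sends, expected outcome)
    ("dane-ee-spki-sha256", [tlsa_for(3, 1, 1, LEAF)], [LEAF], "pass: DANE-EE"),
    ("dane-ta-full-cert-in-rr", [tlsa_for(2, 0, 0, ROOT)], [LEAF, INTER], "pass: DANE-TA from TLSA record"),
    ("dane-ta-digest-incomplete-chain", [tlsa_for(2, 0, 1, ROOT)], [LEAF, INTER], "fail"),
    ("dane-ee-wrong-key", [tlsa_for(3, 1, 1, INTER)], [LEAF], "fail"),
]
def run_cases() -> dict:
    return {n: dane_verify(c, r) == e for n, r, c, e in CASES}
```

The third case is the error from the question: a digest-only DANE-TA record cannot stand in for a trust anchor the server failed to send, so a correct verifier must reject it while accepting the full-certificate variant.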