Unfortunately, the Bloodhound web-browser (which is tweaked for native support of DNSSEC & TLSA/DANE) does not yet have a Windows port/release :(
I would agree completely; these addons have many more bugs and are far from perfect. Even in "3 s m" or "2 s m" detection & verification they are not very consistent yet. For example, even when using the latest release of these addons, when such sites/zones are visited as "mozilla.org" or "addons.mozilla.org" (both are DNSSEC-signed zones/sites, though with no TLSA RR yet), the addons showed those are not signed or secured by DNSSEC! But for other major or more publicly known DNSSEC-signed + TLSA-based sites/zones, these addons do seem to show the DNSSEC+DANE info/icon correctly, especially when a "3 s m" based (aka end-entity cert, domain-issued cert) TLSA exists for _443._tcp (HTTPS). In an attempt to create and test a TLSA "2 s m" implementation for HTTPS, apparently these addons did not show correct info. But it could also be that our test RR implementation was wrong, or that the TA cert and other certs were not in the chain properly. So very likely the internal source code is tuned for limited TLSA cases only.

BTW, the "Cipherfox" Firefox addon can visually show the PKI cert chain; it appears inside the (earlier-mentioned) DNSSEC addon's popup/info window (when the icon is clicked on), but afaiu this addon does not do any DNSSEC or DANE. It would have been great if those two addons could show the cert chain or debug info on which exact certs or chain of certs these addons have checked/verified. And even when configured in Firefox to show debug info, those two addons do not actually show detailed debug info. And if those two addons were further improved for use with Thunderbird for _993, _995, _25, _465 based services, then that would have been very helpful. Currently those two addons do not understand those DNS RRs. -- Bright Star.
Received from Viktor Dukhovni, on 2013-05-28 6:29 PM:
> On Tue, May 28, 2013 at 05:56:02PM -0700, Bry8 Star wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>
> http://xkcd.com/1181
>
>> on windows side, users (including me) are using, two firefox addons:
>> "Extended DNSSEC Validator" (www.os3sec.org),
>
> The code I found for this on github does not support certificate
> usage 0 or 1 and ignores the TLSA RR selector, always matching the
> certificate and not the public key. It appears to hardcode port
> 443 for TLSA RR lookups, rather than use the port from the URI.
> It is far from clear how it handles name checks. Likely many more
> problems.
>
> At first glance it is a toy not suitable for serious use.
>
>> "DNSSEC Validator"
>> (www.dnssec-validator.cz), and these two are able to use a local or
>> remote DNSSEC validation supported DNS-Resolver/Server, and seems to
>> be able to handle at-least "2 s m" and "3 s m" TLSA cases.
>
> I have not had a chance to look at this in detail and I don't know
> much about writing browser plugins, so it is not clear how one
> robustly hooks into the browser's HTTPS connection establishment
> process. I would recommend using browsers that support DANE natively,
> via a properly reviewed implementation in the browser itself. I'd be
> suspicious of the safety of addons.
>
> Perhaps someone else can take a stab at it. My impression is that
> a non-trivial fraction of the early implementations are substantively
> flawed. Caveat emptor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
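Worked example added after the thread (it is not code from any message above, nor from either addon). It shows, in Python with only the standard library, the three things Viktor's review and the "2 s m" / "3 s m" testing above turn on: the TLSA owner name must be built from the URI's actual port instead of a hardcoded 443; the selector decides whether the full certificate (0) or only the SubjectPublicKeyInfo (1) is matched, so a "3 1 1" record must not match when the selector is ignored; and certificate usages 0/1 (PKIX-TA/PKIX-EE) additionally require ordinary PKIX validation while 2/3 (DANE-TA/DANE-EE) do not. Usage, selector and matching-type semantics follow RFC 6698. The certificates are constructed toy DER structures with dummy signatures, the key blobs are constructed bytes, and `tlsa_owner`, `extract_spki`, `tlsa_matches` and `evaluate` are hypothetical names; `evaluate` assumes the TLS stack has already verified that the presented chain is signature-valid from the leaf up to whichever CA a DANE-TA record matches, so it only performs the TLSA association step.

```python
import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit

# ---- minimal DER encode/decode, just enough to build and walk a toy X.509 cert ----
SEQ, SET, INT, OID, NULL, UTF8, BITS, UTCTIME, CTX0 = (
    0x30, 0x31, 0x02, 0x06, 0x05, 0x0C, 0x03, 0x17, 0xA0)

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_children(content: bytes):
    """Split a DER constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, first = content[pos], content[pos + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            n = first & 0x7F
            length, hdr = int.from_bytes(content[pos + 2:pos + 2 + n], "big"), 2 + n
        out.append((tag, content[pos + hdr:pos + hdr + length]))
        pos += hdr + length
    return out

def name(cn: str) -> bytes:
    # Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue); 2.5.4.3 = commonName
    return tlv(SEQ, tlv(SET, tlv(SEQ, tlv(OID, b"\x55\x04\x03") + tlv(UTF8, cn.encode()))))

def spki(key_blob: bytes) -> bytes:
    # SubjectPublicKeyInfo carrying the rsaEncryption OID; key_blob is a constructed stand-in
    return tlv(SEQ, tlv(SEQ, tlv(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + tlv(NULL, b""))
               + tlv(BITS, b"\x00" + key_blob))

SHA256_RSA = tlv(SEQ, tlv(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + tlv(NULL, b""))

def make_cert(subject: str, issuer: str, key_blob: bytes, serial: int) -> bytes:
    """Constructed toy certificate: real DER layout, but the signature bits are dummy zeros."""
    tbs = tlv(SEQ, tlv(CTX0, tlv(INT, b"\x02")) + tlv(INT, bytes([serial])) + SHA256_RSA
              + name(issuer)
              + tlv(SEQ, tlv(UTCTIME, b"230101000000Z") + tlv(UTCTIME, b"330101000000Z"))
              + name(subject) + spki(key_blob))
    return tlv(SEQ, tbs + SHA256_RSA + tlv(BITS, b"\x00" + bytes(32)))

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo, i.e. what TLSA selector 1 refers to."""
    (_, cert), = der_children(cert_der)                 # Certificate is one SEQUENCE
    fields = der_children(der_children(cert)[0][1])     # tbsCertificate children
    if fields[0][0] == CTX0:                            # optional [0] version
        fields = fields[1:]
    tag, value = fields[5]   # serial, sigalg, issuer, validity, subject, SPKI
    return tlv(tag, value)

# ---- TLSA (RFC 6698) association ----
@dataclass
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes

DEFAULT_PORTS = {"https": 443, "imaps": 993, "pop3s": 995, "smtps": 465, "smtp": 25}

def tlsa_owner(url: str) -> str:
    """TLSA owner name derived from the URI's own port, never a hardcoded 443."""
    u = urlsplit(url)
    port = u.port or DEFAULT_PORTS[u.scheme]
    return f"_{port}._tcp.{u.hostname}."

def tlsa_matches(rr: TLSA, cert_der: bytes) -> bool:
    if rr.selector not in (0, 1) or rr.mtype not in (0, 1, 2):
        return False                                    # unusable RR: ignore it
    selected = cert_der if rr.selector == 0 else extract_spki(cert_der)
    digest = {0: lambda b: b,
              1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[rr.mtype]
    return digest(selected) == rr.data

def evaluate(rrs, chain, pkix_valid: bool):
    """chain[0] is the end-entity cert; chain[1:] are the CAs the TLS stack chained it to
    (assumption: that chaining, i.e. the signatures, was already verified by the TLS stack).
    Returns the usage of the first RR that authenticates the server, or None."""
    leaf, cas = chain[0], chain[1:]
    for rr in rrs:
        if rr.usage == 3 and tlsa_matches(rr, leaf):                        # DANE-EE
            return 3
        if rr.usage == 2 and any(tlsa_matches(rr, c) for c in cas):        # DANE-TA
            return 2
        if rr.usage == 1 and pkix_valid and tlsa_matches(rr, leaf):        # PKIX-EE
            return 1
        if rr.usage == 0 and pkix_valid and any(tlsa_matches(rr, c) for c in cas):  # PKIX-TA
            return 0
    return None

# Constructed sample chain: a leaf issued by a toy CA.
LEAF_KEY, CA_KEY = b"\x01" * 32, b"\x02" * 32
LEAF = make_cert("www.example.com", "Toy CA", LEAF_KEY, 2)
CA = make_cert("Toy CA", "Toy CA", CA_KEY, 1)

def demo():
    rr_3_1_1 = TLSA(3, 1, 1, hashlib.sha256(extract_spki(LEAF)).digest())  # "3 1 1"
    rr_2_0_1 = TLSA(2, 0, 1, hashlib.sha256(CA).digest())                  # "2 0 1"
    selector_ignored = TLSA(3, 0, 1, rr_3_1_1.data)  # same hash, selector 0: must fail
    return (evaluate([rr_3_1_1], [LEAF, CA], False),
            evaluate([rr_2_0_1], [LEAF, CA], False),
            evaluate([selector_ignored], [LEAF, CA], False))
```

The `selector_ignored` case is the bug Viktor describes: a validator that always hashes the whole certificate will reject a correct "3 1 1" record (and, worse, would accept a record that was never meant to match the certificate form). The `pkix_valid` flag shows why usage 0/1 support is more than a lookup: those records only add a constraint on top of ordinary chain validation, whereas usage 2/3 replace it.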
