On Mon, Oct 27, 2014 at 11:32:23PM +0000, Viktor Dukhovni wrote:
> What would be even more helpful is a site that not only tests DNSSEC
> validation and checks for the presence of TLSA RRs, but also connects
> to the domain's MX hosts and reports whether the TLSA RRs match
> reality! I may end up partnering with some folks to build this,
> but if anyone wants to do it for us, that would be great.
>
> A 3-4% error rate in deploying TLSA records is too high, we need
> better deployment validation tools. And more prominent guidance
> to pick just either of "2 0 1" or "3 1 1" for SMTP.
>
> I'm also considering releasing a tool that validates a server's
> off-line chain file against an off-line TLSA RRset. This would
> allow folks to test before they break their server, rather than
> immediately after.
Speaking of testing, the Deploy360 site's list of test servers is
in need of ongoing maintenance. A noticeable fraction behave
differently than advertised. The data at
http://www.internetsociety.org/deploy360/resources/dane-test-sites/
is quite dated. It should probably be kept up to date or withdrawn.
--
Viktor.
(The "Address records insecure" result below is how I avoid sending
TLSA queries for unsigned zones where these are likely to be
mishandled, and unlikely to be secure, see the SMTP draft for
details).
--- Testing fedoraproject.org...
;; Passed(depth 1, hostname fedoraproject.org): fedoraproject.org. IN TLSA 0 0
1 19400BE5B7A31FB733917700789D2F0A2471C0C9D506C0E504C06C16D7CB17C0
--- Exit code: 0
--- Testing www.freebsd.org...
;; Passed(depth 0): www.freebsd.org. IN TLSA 3 0 1
3F86A1FA85F6E5169CB27BF25C863805EBFD3225A16AADB75587804680992096
--- Exit code: 0
--- Testing torproject.org...
;; Passed(depth 0): torproject.org. IN TLSA 3 1 1
578582E6B4569A4627AEF5DFE876EEC0539388E605DB170217838B10D2A58DA5
--- Exit code: 0
--- Testing jhcloos.com...
;; Passed(depth 3, hostname jhcloos.com): jhcloos.com. IN TLSA 1 1 1
597CC279D90F0FB950B540921C4A76916590A2B7DEDDDDBC353C65337160E1A8
;; Passed(depth 0): jhcloos.com. IN TLSA 3 1 1
597CC279D90F0FB950B540921C4A76916590A2B7DEDDDDBC353C65337160E1A8
--- Exit code: 0
--- Testing www.kumari.net...
;; Passed(depth 4, hostname *.kumari.net): www.kumari.net. IN TLSA 1 0 1
8D930A464843E08660E3FD1DDCE8ED4269CC0CD9CD53A8A306BCE8ABCF47AEF5
--- Exit code: 0
--- Testing good.dane.verisignlabs.com...
;; Passed(depth 0): good.dane.verisignlabs.com. IN TLSA 3 0 1
0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC6933C808D3
--- Exit code: 0
--- Testing www.statdns.net...
;; Failed: www.statdns.net. IN TLSA 3 0 1
C1D6431EAB897824E3A767A3CBE3B200D9160B20B0B5684C851C47782787D286: certificate
not trusted: (27)
--- Exit code: 1
--- Testing dougbarton.us...
;; Passed(depth 3, hostname dougbarton.us): dougbarton.us. IN TLSA 1 0 2
F994F42839BE5C864F143A037D4E96BB0F559AD7284C57EA09BF6A69D37C1D8359E57C604BB42A9A56586DB21E700404C38B8152365C03543BBF210A4FE30E08
--- Exit code: 0
--- Testing hacklab.to...
Address records insecure
--- Exit code: 255
--- Testing nohats.ca...
;; Passed(depth 0): nohats.ca. IN TLSA 3 1 1
462573195C86E861ABAB8ECCFBC7F0486958EFDFF9449AC10729B3A0F906F388
--- Exit code: 0
--- Testing www.nlnetlabs.nl...
;; Passed(depth 0): www.nlnetlabs.nl. IN TLSA 3 1 1
F7DB964ED80ED0773F82A21997B2DCBAE434AE821AB1E3E337AD0CCFBFE2359F
--- Exit code: 0
--- Testing www.vulcano.cl...
;; Failed: www.vulcano.cl. IN TLSA 3 0 1
5F301AD10923161E74EC4951C052C97963FEBCCB093019618964D69CAF7B5B34: unable to get
local issuer certificate: (20)
--- Exit code: 1
--- Testing www.huque.com...
;; Passed(depth 0): www.huque.com. IN TLSA 3 0 1
0013BEF11B875A58F3B0B1D7A0D439A608277F58433BBB12245B2A28B398C281
--- Exit code: 0
--- Testing dane.nox.su...
DNS Lookup failed: dane.nox.su IN A ?: SERVFAIL
--- Exit code: 255
--- Testing rover.secure64.com...
;; Failed: rover.secure64.com. IN TLSA 3 0 1
D7D680E82EDA59B910D4CF37EC8398432251650A176A20E08ABE45DA728266EF: self signed
certificate: (18)
--- Exit code: 1
--- Testing rogue.nohats.ca...
;; Failed: rogue.nohats.ca. IN TLSA 3 0 1
0000000000000000000000000000000000000000000000000000000000000000: unable to get
local issuer certificate: (20)
--- Exit code: 1
--- Testing bad-hash.dane.verisignlabs.com...
;; Failed: bad-hash.dane.verisignlabs.com. IN TLSA 3 0 1
9999999999999999999999999999999999999999999999999999999999999999: certificate
not trusted: (27)
--- Exit code: 1
--- Testing bad-params.dane.verisignlabs.com...
;; Failed: bad-params.dane.verisignlabs.com. IN TLSA 3 119 1
0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC6933C808D3: error
processing TLSA RR
;; Failed: bad-params.dane.verisignlabs.com. IN TLSA 51 0 1
0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC6933C808D3: error
processing TLSA RR
;; Failed: bad-params.dane.verisignlabs.com. IN TLSA 3 0 17
0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC6933C808D3: error
processing TLSA RR
--- Exit code: 1
--- Testing bad-sig.dane.verisignlabs.com...
DNS Lookup failed: bad-sig.dane.verisignlabs.com IN A ?: SERVFAIL
--- Exit code: 255
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
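The off-line check described in the quoted text (validate a server's chain file against a TLSA RRset before changing anything live) and the "error processing TLSA RR" verdicts in the bad-params output above can both be illustrated with the short script below. It is an added example and is not Viktor's tool, posttls-finger, or any code from the list; it uses only the Python standard library. It assumes the caller has already extracted each chain element's DER certificate and DER SubjectPublicKeyInfo (for instance with `openssl x509 -outform DER` and `openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER`); the `Cert`, `parse_tlsa`, `association_data`, `tlsa_match_depth` and `check_rrset` names are this example's own, the sample chain consists of constructed placeholder bytes rather than real certificates, and "depth" here is simply the index into the chain file, not the depth semantics of the output above. It deliberately does only the TLSA-side work: PKIX validation for usages 0 and 1, hostname checks, and a DANE-TA whose certificate is absent from the chain file are out of scope.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TLSA parameter values registered for RFC 6698 (acronyms from RFC 7218).
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
DIGEST_LEN = {1: 32, 2: 64}  # expected association-data length per matching type


@dataclass
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


@dataclass
class Cert:
    """One element of an off-line chain file; both fields are DER bytes
    (assumed to be extracted beforehand, e.g. with openssl)."""
    der: bytes
    spki: bytes


def parse_tlsa(presentation: str) -> TLSA:
    """Parse 'usage selector mtype hexdata'. Whitespace inside the hex data is
    tolerated, since mailers and zone files wrap long records."""
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("error processing TLSA RR: need usage, selector, matching type, data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING:
        raise ValueError(f"error processing TLSA RR: unregistered parameters {usage} {selector} {mtype}")
    data = bytes.fromhex("".join(fields[3:]))
    want = DIGEST_LEN.get(mtype)
    if want is not None and len(data) != want:
        raise ValueError(f"error processing TLSA RR: {MATCHING[mtype]} needs {want} bytes, got {len(data)}")
    return TLSA(usage, selector, mtype, data)


def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Compute what the TLSA data field should contain for this certificate."""
    selected = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def tlsa_match_depth(rr: TLSA, chain: List[Cert]) -> Optional[int]:
    """Return the chain index of the certificate the record matches, or None.
    chain[0] is the end-entity certificate; chain[1:] are the issuers present in
    the chain file. Usages 1 and 3 name the end entity; usages 0 and 2 name an
    issuer. Depth is that index (this example's own convention)."""
    if rr.usage in (1, 3):
        candidates = [(0, chain[0])]
    else:
        candidates = list(enumerate(chain))[1:]
    for depth, cert in candidates:
        if association_data(cert, rr.selector, rr.mtype) == rr.data:
            return depth
    return None


def check_rrset(records: List[str], chain: List[Cert]) -> List[Tuple[str, str, str]]:
    """Validate every record of an RRset against the chain file and return
    (record, verdict, detail) triples in a Passed/Failed style."""
    results = []
    for text in records:
        try:
            rr = parse_tlsa(text)
        except ValueError as exc:
            results.append((text, "Failed", str(exc)))
            continue
        depth = tlsa_match_depth(rr, chain)
        if depth is None:
            results.append((text, "Failed", "no certificate in the chain file matches"))
        else:
            results.append((text, "Passed", f"depth {depth}"))
    return results


# Constructed sample input: placeholder bytes standing in for real DER, so the
# digests below are meaningful only relative to each other.
EE = Cert(der=b"constructed end-entity certificate DER", spki=b"constructed end-entity SPKI DER")
CA = Cert(der=b"constructed issuing CA certificate DER", spki=b"constructed issuing CA SPKI DER")
SAMPLE_CHAIN = [EE, CA]
SAMPLE_RRSET = [
    "3 1 1 " + hashlib.sha256(EE.spki).hexdigest(),   # DANE-EE / SPKI / SHA2-256: passes
    "2 0 1 " + hashlib.sha256(CA.der).hexdigest(),    # DANE-TA / Cert / SHA2-256: passes
    "3 0 1 " + "00" * 32,                             # digest matching nothing (cf. rogue.nohats.ca)
    "3 119 1 " + hashlib.sha256(EE.der).hexdigest(),  # bad selector (cf. bad-params test)
    "51 0 1 " + hashlib.sha256(EE.der).hexdigest(),   # bad usage
    "3 0 17 " + hashlib.sha256(EE.der).hexdigest(),   # bad matching type
    "3 0 1 " + "00" * 31,                             # wrong digest length for SHA2-256
]


def run_sample() -> List[Tuple[str, str, str]]:
    return check_rrset(SAMPLE_RRSET, SAMPLE_CHAIN)


if __name__ == "__main__":
    for text, verdict, detail in run_sample():
        print(f";; {verdict}: {text[:24]}...: {detail}")
```

Run as-is it prints two Passed and five Failed verdicts for the constructed RRset; to check a real deployment, build `chain` from the server's chain file (end entity first) and pass the zone's TLSA records as presentation strings. The parameter-range check is what turns the `3 119 1`, `51 0 1` and `3 0 17` records into "error processing TLSA RR" before any digest is compared, and the length check catches truncated or mis-pasted hex, which is a common source of the deployment errors the quoted text mentions.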