On Mon, Nov 10, 2014 at 11:39 AM, Viktor Dukhovni <[email protected]> wrote:
> On Mon, Nov 10, 2014 at 04:46:17PM +0000, Viktor Dukhovni wrote:
>
> > Speaking of testing, the Deploy360 site's list of test servers is
> > in need of ongoing maintenance. A noticeable fraction behave
> > differently than advertised.
>
> ;; Passed(depth 1, hostname fedoraproject.org): fedoraproject.org. IN TLSA 0 0 1 19400BE5B7A31FB733917700789D2F0A2471C0C9D506C0E504C06C16D7CB17C0
>
> ;; Passed(depth 0): www.freebsd.org. IN TLSA 3 0 1 3F86A1FA85F6E5169CB27BF25C863805EBFD3225A16AADB75587804680992096
>
> ;; Passed(depth 0): torproject.org. IN TLSA 3 1 1 578582E6B4569A4627AEF5DFE876EEC0539388E605DB170217838B10D2A58DA5
>
> ;; Passed(depth 0): good.dane.verisignlabs.com. IN TLSA 3 0 1 0332AA2D58B3E0544B65656438937068BA44CE2F14469C4F50C9CC6933C808D3
>
> ;; Passed(depth 0): nohats.ca. IN TLSA 3 1 1 462573195C86E861ABAB8ECCFBC7F0486958EFDFF9449AC10729B3A0F906F388
>
> ;; Passed(depth 0): www.nlnetlabs.nl. IN TLSA 3 1 1 F7DB964ED80ED0773F82A21997B2DCBAE434AE821AB1E3E337AD0CCFBFE2359F
>
> ;; Passed(depth 0): www.huque.com. IN TLSA 3 0 1 0013BEF11B875A58F3B0B1D7A0D439A608277F58433BBB12245B2A28B398C281
>
> As advertised. Mind you there should perhaps be a distinction in
> the classification of test sites between sites whose TLSA RRs
> actually leverage the CA they're signed by "usage 0, 1 or 2" vs.
> sites with a valid CA cert, but DANE-EE TLSA records. This would
> separate fedora and freebsd into separate categories.
>

My site (www.huque.com.) also falls into that latter category. The annotation on Dan York's page should be updated - it currently says I don't have a secure delegation, which was true at one time in the past (blame a DNSSEC oblivious registrar), but no longer.

--Shumon.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
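
The classification proposed in the quoted message (usage 0, 1 or 2 versus DANE-EE), as an added example that is not part of the original thread or any tool used in it. The function names, category labels, hostnames and digests are constructed for illustration; the field mnemonics are those of RFC 6698 / RFC 7218.

```python
import re

# Mnemonics for the three TLSA parameter fields (RFC 6698 / RFC 7218).
USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR = {0: "Cert", 1: "SPKI"}
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
DIGEST_HEX_LEN = {1: 64, 2: 128}  # hex digits expected per hashed matching type

# Finds "owner [ttl] IN TLSA u s m hexdata" anywhere in a line, so a status
# prefix such as ";; Passed(depth 0):" in front of the record is tolerated.
TLSA_RE = re.compile(
    r"(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+TLSA\s+"
    r"(?P<usage>\d+)\s+(?P<selector>\d+)\s+(?P<mtype>\d+)\s+(?P<data>[0-9A-Fa-f\s]+)$")

def parse_tlsa(line):
    """Parse one TLSA record and reject values that cannot be valid."""
    m = TLSA_RE.search(line.strip())
    if not m:
        raise ValueError("no TLSA record in line")
    usage, selector, mtype = (int(m[k]) for k in ("usage", "selector", "mtype"))
    data = "".join(m["data"].split()).upper()
    if usage not in USAGE or selector not in SELECTOR or mtype not in MATCHING:
        raise ValueError("unassigned usage/selector/matching value")
    if len(data) % 2 or (mtype in DIGEST_HEX_LEN and len(data) != DIGEST_HEX_LEN[mtype]):
        raise ValueError("association data length does not fit matching type")
    return {"owner": m["owner"], "usage": usage, "selector": selector,
            "mtype": mtype, "data": data}

def category(rec):
    """Split from the thread: usage 0, 1 or 2 versus DANE-EE (usage 3)."""
    return "ca-anchored" if rec["usage"] in (0, 1, 2) else "dane-ee"

def classify(lines):
    """Group (owner, mnemonic label) pairs under the two categories."""
    groups = {"ca-anchored": [], "dane-ee": []}
    for line in lines:
        rec = parse_tlsa(line)
        label = " ".join((USAGE[rec["usage"]], SELECTOR[rec["selector"]],
                          MATCHING[rec["mtype"]]))
        groups[category(rec)].append((rec["owner"], label))
    return groups

# Constructed sample input: hostnames and digests are placeholders.
SAMPLE = [
    ";; Passed(depth 1, hostname ca.example): ca.example. IN TLSA 0 0 1 " + "AB" * 32,
    ";; Passed(depth 0): ee.example. IN TLSA 3 1 1 " + "CD" * 32,
]

if __name__ == "__main__":
    for name, sites in classify(SAMPLE).items():
        print(name, sites)
```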
