> From: Tony Finch <[email protected]>
>
> > Is there something somewhere (preferably a browser) that can check
> > (preferably use to make a TLS connection) TLSA records?
>
> A few implementations I found...
thanks for your list and your effort,

> https://github.com/pieterlexis/swede

I knew about Swede, but it seems to require some strange (to me) Python bits and perhaps unbound (instead of BIND), besides not being anything like a browser. Perhaps I should also mention that Debian or Ubuntu would not be my 1st or 2nd preference for a test system.

> https://github.com/kirei/openssl-dane

I didn't know about that one, but it's also nothing like a browser. I could pipe dig output through some filters to openssl and so convince myself that my delusions about DANE are consistent. That wouldn't give the warm feeling of a browser not whining about my certs.

> https://mattmccutchen.net/cryptid/index.html

I also didn't know about that one. Its README.dane makes it sound like Swede but more so.

> https://os3sec.org/

I tried that one last week but was unable to get it to do anything besides kill Firefox. Comments on the Firefox Add-Ons page suggest that my personal problems are not unique.

> http://git.kirya.net/?p=debian/sshfp.git

I looked at that one last week. It seemed like Swede but more so...or perhaps less.

Once I stopped assuming that it is arcane and hard, it seems easy to generate IETF TLSA records with `openssl x509` and filters like `od` and `awk` from existing certs.

> You might get some more answers on the [email protected] list.

I was hoping to avoid asking the IETF for reasons that were stale 10 years ago. I had already looked through those archives without finding anything but the Chrome mechanism. I was hoping for something like the Chrome mechanism but for RRs that someone other than Google would use.

I've poked at current and canary Chrome on a Windows 7 box. According to my resolver logs, it asked once, days ago, for that experimental RR for that special domain. Since then I've been unable to get it to ask for that domain again, even with all the restarting and cache flushing that I (don't really) understand in Chrome. I've been unable to get it to ask for the experimental type and equivalent derived query names for my domains or even any DNSKEY RRs; according to tcpdump and BIND debug logging, it only gets As and AAAAs and whines about my certs.

I'll look more closely at your list and eventually pick one to do a not quite, before-pre-smoke test of my RRs on a Linux test box. It looks as if I'll be ahead of the pack as long as I do that in the next 3 or 4 years.

I'm very disappointed. It seems that despite years of talk, DANE is not ready for discussion in the trade press blogs, not to mention prime time. Given the lack of readiness or antipathy of registrars for basic DNSSEC, I probably shouldn't be surprised. DNSSEC and DANE are beginning to seem less substantial than the vaporware from the ISO OSI protocol gurus 25 years ago.

thanks again for your list and your effort,

Vernon Schryver [email protected]
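The `openssl x509` plus `od` approach the message above mentions, written out as an added example that is not part of the thread: it derives the TLSA RDATA (usage, selector, matching type, hex data) from an existing certificate, covering both selectors and all three matching types from RFC 6698. The hostname, port and the throwaway self-signed certificate are constructed for the demo; only `openssl`, `od` and `tr` are assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the thread: derive TLSA RDATA from an existing
# certificate with openssl and od, as the message above describes.
# Assumptions (not from the page): openssl in PATH; host/port/cert are inputs.

# der_payload CERT SELECTOR -> DER bytes on stdout
#   selector 0 = the whole certificate, 1 = SubjectPublicKeyInfo only (RFC 6698)
der_payload() {
    case $2 in
        0) openssl x509 -in "$1" -outform DER ;;
        1) openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER ;;
        *) echo "bad selector: $2" >&2; return 1 ;;
    esac
}

# tlsa_record CERT HOST PORT USAGE SELECTOR MTYPE -> one presentation-format RR
#   usage 3 (DANE-EE) pins this end-entity cert regardless of CA validation;
#   mtype 0 = raw bytes, 1 = SHA-256, 2 = SHA-512 (all hex-encoded via od)
tlsa_record() {
    cert=$1 host=$2 port=$3 usage=$4 selector=$5 mtype=$6
    case $selector in 0|1) ;; *) echo "bad selector: $selector" >&2; return 1 ;; esac
    case $mtype in
        0) hex=$(der_payload "$cert" "$selector" | od -An -tx1 | tr -d ' \n') ;;
        1) hex=$(der_payload "$cert" "$selector" | openssl dgst -sha256 -binary | od -An -tx1 | tr -d ' \n') ;;
        2) hex=$(der_payload "$cert" "$selector" | openssl dgst -sha512 -binary | od -An -tx1 | tr -d ' \n') ;;
        *) echo "bad matching type: $mtype" >&2; return 1 ;;
    esac
    printf '_%s._tcp.%s. IN TLSA %s %s %s %s\n' "$port" "$host" "$usage" "$selector" "$mtype" "$hex"
}

# Constructed input: a throwaway self-signed cert so the demo runs offline.
make_demo_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    echo "$dir/cert.pem"
}

# Stand-alone demo: the DANE-EE / SPKI / SHA-256 form ("3 1 1") for port 443.
demo() {
    cert=$(make_demo_cert)
    tlsa_record "$cert" example.test 443 3 1 1
}
demo
```

A record produced this way for a real cert should be checked against the leaf the server actually presents before it is published, since a selector-1 record survives a certificate renewal only if the key is kept.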
