On Thu, 23 Aug 2012, sandoche BALAKRICHENAN wrote:
dpkg on the Ubuntu system. Firefox whined that the add-on is corrupt and claimed to have refused to install it, but installed something that says it is "DNSSEC/TLSA Validator 0.7".
I put up the xpi as well, you can grab it at: http://people.redhat.com/pwouters/mozilla-extval-0.7.xpi
After giving it the IP address of my resolver, I watched the resolver log for requests for TLSA qtypes and _tcp qnames as I looked at https://fedoraproject.org. I see only A and AAAA requests for fedoraproject.org.
I am also seeing issues with fedoraproject.org and the plugin. I'm still investigating. It might be because of various geo locations and CNAMEs. The proper records are in the zone when I use dig:

[paul@bofh paul]$ dig +dnssec tlsa _443._tcp.fedoraproject.org

; <<>> DiG 9.9.1-P2-RedHat-9.9.1-5.P2.fc17 <<>> +dnssec tlsa _443._tcp.fedoraproject.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34071
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;_443._tcp.fedoraproject.org. IN TLSA

;; ANSWER SECTION:
_443._tcp.fedoraproject.org. 300 IN TLSA 3 0 1 F4BF2EAD76DA47E2EB64D6BD80335B276574E8E62617908D4917F19E 75920F22
_443._tcp.fedoraproject.org. 300 IN RRSIG TLSA 5 4 300 20120920213847 20120821213847 7725 fedoraproject.org. CP/7Wy+WE6t1B89c5NMB7moMB1J1dn4SEz5YbPAcLdtglUpGDjzczdMx 9sN0K6obkB4ljjQhlI8Vclrde7oraw0PAn7fJWfTUyupZ6NT7cTklBlE fc8KwlrfugN+wKu4D+Vg0rBZHp3yH/01obYkKFfyF8oyKPsJSa0nYiVG wbM=

Note that both nohats.ca and fedoraproject.org depend on DLV, whereas dane.rd.nic.fr does not. Btw, is that record going to remain there for the next week? It will be a good demo address for my presentation at Linux Security Summit :)
==> I installed the updated version of os3sec by Paul Wouters and tested it with the link "https://dane.rd.nic.fr", which has TLSA RRs in its zone. I can see the queries for TLSA types. Please see the snapshot of Wireshark. When you click on the lock symbol in the link https://dane.rd.nic.fr you can see the comment "Domain name is secured by DNSSEC and the certificate is validated by DNSSEC". Does this mean TLSA validation is done?
No. It just meant the DNS lookups were secured by DNSSEC. You should see this: https://nohats.ca/dane.rd.nic.fr.png stating: "Domainname is secured by DNSSEC, and TLS proved the certificate is valid (and no CA)" Obviously, if you have a signed cert by a trusted CA, it will tell you that instead. Note TLSA validation is marked with purple. (both https://nohats.ca and https://dane.rd.nic.fr work for me)
I have a question for Paul. In the preferences section for the add-on I specified the IP address of a resolver. But from the Wireshark snapshot I can see the browser has accessed my default resolver. Is this a bug?
Probably. There are a few bugs still present. Caching is also problematic, and when you have DNS outages (e.g. hotspots) then Firefox will be freezing for many seconds trying to recover. It's a proof of concept; I'm hoping the Mozilla people will implement it natively soon. Doing libunbound calls using pointers in JavaScript is, well, the worst of both worlds. I have that setting left blank, but I do run a local unbound with resolv.conf pointing to localhost.

Paul
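Paul's distinction between "secured by DNSSEC" and an actual TLSA match comes down to what the TLSA check computes. As an added example (not code from this thread or from the os3sec add-on), the Python below parses the rdata dig printed for fedoraproject.org (usage 3 = DANE-EE, selector 0 = full certificate, matching type 1 = SHA-256, per RFC 6698) and performs the matching-type comparison against a certificate. The certificate bytes are constructed, and for selector 1 the caller is assumed to supply the SubjectPublicKeyInfo itself.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data

def parse_tlsa_rdata(text: str) -> TLSA:
    """Parse the presentation form 'usage selector mtype hex...'. dig wraps
    long hex data over several tokens, so everything after the third is joined."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in range(4) or selector not in range(2) or mtype not in range(3):
        raise ValueError("unknown TLSA usage/selector/matching type")
    return TLSA(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))

def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes = b"") -> bool:
    """True if the association data matches the presented certificate. Selector 1
    needs the DER SubjectPublicKeyInfo, which a real client extracts from the
    certificate; here the caller supplies it (assumption of this example)."""
    if rec.selector == 0:
        subject = cert_der
    elif spki_der:
        subject = spki_der
    else:
        raise ValueError("selector 1 requires the SubjectPublicKeyInfo bytes")
    if rec.mtype == 0:
        digest = subject
    elif rec.mtype == 1:
        digest = hashlib.sha256(subject).digest()
    else:
        digest = hashlib.sha512(subject).digest()
    return hmac.compare_digest(digest, rec.data)

# The rdata dig printed in the thread, hex split across tokens the way dig wraps it.
FEDORA_RDATA = ("3 0 1 F4BF2EAD76DA47E2EB64D6BD80335B276574E8E62617908D4917F19E "
                "75920F22")
# Constructed stand-in for a DER certificate; not a real certificate.
FAKE_CERT_DER = b"\x30\x82\x01\x00constructed-certificate-bytes"

def demo() -> bool:
    # Build a DANE-EE (3), full-cert (0), SHA-256 (1) record for the constructed cert.
    rec = TLSA(3, 0, 1, hashlib.sha256(FAKE_CERT_DER).digest())
    return tlsa_matches(rec, FAKE_CERT_DER)
```

The add-on's "secured by DNSSEC" text only says the lookup validated; the purple TLSA indicator corresponds to tlsa_matches() returning True for the certificate the server actually presented.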
