In message <[email protected]>, Warren Kumari writes:
>
> On Oct 18, 2012, at 5:56 PM, Mark Andrews <[email protected]> wrote:
>
> >
> > In message <[email protected]>, sandoche BALAKRICHENAN writes:
> >> Hi Paul,
> >>
> >> I have deliberately added a bogus RRSIG record to
> >> "https://dane-broken.rd.nic.fr". But the firefox add-on seems to
> >> successfully validate mentioning "the domain is secured by DNSSEC".
> >>
> >> Sandoche.
> >
> > Well the TLSA is secure. As long as that matches the CERT returned it *is*
> > secured even if the RRSIG on the A RRset is broken.
>
> Ooooh… This is an interesting case (which I personally hadn't considered)...
>
> This all makes sense, but "feels" odd… Not proposing that we do anything, but it did make me blink….
It also helps w/ DNS64. You don't need to care if the AAAA lookups are forged or not for https connections as long as you get to a server which presents the correct certificate and passes the handshake. You do need to care for http connections.

Mark

> W

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
dns-jobs mailing list
https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
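The decision Mark describes, as an added example that is not part of the thread and not the code of the Firefox add-on Sandoche tested: a DANE-EE (TLSA usage 3) matcher per RFC 6698 section 2.1 plus the RFC 7671 outcome rule, where the only DNS input is the validator's state for the TLSA RRset itself. The DNSSEC state of the A/AAAA RRset that led the client to the server is deliberately not a parameter, which is why a bogus RRSIG on the A RRset (or a DNS64-synthesised AAAA) does not change the verdict once the presented certificate matches a secure TLSA record. The certificate is a hand-constructed, unsigned X.509-shaped DER blob with a placeholder key so the script runs offline; the DER helpers, `extract_spki`, `tlsa_matches`, `dane_verdict` and `tlsa_for_cert` are all names chosen for this example. Only usage 3 is matched; usages 0-2 need PKIX chain building and are treated as non-matching here, which is an assumption of the example, not a statement about the protocol.

```python
"""Minimal DANE-EE (TLSA usage 3) matching and verdict, RFC 6698 / RFC 7671.

Added example, not from the thread or from any DANE add-on.  The certificate
below is constructed by hand (unsigned, placeholder key); in real use cert_der
is the leaf certificate taken from the TLS handshake.
"""
import hashlib
import hmac

SEQUENCE, INTEGER, BIT_STRING, OID, NULL, UTCTIME, CTX0 = 0x30, 0x02, 0x03, 0x06, 0x05, 0x17, 0xA0


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_children(buf: bytes, start: int, end: int):
    """Yield (tag, tlv_start, value_start, value_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tlv_start, tag, length = pos, buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        yield tag, tlv_start, pos, pos + length
        pos += length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate.

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, _, vs, ve = next(der_children(cert_der, 0, len(cert_der)))
    assert tag == SEQUENCE, "certificate is not a DER SEQUENCE"
    tbs_tag, _, tbs_vs, tbs_ve = next(der_children(cert_der, vs, ve))
    assert tbs_tag == SEQUENCE, "tbsCertificate is not a SEQUENCE"
    fields = list(der_children(cert_der, tbs_vs, tbs_ve))
    if fields[0][0] == CTX0:                    # explicit version present (v2/v3)
        fields = fields[1:]
    spki_tag, spki_start, _, spki_end = fields[5]   # serial, sigalg, issuer, validity, subject, SPKI
    assert spki_tag == SEQUENCE, "subjectPublicKeyInfo is not a SEQUENCE"
    return cert_der[spki_start:spki_end]


def tlsa_matches(cert_der: bytes, usage: int, selector: int, mtype: int, data: bytes) -> bool:
    """RFC 6698 section 2.1: does one TLSA record match the end-entity certificate?

    Only DANE-EE (usage 3) is handled: the record alone authenticates the leaf.
    Usages 0-2 need PKIX / trust-anchor processing and return False here
    (assumption of this example).
    """
    if usage != 3:
        return False
    if selector == 0:
        subject = cert_der                      # full certificate
    elif selector == 1:
        subject = extract_spki(cert_der)        # SubjectPublicKeyInfo only
    else:
        return False
    if mtype == 0:
        return hmac.compare_digest(subject, data)
    if mtype == 1:
        return hmac.compare_digest(hashlib.sha256(subject).digest(), data)
    if mtype == 2:
        return hmac.compare_digest(hashlib.sha512(subject).digest(), data)
    return False


def dane_verdict(tlsa_state: str, tlsa_records, cert_der: bytes) -> str:
    """Outcome from the TLSA RRset alone (RFC 7671 section 4.1).

    tlsa_state is the validator's result for the TLSA RRset: 'secure',
    'insecure' (unsigned) or 'bogus'.  The A/AAAA RRset's state is not an input.
    """
    if tlsa_state == "bogus":
        return "fail: TLSA RRset is bogus, do not connect"
    if tlsa_state == "insecure":
        return "no-dane: TLSA RRset unsigned, fall back to non-DANE validation"
    for usage, selector, mtype, data in tlsa_records:
        if tlsa_matches(cert_der, usage, selector, mtype, data):
            return "secure: DANE-EE match"
    return "fail: no TLSA record matches the presented certificate"


def tlsa_for_cert(cert_der: bytes, selector: int = 1, mtype: int = 1):
    """The '3 <selector> <mtype>' rdata an operator would publish for this certificate."""
    subject = cert_der if selector == 0 else extract_spki(cert_der)
    digest = {0: lambda b: b,
              1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[mtype]
    return (3, selector, mtype, digest(subject))


def build_sample_cert() -> bytes:
    """Constructed, unsigned X.509-shaped DER (placeholder key, dummy signature)."""
    rsa_oid = der_tlv(OID, bytes.fromhex("2a864886f70d010101"))          # rsaEncryption
    sha256_rsa = der_tlv(SEQUENCE, der_tlv(OID, bytes.fromhex("2a864886f70d01010b")) + der_tlv(NULL, b""))
    spki = der_tlv(SEQUENCE, der_tlv(SEQUENCE, rsa_oid + der_tlv(NULL, b""))
                   + der_tlv(BIT_STRING, b"\x00" + b"\x42" * 32))          # not a real RSA key
    empty_name = der_tlv(SEQUENCE, b"")
    validity = der_tlv(SEQUENCE, der_tlv(UTCTIME, b"121018000000Z") + der_tlv(UTCTIME, b"131018000000Z"))
    tbs = der_tlv(SEQUENCE, der_tlv(CTX0, der_tlv(INTEGER, b"\x02")) + der_tlv(INTEGER, b"\x01")
                  + sha256_rsa + empty_name + validity + empty_name + spki)
    return der_tlv(SEQUENCE, tbs + sha256_rsa + der_tlv(BIT_STRING, b"\x00" * 17))


if __name__ == "__main__":
    cert = build_sample_cert()
    good, bad = tlsa_for_cert(cert), (3, 1, 1, hashlib.sha256(b"another key").digest())
    for state, rrset in (("secure", [good]), ("secure", [bad]), ("bogus", [good]), ("insecure", [good])):
        print(state, "->", dane_verdict(state, rrset, cert))
```

Note the asymmetry Mark points out for plain http: nothing in the handshake ties the peer to the name, so there a forged A/AAAA answer is the whole attack, and only DNSSEC validation of the address RRset itself helps.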
