On 18 October 2012 23:43, Warren Kumari <[email protected]> wrote:
>
> On Oct 18, 2012, at 5:56 PM, Mark Andrews <[email protected]> wrote:
>
>>
>> In message <[email protected]>, sandoche BALAKRICHENAN writes:
>>> Hi Paul,
>>>
>>> I have deliberately added a bogus RRSIG record to
>>> "https://dane-broken.rd.nic.fr". But the firefox add-on seems to
>>> successfully validate mentioning "the domain is secured by DNSSEC".
>>>
>>> Sandoche.
>>
>> Well the TLSA is secure. As long as that matches the CERT returned it *is*
>> secured even if the RRSIG on the A RRset is broken.
>
> Ooooh… This is an interesting case (which I personally hadn't considered)...
>
> This all makes sense, but "feels" odd… Not proposing that we do anything, but
> it did make me blink….

Feels right to me - who cares what the address is if they have the right cert?

> W
>
>
>>
>> ; <<>> DiG 9.10.0pre-alpha <<>> _443._tcp.dane-broken.rd.nic.fr tlsa +dnssec
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52053
>> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>> ;; QUESTION SECTION:
>> ;_443._tcp.dane-broken.rd.nic.fr. IN TLSA
>>
>> ;; ANSWER SECTION:
>> _443._tcp.dane-broken.rd.nic.fr. 1 IN TLSA 3 0 1
>> 6E013C54DF90D42D3C016E1AC9EB21E6DA45403D3A5AE9B2D8F21FC3 600D409C
>> _443._tcp.dane-broken.rd.nic.fr. 1 IN RRSIG TLSA 5 6 1 20130415134103
>> 20121017134103 24975 dane-broken.rd.nic.fr.
>> UFaeHhxVp8zy1tpcR049JqGEvNZrmDLkpgoo63v4gvEtwLp0KRbSBL5J
>> vVlNnz8s5Uk68i8diY/zGt1epP72C2S6C3AUHKdYZiwvxBQwd34Sawna
>> jZMjfAkXEH5z9cjkk1AVm0ReRPs9kbVc0iPDLcH+z21VJBZyFmloOflM EXU=
>>
>> ;; Query time: 838 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Fri Oct 19 08:49:24 2012
>> ;; MSG SIZE rcvd: 288
>>
>>
>>> On 09/12/2012 10:44 PM, Paul Wouters wrote:
>>>> On Wed, 12 Sep 2012, Marco Davids (SIDN) wrote:
>>>>
>>>>> On 08/23/12 20:02, Paul Wouters wrote:
>>>>>
>>>>>> I put up the xpi as well, you can grab it at:
>>>>>> http://people.redhat.com/pwouters/mozilla-extval-0.7.xpi
>>>>>
>>>>> I like it.
>>>>>
>>>>> However, there might be room for improvement in the wording of the
>>>>> messages.
>>>>>
>>>>> I deliberately broke the TLSA record (https://forfun.net/) and the
>>>>> message is (in green):
>>>>>
>>>>> "Domainname is secured by DNSSEC and the certificate is validated by
>>>>> CA."
>>>>>
>>>>> Both true, but as a paranoid user, I would have appreciated a little bit
>>>>> more information, like:
>>>>>
>>>>> "... but the certificate did not pass a DANE check"
>>>>>
>>>>> (or something similar)
>>>>
>>>> It should do that. When I check your domain it tells me there is no TLSA
>>>> record, but I checked all name servers and it is there (and incorrect)
>>>>
>>>> I'll add it on my TODO list :)
>>>>
>>>> Paul
>>>> _______________________________________________
>>>> dns-operations mailing list
>>>> [email protected]
>>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>>> dns-jobs mailing list
>>>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>>>
>>> _______________________________________________
>>> dane mailing list
>>> [email protected]
>>> https://www.ietf.org/mailman/listinfo/dane
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: [email protected]
>>
>
> --
> After you'd known Christine for any length of time, you found yourself
> fighting a desire to look into her ear to see if you could spot daylight
> coming the other way.
>
> -- (Terry Pratchett, Maskerade)
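The check Mark describes above (a DANE-EE verdict rests on the DNSSEC-secure TLSA RRset matching the presented certificate, not on the A RRset's RRSIG), written out as an added example that is not code from the thread or from the Firefox add-on. It parses the TLSA record from the dig output; the certificate and SPKI bytes are constructed placeholders, since the real certificate is not on the page.

```python
import hashlib

# The TLSA record from the dig output above (usage 3 = DANE-EE, selector 0 =
# full certificate, matching type 1 = SHA-256), hex split as dig printed it.
PAGE_TLSA = "3 0 1 6E013C54DF90D42D3C016E1AC9EB21E6DA45403D3A5AE9B2D8F21FC3 600D409C"
# Constructed placeholders: the real DER certificate is not on the page.
CERT_DER = b"constructed-placeholder-certificate-DER"
SPKI_DER = b"constructed-placeholder-subjectPublicKeyInfo-DER"


def parse_tlsa(rdata):
    """Split 'usage selector mtype hexdata' presentation format; the hex
    may be broken into several whitespace-separated chunks."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def association_matches(rdata, cert_der, spki_der):
    """RFC 6698 certificate-association check for one TLSA record.
    Selector 0 covers the full DER certificate, selector 1 the SPKI;
    matching type 0 is exact, 1 is SHA-256, 2 is SHA-512."""
    _usage, selector, mtype, assoc = parse_tlsa(rdata)
    if selector == 0:
        selected = cert_der
    elif selector == 1:
        selected = spki_der
    else:
        return False  # unknown selector: record is unusable
    if mtype == 0:
        digest = selected
    elif mtype == 1:
        digest = hashlib.sha256(selected).digest()
    elif mtype == 2:
        digest = hashlib.sha512(selected).digest()
    else:
        return False  # unknown matching type: record is unusable
    return digest == assoc


def publish_tlsa_3_0_1(cert_der):
    """Record an operator would publish for the full certificate, SHA-256."""
    return "3 0 1 " + hashlib.sha256(cert_der).hexdigest().upper()


def dane_ee_verdict(tlsa_rrset_secure, tlsa_records, cert_der, spki_der):
    """Mark's point: only the TLSA RRset's DNSSEC status and its match against
    the presented certificate decide the DANE-EE result. The A RRset is not an
    input. Returns 'secure', 'no-match' or 'not-secure' (TLSA RRset unusable)."""
    if not tlsa_rrset_secure:
        return "not-secure"
    for rdata in tlsa_records:
        if parse_tlsa(rdata)[0] == 3 and association_matches(rdata, cert_der, spki_der):
            return "secure"
    return "no-match"
```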
