Hi Timothe,

it's hard to debug without details, but in this case I suspect that NSEC/NSEC3 is broken at your site - either at the authoritative side, or resolver side.

If you cannot send the names, please try to resolve:

  dig IN TLSA _443._tcp.<site_name>

and send us anonymized output. Example outputs:

Site with TLSA:
+++++++++++++++

$ dig IN TLSA _443._tcp.www.nic.cz

; <<>> DiG 9.9.5-4.3-Debian <<>> IN TLSA _443._tcp.www.nic.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45919
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; *****************************************************
;; NOTE: The *AD* flag is here indicating secure DNSSEC.
;; *****************************************************

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_443._tcp.www.nic.cz. IN TLSA

;; ANSWER SECTION:
_443._tcp.www.nic.cz. 1794 IN TLSA 3 1 1 6F86DD26212E613900BDC6DB753955CE4FF43644ED97D83E8C0D1E07 018E9FE8

;; AUTHORITY SECTION:
nic.cz. 1482 IN NS d.ns.nic.cz.
nic.cz. 1482 IN NS a.ns.nic.cz.
nic.cz. 1482 IN NS b.ns.nic.cz.

;; ADDITIONAL SECTION:
d.ns.nic.cz. 16230 IN A 193.29.206.1
d.ns.nic.cz. 16230 IN AAAA 2001:678:1::1

;; Query time: 0 msec
;; SERVER: 172.20.20.254#53(172.20.20.254)
;; WHEN: Thu Oct 16 11:53:32 CEST 2014
;; MSG SIZE rcvd: 191

Site without TLSA:
++++++++++++++++++

$ dig IN TLSA _443._tcp.www.fio.cz

; <<>> DiG 9.9.5-4.3-Debian <<>> IN TLSA _443._tcp.www.fio.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61260
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; ***************************************************************************
;; NOTE: The *AD* flag is here indicating secure DNSSEC on non-existent domain
;; ***************************************************************************

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_443._tcp.www.fio.cz. IN TLSA

;; AUTHORITY SECTION:
fio.cz. 3600 IN SOA ns1.fio.cz. admin.fio.cz. 2014101501 21600 3600 1800000 3600

;; Query time: 12 msec
;; SERVER: 172.20.20.254#53(172.20.20.254)
;; WHEN: Thu Oct 16 11:53:59 CEST 2014
;; MSG SIZE rcvd: 95

Cheers,
--
Ondřej Surý -- Chief Science Officer
-------------------------------------------
CZ.NIC, z.s.p.o. -- Laboratoře CZ.NIC
Americka 23, 120 00 Praha 2, Czech Republic
mailto:[email protected] http://nic.cz/
-------------------------------------------

----- Original Message -----
> From: "Timothe Litt" <[email protected]>
> To: [email protected]
> Sent: Tuesday, October 14, 2014 11:15:45 PM
> Subject: [dnssec-validator-users] DANE 'bogus bogus'
>
> Validator 2.1.2 (Latest on Firefox plugins site), Firefox 32.0.3
>
> A site which is secured by DNSSEC, but not by DANE (there is no TLSA
> certificate) reports:
>
> * (Green rectangle) Secured by DNSSEC
> * (Circled Red padlock) 'Bogus DNSSEC signature' on hover. Click on
> the icon adds 'This domain name is secured by DNSSEC but an invalid
> domain name signature has been detected...'
>
> This is confusing. There is a good DNSSEC signature. There is NO DANE
> certificate; this isn't bogus, it's normal. And the place where it
> might be IS DNSSEC-secured.
>
> The DANE indicator should say 'Not signed by DANE' in this case. Or
> perhaps it should disappear. And the 'invalid domain name signature'
> message should include the failing name if it's not the one in the
> address bar. (e.g. ' but ns2.example.net has an invalid signature')
>
> I'd rather have one indicator for both verification types; it's clearer
> for the end user and uses less space on the address bar.
>
> I think the cases are:
>
> Good (Valid signature(s), no problems):
> o 'Secured by DNSSEC'
> o 'Secured by DANE'
> o 'Secured by DNSSEC & DANE'
>
> Neutral (Sadly, most sites):
> o 'Not secured by DNSSEC or DANE'
>
> Bad (At least one signature exists, but fails validation):
> o 'Bad DNSSEC signature'
> o 'Site certificate does not match DANE'
> o 'Bad DNSSEC signature AND site certificate does not match DANE'
>
> Very Bad (Inconsistent signatures):
> o 'Secured by DNSSEC, but site certificate does not match DANE'
> (*ONLY* when TLSA is present)
> o 'Secured by DANE, but DNSSEC signature is bad'
>
> --
> Timothe Litt
> ACM Distinguished Engineer
> --------------------------
> This communication may not represent the ACM or my employer's views,
> if any, on the matters discussed.
>
>
>
> _______________________________________________
> dnssec-validator-users mailing list
> [email protected]
> https://lists.nic.cz/cgi-bin/mailman/listinfo/dnssec-validator-users
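The two dig outputs in the reply above, together with the indicator cases Timothe lists, can be turned into a small checker. The following Python script is an added example; it is not code from the thread or from the DNSSEC/TLSA Validator plugin. It parses the text `dig IN TLSA` prints, reads the `status` and the `ad` (Authenticated Data) flag, collects any TLSA records from the answer section and maps the result onto the three states the thread distinguishes: secured by DNSSEC with a TLSA record, secured by DNSSEC with a proven-absent TLSA record (the "normal, not bogus" case), and bogus. The `DIG_BOGUS` sample is constructed; it relies on the standard behaviour of a validating resolver, which returns SERVFAIL without the AD flag when the chain fails to validate. The `tlsa_matches` function checks a parsed record against a certificate using the RFC 6698 selector (0 = full certificate, 1 = SubjectPublicKeyInfo) and matching type (0 = exact, 1 = SHA-256, 2 = SHA-512); the caller is assumed to supply the DER-encoded certificate and SPKI bytes.

```python
"""Parse `dig IN TLSA` output and classify the DNSSEC/DANE state of a name.

Added example; not code from the mailing-list thread or the validator plugin.
"""
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class TlsaRecord:
    usage: int      # certificate usage, e.g. 3 = DANE-EE (end-entity certificate)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


@dataclass
class DigResult:
    status: str             # NOERROR, NXDOMAIN, SERVFAIL, ...
    ad: bool                # Authenticated Data flag set by the validating resolver
    tlsa: list = field(default_factory=list)


_STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
_FLAGS_RE = re.compile(r";; flags:\s*([a-z ]*);")
# Answer-section RR: owner TTL IN TLSA usage selector matching hexdata
# Lines starting with ';' (question section, comments) are excluded.
_TLSA_RE = re.compile(
    r"^(?!;)\S+\s+\d+\s+IN\s+TLSA\s+(\d)\s+(\d)\s+(\d)\s+([0-9A-Fa-f][0-9A-Fa-f ]*)$",
    re.MULTILINE,
)


def parse_dig(output: str) -> DigResult:
    """Extract status, AD flag and TLSA records from dig's text output."""
    m = _STATUS_RE.search(output)
    status = m.group(1) if m else "UNKNOWN"
    m = _FLAGS_RE.search(output)
    flags = m.group(1).split() if m else []
    records = [
        TlsaRecord(int(u), int(s), int(mt), bytes.fromhex(d.replace(" ", "")))
        for u, s, mt, d in _TLSA_RE.findall(output)
    ]
    return DigResult(status=status, ad="ad" in flags, tlsa=records)


def classify(r: DigResult) -> str:
    """Map a TLSA lookup onto the indicator wording an end user should see."""
    if r.status == "SERVFAIL":
        # A validating resolver returns SERVFAIL (and no AD) for a bogus chain.
        return "bogus DNSSEC"
    if not r.ad:
        return "not secured by DNSSEC or DANE"
    if r.status == "NXDOMAIN" or not r.tlsa:
        # Secure denial of existence: NSEC/NSEC3 proved the name or type is
        # absent and the resolver still set AD. The zone is signed but publishes
        # no TLSA record, which is normal rather than bogus.
        return "secured by DNSSEC, no TLSA (not secured by DANE)"
    return "secured by DNSSEC, TLSA present (check certificate against DANE)"


def tlsa_matches(rec: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Check one TLSA record against a certificate (RFC 6698 selector/matching)."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.matching == 0:
        return selected == rec.data
    if rec.matching == 1:
        return hashlib.sha256(selected).digest() == rec.data
    if rec.matching == 2:
        return hashlib.sha512(selected).digest() == rec.data
    return False  # unknown matching type: treat as no match


# Trimmed copies of the two dig outputs quoted in the reply above.
DIG_WITH_TLSA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45919
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; QUESTION SECTION:
;_443._tcp.www.nic.cz. IN TLSA
;; ANSWER SECTION:
_443._tcp.www.nic.cz. 1794 IN TLSA 3 1 1 6F86DD26212E613900BDC6DB753955CE4FF43644ED97D83E8C0D1E07 018E9FE8
"""
DIG_NO_TLSA = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 61260
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
fio.cz. 3600 IN SOA ns1.fio.cz. admin.fio.cz. 2014101501 21600 3600 1800000 3600
"""
# Constructed sample: what a validating resolver returns for a bogus chain.
DIG_BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

if __name__ == "__main__":
    for name, out in (("www.nic.cz", DIG_WITH_TLSA), ("www.fio.cz", DIG_NO_TLSA),
                      ("constructed bogus", DIG_BOGUS)):
        print(f"{name}: {classify(parse_dig(out))}")
```

Running the script prints one line per sample. The check in `classify` is the one the thread argues for: AD set plus NXDOMAIN (or an empty answer) is "secured by DNSSEC, not by DANE", while only a SERVFAIL without AD should ever produce "bogus".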
