Hello, try downloading the latest version here: https://www.dnssec-validator.cz/pages/download.html
Could you provide the address of the page?

On 14.10.2014 23:15, Timothe Litt wrote:
> Validator 2.1.2 (Latest on Firefox plugins site), Firefox 32.0.3
>
> A site which is secured by DNSSEC, but not by DANE (there is no TLSA
> certificate) reports:
>
> * (Green rectangle) Secured by DNSSEC
> * (Circled Red padlock) 'Bogus DNSSEC signature' on hover. Click on
>   the icon adds 'This domain name is secured by DNSSEC but an invalid
>   domain name signature has been detected...'

It appears that the domain is DNSSEC-signed but the actual signature of the TLSA query response could not be validated because of various reasons.

> This is confusing. There is a good DNSSEC signature. There is NO DANE
> certificate; this isn't bogus, it's normal. And the place where it
> might be IS DNSSEC-secured.
>
> The DANE indicator should say 'Not signed by DANE' in this case. Or
> perhaps it should disappear. And the 'invalid domain name signature'
> message should include the failing name if it's not the one in the
> address bar. (e.g. ' but ns2.example.net has an invalid signature')

I don't think so. If the response could not be validated by using DNSSEC then a 'Not signed by DANE' would be wrong. 'Not signed by DANE' is used when there is a valid NO TLSA record response which is correctly signed by DNSSEC.

> I'd rather have one indicator for both verification types; it's clearer
> for the end user and uses less space on the address bar.
>
> I think the cases are:
> Good (Valid signature(s), no problems):
>   o 'Secured by DNSSEC'
>   o 'Secured by DANE'
>   o 'Secured by DNSSEC & DANE'
>
> Neutral (Sadly, most sites):
>   o 'Not secured by DNSSEC or DANE'
>
> Bad (At least one signature exists, but fails validation):
>   o 'Bad DNSSEC signature'
>   o 'Site certificate does not match DANE'
>   o 'Bad DNSSEC signature AND site certificate does not match DANE'
>
> Very Bad (Inconsistent signatures):
>   o 'Secured by DNSSEC, but site certificate does not match DANE'
>     (*ONLY* when TLSA is present)
>   o 'Secured by DANE, but DNSSEC signature is bad'

_______________________________________________
dnssec-validator-users mailing list
[email protected]
https://lists.nic.cz/cgi-bin/mailman/listinfo/dnssec-validator-users
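
The distinction drawn in the reply above (a validated "no TLSA" answer versus a TLSA response that fails validation), sketched as an added example that is not part of the original messages and is not the validator add-on's own code. The function names, the `{ status, records }` result shape and the wording used for an unsigned answer are assumptions.

```javascript
// DNSSEC validation outcomes for a single lookup (RFC 4035 terminology).
const SECURE = "secure", INSECURE = "insecure", BOGUS = "bogus";

// TLSA records are published at _<port>._<proto>.<host> (RFC 6698).
function tlsaOwner(host, port = 443, proto = "tcp") {
  return `_${port}._${proto}.${host.replace(/\.$/, "")}`;
}

// addr, tlsa: { status, records } for the address and TLSA lookups
// (hypothetical shape). certMatches: true when the server certificate
// matched one of the TLSA records.
function indicators(host, addr, tlsa, certMatches) {
  const dnssec =
    addr.status === SECURE ? "Secured by DNSSEC" :
    addr.status === BOGUS ? `Bogus DNSSEC signature for ${host}` :
    "Not secured by DNSSEC";

  let dane;
  if (tlsa.status === BOGUS) {
    // The TLSA response failed validation, so the absence of TLSA is
    // unproven. Report bogus and name the failing owner name, which is
    // not the name shown in the address bar.
    dane = `Bogus DNSSEC signature for ${tlsaOwner(host)}`;
  } else if (tlsa.status === INSECURE) {
    // Assumption: an unsigned answer cannot carry usable TLSA data.
    dane = "Not secured by DANE";
  } else if (tlsa.records.length === 0) {
    // Validated denial of existence: the zone proves there is no TLSA.
    dane = "Not signed by DANE";
  } else {
    dane = certMatches
      ? "Secured by DANE"
      : "Site certificate does not match DANE";
  }
  return { dnssec, dane };
}

// Constructed sample: signed address record, TLSA lookup fails validation.
const sample = indicators(
  "www.example.net",
  { status: SECURE, records: ["192.0.2.1"] },
  { status: BOGUS, records: [] },
  false
);
console.log(sample.dnssec, "|", sample.dane);
```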
