> On Oct 13, 2015, at 3:42 PM, Andreas Pothe <[email protected]> 
> wrote:
> 
> Hi,
> 
> Can you confirm that addons.mozilla.org has a broken DANE entry?
> The DNSSEC Validator plugin in Firefox says "no DNSSEC at
> addons.mozilla.org" but "invalid DNSSEC signature".

Correct. There is no DNSSEC.

Test #  Host    IP      Status  Test Description (§ Section)
103     addons.mozilla.org              FAILED  Service hostname must have 
matching TLSA record
Resolving TLSA records for hostname '_443._tcp.addons.mozilla.org'
SECURE DNS CNAME lookup addons.mozilla.org = addons.dynect.mozilla.net.
102                     PASSED  if at any stage of recursive expansion an 
"insecure" CNAME record is encountered, then it and all subsequent results (in 
particular, the final result) MUST be considered "insecure" regardless of 
whether any earlier CNAME records leading to the "insecure" record were 
"secure". (§2.1.3)
Expanding CNAME addons.mozilla.org to addons.dynect.mozilla.net.
INSECURE DNS A lookup addons.dynect.mozilla.net. = 63.245.216.132
205     addons.mozilla.org      63.245.216.132  PASSED  Server must have End 
Entity Certificate
Fetching EE Certificate for addons.mozilla.org from 63.245.216.132 port 443 via 
https
306     a       63.245.216.132          Server EE Certificate does not PKIX 
Verify
Checking EE Certificate 'addons.mozilla.org' against system anchors
307     a       63.245.216.132  FAILED  "When name checks are applicable 
(certificate usage DANE-TA(2)), if the server certificate contains a Subject 
Alternative Name extension ([RFC5280]), with at least one DNS-ID ([RFC6125]) 
then only the DNS- IDs are matched against the client's reference 
identifiers.... The server certificate is considered matched when one of its 
presented identifiers ([RFC5280]) matches any of the client's reference 
identifiers." (§3.2.3)
Hostname addons.mozilla.org does not match EE Certificate Common Name 
'addons.mozilla.org'
403     addons.mozilla.org              FAILED  All IP addresses for a host 
that is TLSA protected must TLSA verify
Validating TLSA records for 0 out of 1 IP addresses found for host 
addons.mozilla.org
405                     FAILED  All DNS lookups must be secured by DNSSEC
404                     FAILED  No HTTP DANE test may fail
Were any DANE HTTP tests a hard fail?
Using OpenSSL Version 1.0.2d 9 Jul 2015


> 
> CU
> Andreas
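
The classification the test output applies above (test 102: an insecure CNAME link taints everything after it; test 405: all lookups must be DNSSEC-secured before TLSA verification is attempted) can be written down as a small resolver-side check. The following is an added example, not code from the thread or from the DANE test tool whose output is quoted; the DNS data is constructed in memory to mirror the lookups shown (secure CNAME, insecure A record, no TLSA) plus two hypothetical hosts `signed.example` and `plain.example`, so nothing is queried over the network. Looking for TLSA records under the fully expanded name as well as the original one is my reading of RFC 7671 §7, not something the thread states.

```python
"""Walk a CNAME chain and decide whether DANE applies (RFC 7671 §2.1.3 semantics).

Added example, not part of the mailing-list thread. ZONE is constructed data
mirroring the lookups in the quoted test output; no network access.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RRset:
    """One answer RRset with its DNSSEC validation status (the AD bit)."""
    name: str
    rtype: str
    rdata: List
    secure: bool


# Constructed zone data (assumption: mirrors the thread's lookups, not live DNS).
ZONE: Dict[Tuple[str, str], RRset] = {
    ("addons.mozilla.org.", "CNAME"): RRset(
        "addons.mozilla.org.", "CNAME", ["addons.dynect.mozilla.net."], secure=True),
    ("addons.dynect.mozilla.net.", "A"): RRset(
        "addons.dynect.mozilla.net.", "A", ["63.245.216.132"], secure=False),
    # Hypothetical fully signed host with a DANE-EE(3) SPKI SHA-256 record
    # (constructed hash value, usage/selector/matching type 3 1 1).
    ("signed.example.", "CNAME"): RRset(
        "signed.example.", "CNAME", ["www.signed.example."], secure=True),
    ("www.signed.example.", "A"): RRset(
        "www.signed.example.", "A", ["192.0.2.10"], secure=True),
    ("_443._tcp.www.signed.example.", "TLSA"): RRset(
        "_443._tcp.www.signed.example.", "TLSA", [(3, 1, 1, "ab" * 32)], secure=True),
    # Hypothetical signed host with no TLSA record at all.
    ("plain.example.", "A"): RRset("plain.example.", "A", ["192.0.2.20"], secure=True),
}


def fqdn(name: str) -> str:
    return name if name.endswith(".") else name + "."


def lookup(name: str, rtype: str) -> Optional[RRset]:
    return ZONE.get((fqdn(name), rtype))


@dataclass
class Resolution:
    final_name: str
    addresses: List[str]
    chain: List[Tuple[str, str, bool]] = field(default_factory=list)
    secure: bool = True


def resolve(name: str, rtype: str = "A", max_cnames: int = 8) -> Resolution:
    """Expand CNAMEs; the result is secure only if every link is secure (§2.1.3)."""
    secure = True
    chain: List[Tuple[str, str, bool]] = []
    current = fqdn(name)
    for _ in range(max_cnames + 1):
        rr = lookup(current, rtype)
        if rr is not None:
            return Resolution(current, list(rr.rdata), chain, secure and rr.secure)
        cname = lookup(current, "CNAME")
        if cname is None:
            # No data at the end of the chain: nothing to connect to.
            return Resolution(current, [], chain, secure)
        target = cname.rdata[0]
        chain.append((current, target, cname.secure))
        secure = secure and cname.secure  # one insecure link taints all later results
        current = target
    raise ValueError("CNAME chain too long")


def dane_status(hostname: str, port: int = 443) -> dict:
    """Classify a host: 'insecure' (DANE not attempted), 'no-tlsa', or 'dane'."""
    hostname = fqdn(hostname)
    res = resolve(hostname)
    if not res.secure:
        return {"status": "insecure", "addresses": res.addresses, "tlsa_name": None}
    # Assumption (RFC 7671 §7): with a secure CNAME chain, TLSA records may live
    # under the fully expanded name; fall back to the original name.
    candidates = [res.final_name] if res.final_name != hostname else []
    candidates.append(hostname)
    for base in candidates:
        tlsa_name = f"_{port}._tcp.{base}"
        tlsa = lookup(tlsa_name, "TLSA")
        if tlsa is not None and tlsa.secure:  # an insecure TLSA RRset is unusable
            return {"status": "dane", "addresses": res.addresses,
                    "tlsa_name": tlsa_name, "records": list(tlsa.rdata)}
    return {"status": "no-tlsa", "addresses": res.addresses, "tlsa_name": None}


if __name__ == "__main__":
    for host in ("addons.mozilla.org", "signed.example", "plain.example"):
        print(host, dane_status(host))
```

Run as-is, the addons.mozilla.org entry comes back `insecure` with the expanded address `63.245.216.132`, which is exactly why the quoted run validates TLSA for "0 out of 1 IP addresses": the secure CNAME does not help once the A record behind it is unsigned.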
