Warren Kumari wrote:
> 
> Mark Andrews <[email protected]> wrote:
>> 
>> sandoche BALAKRICHENAN writes:
>>> Hi Paul,
>>> 
>>>        I have deliberately added a bogus RRSIG record to
>>> "https://dane-broken.rd.nic.fr". But the firefox add-on seems to
>>> successfully validate mentioning "the domain is secured by DNSSEC".
>>> 
>>> Sandoche.
>> 
>> Well the TLSA is secure.   As long as that matches the CERT returned it *is*
>> secured even if the RRSIG on the A RRset is broken.
>
> Ooooh? This is an interesting case (which I personally hadn't considered)... 
> 
> This all makes sense, but "feels" odd? Not proposing that we do
> anything, but it did make me blink.


Somehow I can not follow your discussion.
What exactly do you mean by "added a bogus RRSIG record"?

If the DNSSEC signature on the TLSA record can _not_ be verified,
then the Browser MUST NOT flag the Server as being DANE-verified.

When the server cert has been issued from a public CA, and the
zone is either without DNSSEC or verifiably without TLSA record
for the server, then the browser is doing a regular TLS handshake
and traditional (rfc2818 section 3.1) server endpoint identification.

Certs from private CAs or self-signed certs must continue to
result in the scary-page.

-Martin
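
The decision procedure Martin spells out, written down as a small check function so the two
cases in the thread can be run side by side. This is an added example, not code from the
list or from any browser add-on. It takes the DNSSEC validation state of the TLSA RRset
(secure, bogus, insecure, or a signed zone that provably has no TLSA), the TLSA records,
the end-entity certificate bytes, and whether the certificate already passes a regular
public-CA chain and rfc2818 section 3.1 name check. Note what is *not* an input: the
validation state of the A RRset, which is the point Mark makes above; only the signature on
the TLSA RRset decides the DANE outcome. Assumptions of mine, not statements from the
message: a bogus TLSA answer is treated as a hard failure rather than a fall-back to PKIX
(RFC 6698 section 4.1 requires aborting in that case); a secure TLSA RRset that matches
nothing is also a failure; only the end-entity usages (PKIX-EE = 1, DANE-EE = 3) are
handled, since the trust-anchor usages need the whole chain. The certificate and SPKI
byte strings are constructed placeholders, not real DER.

```python
import hashlib
import hmac
from dataclasses import dataclass
from enum import Enum


class DnssecState(Enum):
    """Validation state of the TLSA RRset lookup (not of the A/AAAA RRset)."""
    SECURE = "secure"          # RRSIG on the TLSA RRset validated
    BOGUS = "bogus"            # signed zone, but the TLSA RRSIG does not verify
    INSECURE = "insecure"      # zone is not signed / no chain of trust
    SECURE_NODATA = "nodata"   # signed zone, provably no TLSA RRset for the name


@dataclass(frozen=True)
class TLSA:
    usage: int      # RFC 6698: 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare one TLSA record against the end-entity certificate (RFC 6698 section 2.1)."""
    selected = {0: cert_der, 1: spki_der}.get(rec.selector)
    if selected is None:
        return False            # unknown selector: the record is unusable
    if rec.mtype == 0:
        assoc = selected
    elif rec.mtype == 1:
        assoc = hashlib.sha256(selected).digest()
    elif rec.mtype == 2:
        assoc = hashlib.sha512(selected).digest()
    else:
        return False            # unknown matching type: the record is unusable
    return hmac.compare_digest(assoc, rec.data)


def browser_verdict(tlsa_state: DnssecState, tlsa_records, cert_der: bytes,
                    spki_der: bytes, pkix_valid: bool) -> str:
    """Return 'dane-verified', 'pkix-verified' or 'scary-page'.

    pkix_valid means the chain builds to a public CA and the name matches
    (rfc2818 section 3.1). The A RRset's DNSSEC state is deliberately not an
    input: a broken RRSIG on the A RRset does not change the TLSA verdict.
    """
    if tlsa_state is DnssecState.BOGUS:
        # Message: must not be flagged as DANE-verified.
        # Assumption: abort instead of falling back to PKIX (RFC 6698 section 4.1).
        return "scary-page"

    if tlsa_state is DnssecState.SECURE:
        for rec in tlsa_records:
            if rec.usage == 3 and tlsa_matches(rec, cert_der, spki_der):
                return "dane-verified"   # DANE-EE: no CA needed, self-signed is fine
            if rec.usage == 1 and pkix_valid and tlsa_matches(rec, cert_der, spki_der):
                return "dane-verified"   # PKIX-EE: pins which public-CA cert is acceptable
        return "scary-page"   # assumption: a secure RRset that matches nothing is a failure

    # INSECURE or SECURE_NODATA: plain TLS with traditional endpoint identification.
    return "pkix-verified" if pkix_valid else "scary-page"


# Constructed sample data; these are placeholders, not real DER structures.
CERT_DER = b"constructed: not a real DER certificate"
SPKI_DER = b"constructed: not a real SubjectPublicKeyInfo"
DANE_EE_SHA256 = TLSA(3, 1, 1, hashlib.sha256(SPKI_DER).digest())   # 3 1 1 <sha256(spki)>
PKIX_EE_EXACT = TLSA(1, 0, 0, CERT_DER)                              # 1 0 0 <full cert>
WRONG_RECORD = TLSA(3, 0, 1, hashlib.sha256(b"another certificate").digest())

if __name__ == "__main__":
    # The thread's case: TLSA RRset secure and matching, A RRSIG broken -> still DANE-verified.
    print(browser_verdict(DnssecState.SECURE, [DANE_EE_SHA256], CERT_DER, SPKI_DER, False))
    # Bogus RRSIG on the TLSA RRset itself -> never DANE-verified, even with a public-CA cert.
    print(browser_verdict(DnssecState.BOGUS, [DANE_EE_SHA256], CERT_DER, SPKI_DER, True))
    # Unsigned zone, public-CA cert -> ordinary TLS; self-signed -> scary page.
    print(browser_verdict(DnssecState.INSECURE, [], CERT_DER, SPKI_DER, True))
    print(browser_verdict(DnssecState.SECURE_NODATA, [], CERT_DER, SPKI_DER, False))
```

The useful thing to read off the four calls at the bottom is which RRset's signature each
verdict hinges on: a bogus RRSIG on the A RRset never reaches browser_verdict at all,
while a bogus RRSIG on the TLSA RRset turns a matching record into a failure no matter what
the public-CA check says.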

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
