In message <[email protected]>, Martin Rex writes:
> Warren Kumari wrote:
> >
> > Mark Andrews <[email protected]> wrote:
> >>
> >> sandoche BALAKRICHENAN writes:
> >>> Hi Paul,
> >>>
> >>> I have deliberately added a bogus RRSIG record to
> >>> "https://dane-broken.rd.nic.fr". But the firefox add-on seems to
> >>> successfully validate mentioning "the domain is secured by DNSSEC".
> >>>
> >>> Sandoche.
> >>
> >> Well the TLSA is secure. As long as that matches the CERT returned it *is*
> >> secured even if the RRSIG on the A RRset is broken.
> >
> > Ooooh? This is an interesting case (which I personally hadn't considered)...
> >
> > This all makes sense, but "feels" odd? Not proposing that we do
> > anything, but it did make me blink?.
>
> Somehow I can not follow your discussion.
> What exactly do you mean by "added a bogus RRSIG record"?

The A and SOA signatures were broken, not the TLSA.

> If the DNSSEC signature on the TLSA record can _not_ be verified,
> then the Browser MUST NOT flag the Server as being DANE-verified.

It could be verified.

> When the server cert has been issued from a public CA, and the
> zone is either without DNSSEC or verifiably without TLSA record
> for the server, then the browser is doing a regular TLS handshake
> and traditional (rfc2818 section 3.1) server endpoint identification.
>
> Certs from private CAs or self-signed certs must continue to
> result in the scary-page.
>
> -Martin
>
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
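The decision the thread is circling, written out as an added example (it is not the Firefox add-on's code nor anything a poster supplied): the DANE verdict depends on the validation state of the TLSA RRset and on whether one of its records matches the presented certificate, while the RRSIG on the A RRset does not enter into it. The DNSSEC states follow RFC 4033, the TLSA fields RFC 6698; the certificate and SubjectPublicKeyInfo are assumed to arrive already DER-encoded (the byte strings below are constructed stand-ins), so no ASN.1 parsing is attempted.

```python
# Added example modelling the decision argued in the thread; not the add-on's code.
import hashlib
from dataclasses import dataclass
from enum import Enum

# Constructed stand-ins; a real caller passes the DER taken from the TLS handshake.
CERT_DER = b"constructed stand-in for the server certificate DER"
SPKI_DER = b"constructed stand-in for its SubjectPublicKeyInfo DER"

class DnssecStatus(Enum):
    SECURE = "secure"            # chain of trust validated
    INSECURE = "insecure"        # zone provably unsigned
    BOGUS = "bogus"              # signed, but the RRSIG does not verify
    INDETERMINATE = "indeterminate"

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0..3 (RFC 6698 certificate usage)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data

def association_data(selected, mtype):
    """Association data a TLSA record would carry for the selected bytes."""
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    return None  # unknown matching type: the record is unusable

def tlsa_matches(rec, cert_der, spki_der):
    """True if one TLSA record matches the presented end-entity certificate."""
    selected = cert_der if rec.selector == 0 else spki_der
    expected = association_data(selected, rec.mtype)
    return expected is not None and rec.data == expected

def browser_outcome(tlsa_status, tlsa_rrset, cert_der, spki_der, a_status):
    """Indicator the thread argues a browser should show.  a_status is taken
    only to make the point explicit: the verdict rests on the TLSA RRset's own
    validation and the certificate match, not on the A RRset's RRSIG.
    """
    if tlsa_status is DnssecStatus.SECURE and tlsa_rrset:
        if any(tlsa_matches(r, cert_der, spki_der) for r in tlsa_rrset):
            return "DANE-verified"
        return "not DANE-verified"   # secure TLSA present but nothing matches
    if tlsa_status in (DnssecStatus.INSECURE, DnssecStatus.SECURE):
        return "regular TLS / PKIX"  # unsigned zone, or secure proof of no TLSA
    return "not DANE-verified"       # bogus or indeterminate TLSA: MUST NOT flag
```

Sandoche's test zone corresponds to calling `browser_outcome` with a SECURE TLSA RRset and a BOGUS A RRset, which yields "DANE-verified", exactly what the add-on reported.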
