On Sat, 20 Oct 2012, Mark Andrews wrote:
> Somehow I cannot follow your discussion.
> What exactly do you mean by "added a bogus RRSIG record"?
The A and SOA signatures were broken, not the TLSA.
> If the DNSSEC signature on the TLSA record can _not_ be verified,
> then the Browser MUST NOT flag the Server as being DANE-verified.
It could be verified.
Of course, in my case, I could not reach the server because my DNSSEC-capable
resolver could not get a proper A record. When going "insecure",
I could reach it, but then it flags red because _you_ are not using a
DNSSEC resolver, and it does mistakenly claim "domainname is secured
by DNSSEC", which with a broken A record is not the case.
I'll work on fixing this.
Paul
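The decision the thread is arguing about, as an added illustration that is not code from this list, from any browser or from any DNS library: a DANE client must separate three cases that look alike from the application's side, a TLSA answer from a validating resolver (AD set, or SERVFAIL when the RRSIGs are bogus), an answer from a non-validating resolver (no DNSSEC evidence at all, so "secured by DNSSEC" must never be shown), and a signed TLSA set that simply does not match the presented certificate. The record, answer and status types, the `evaluate_dane` function and the certificate/SPKI byte strings are all assumptions constructed for the example; only the TLSA field semantics (usage, selector, matching type) come from RFC 6698.

```python
"""Decision logic a DANE-aware client should apply to a TLSA lookup.
Added illustration for this thread; not code from any browser or DNS library.
All certificate/SPKI bytes and DNS answers below are constructed stand-ins."""
import hashlib
from dataclasses import dataclass
from enum import Enum


class DaneStatus(Enum):
    VERIFIED = "DANE-verified"      # signed TLSA present and matches the presented certificate
    INSECURE = "insecure"           # no DNSSEC proof available: fall back to PKIX, claim nothing
    BOGUS = "bogus"                 # validating resolver rejected the signatures (SERVFAIL)
    NO_TLSA = "no TLSA records"     # zone is signed but publishes no TLSA for this name
    NO_MATCH = "TLSA mismatch"      # signed TLSA present but none matches: hard failure


@dataclass(frozen=True)
class TlsaRecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes


@dataclass(frozen=True)
class TlsaAnswer:
    rcode: str                       # "NOERROR" or "SERVFAIL"
    ad: bool                         # Authenticated Data bit as returned by the resolver
    records: tuple[TlsaRecord, ...]


def parse_tlsa(presentation: str) -> TlsaRecord:
    """Parse the RFC 6698 presentation format '<usage> <selector> <mtype> <hex>'."""
    usage, selector, mtype, hexdata = presentation.split(maxsplit=3)
    return TlsaRecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex(hexdata.replace(" ", "")))


def tlsa_matches(record: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Apply the record's selector and matching type to the presented certificate."""
    selected = cert_der if record.selector == 0 else spki_der
    if record.matching_type == 0:
        return selected == record.data
    if record.matching_type == 1:
        return hashlib.sha256(selected).digest() == record.data
    if record.matching_type == 2:
        return hashlib.sha512(selected).digest() == record.data
    return False  # unknown matching type: treat the record as unusable


def evaluate_dane(answer: TlsaAnswer, resolver_validates: bool,
                  cert_der: bytes, spki_der: bytes) -> DaneStatus:
    # The point from the thread: a client behind a non-validating resolver has no
    # DNSSEC evidence at all, so it must never display "secured by DNSSEC".
    if not resolver_validates:
        return DaneStatus.INSECURE
    # A validating resolver answers SERVFAIL when the signatures do not verify
    # (here the broken A/SOA RRSIGs would already stop the connection attempt).
    if answer.rcode == "SERVFAIL":
        return DaneStatus.BOGUS
    # NOERROR without the AD bit means the data is unsigned or was not validated.
    if not answer.ad:
        return DaneStatus.INSECURE
    if not answer.records:
        return DaneStatus.NO_TLSA
    # Only end-entity usages (1 and 3) can be decided from the leaf certificate
    # alone; usages 0 and 2 need the full chain and are left out of this example.
    for rec in answer.records:
        if rec.usage in (1, 3) and tlsa_matches(rec, cert_der, spki_der):
            return DaneStatus.VERIFIED
    return DaneStatus.NO_MATCH


# Constructed sample input (stand-ins for DER bytes, not real certificates).
CERT_DER = b"constructed-end-entity-certificate-der"
SPKI_DER = b"constructed-subject-public-key-info-der"
GOOD_TLSA = parse_tlsa("3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest())
WRONG_TLSA = parse_tlsa("3 1 1 " + hashlib.sha256(b"some-other-key").hexdigest())


def demo() -> dict[str, DaneStatus]:
    """Run the four situations discussed in the thread against the same TLSA data."""
    signed_good = TlsaAnswer("NOERROR", True, (GOOD_TLSA,))
    return {
        "validating, good TLSA": evaluate_dane(signed_good, True, CERT_DER, SPKI_DER),
        "non-validating resolver, same data": evaluate_dane(signed_good, False, CERT_DER, SPKI_DER),
        "validating, broken signatures": evaluate_dane(TlsaAnswer("SERVFAIL", False, ()), True, CERT_DER, SPKI_DER),
        "validating, wrong key": evaluate_dane(TlsaAnswer("NOERROR", True, (WRONG_TLSA,)), True, CERT_DER, SPKI_DER),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status.value}")
```

The second case is the one Paul describes: identical TLSA data, but because the client's resolver does not validate, the only honest outcome is "insecure", never a green "secured by DNSSEC". The check on `resolver_validates` is deliberately placed before the AD bit is consulted, since a non-validating resolver may forward an AD bit it never earned.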
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane