Dear Sir/Madam,
My name is Sirach Vassallo and I am reading for a B.Sc. degree in Computer
Networks. For my thesis, I am researching the DANE protocol. My research
includes the limitations of PKI, DNSSEC and DANE as an alternative to PKI.
Part of my thesis includes the implementation of such a protocol. However,
I am having a problem when it comes to TLSA validation by clients. Please,
I would like to ask some questions so that I may continue with my research.
I would really appreciate someone's help!
I have implemented DNSSEC for my domain: danetest.com. I am using BIND
9.9.5 on Ubuntu Desktop 12.04 LTS. I am using zonesigner from the
DNSSEC-Tools to sign my zone.
I have one primary DNS server and one slave - both Ubuntu 12.04. I also
have another server (Windows Server 2012) running IIS 8 with 2 websites
verified.danetest.com and broken.danetest.com. I created self-signed
certificates for each of these websites and I am making use of SNI for
mapping these certificates to the correct hostname.
As for the client, I am using the DNSSEC/TLSA Validator extension on
Firefox (https://www.dnssec-validator.cz/) on Mac OS X 10.9.2.
I am attaching to this email the db.danetest.com and db.danetest.com.signed
configuration files.
This is my TLSA record for verified.danetest.com
_443._tcp.verified.danetest.com. IN TLSA 3 0 1 (
baf3515d2695e25a2e4e850d909b4a446cdb7de3df2dfc116d36bb4afd94f99c )
I am generating the TLSA record by using this online tool:
https://www.huque.com/bin/gen_tlsa.
As the online tool requires the certificate in PEM format, I am converting
the .pfx (created from IIS) to .pem using OpenSSL.
My question is, am I implementing the TLSA RR correctly, since the client
extension is saying that the name verification is failing?
Should the Usage, Selector and Matching type fields be given as numbers or
as words, as listed in the draft draft-ietf-dane-ops-03?
Also, does the TLSA record need to be inserted into the signed zone file,
or into the normal unsigned conf file? I tried both; however, when using
the "IN TLSA DANE-TA Cert SHA2-256" format instead of numbers, the
zonesigner daemon gave me an error saying that the format is not supported.
I would really appreciate your help. Thank you in advance, and hope to hear
from you soon.
Regards,
Sirach Vassallo
m. 00 356 99491210
e. [email protected]
; db.danetest.com.signed
; File written on Wed Mar 19 23:55:53 2014
; dnssec_signzone version 9.9.5-2-Ubuntu
danetest.com. 604800 IN SOA ns1.danetest.com. mail.danetest.com. (
                2014031902 ; serial
                604800     ; refresh (1 week)
                86400      ; retry (1 day)
                2149200    ; expire (3 weeks 3 days 21 hours)
                604800     ; minimum (1 week)
                )
        604800 RRSIG SOA 8 2 604800 (
                20140418215553 20140319215553 46794
                danetest.com.
                JCX07phHMOO0jWHmhb37E3FgbYCUhgsac3KZ
                frky+WmxquMurYzh2hp544rdaNIXKeke1Cz/
                jsKo4sejneYwlBM/BFWbu+H9XH6DZ+3rqx5y
                34xZhc/Yp6CiotbERXShPixb+J5OmlXfMRWF
                fC7q4/AZ8a446hzBXPAdZWdUra8= )
        604800 NS ns1.danetest.com.
        604800 NS ns2.danetest.com.
        604800 RRSIG NS 8 2 604800 (
                20140418215553 20140319215553 46794
                danetest.com.
                O9nVTRzdH/VlA8Rkjk9u0crFkMoaQuVluyVu
                VaeoUc0Jy7ri47mge+zbMhzNJ3ijPdUNF3NX
                iPYpEWuzK9i1cUOz8rfHgOmUBEVzzte10lJz
                oEafrlwTPRZUjCHaC5uM3ReDsf5gbGJ7flIR
                KMB39KYXBHfn9HaLdsoBP5XYYo4= )
        604800 A 195.158.106.10
        604800 RRSIG A 8 2 604800 (
                20140418215553 20140319215553 46794
                danetest.com.
                h12J6fggnpB0QZKxOXXihDaUBsAZCjw8DTZs
                X51il/cRlGOBTAdQUlMj4UprJFanWXO2Gg4n
                RplyXlu85y8Xb6gOVd7CXV+K/P1o27fN4Jpu
                6v6IQ1t2TyK4jmdmGJ40Of/G9xkXptI3mf4O
                HpSlFo5bjidp0SsGbPr2kAvy52U= )
        3600 MX 10 f840761f07077e43849670877f8be9.pamx1.hotmail.com.
        3600 RRSIG MX 8 2 3600 (
                20140418215553 20140319215553 46794
                danetest.com.
                txAfWISdUvnGGWL0mpHpxaBTTi/xHipuiQi0
                FOPwnZTGEdZm39oiy5/7hhDts+yaNpMPgWET
                r9pmuhsue2YGLFbMYaP8HvDnjFEK7XIFKz7W
                rDxMFONjiiHUwRTggvEcFFIpHQQsXSGjEDw8
                hO/JboqblrczxPiFP/S0JCETB0A= )
        604800 NSEC broken.danetest.com. A NS SOA MX RRSIG NSEC DNSKEY
        604800 RRSIG NSEC 8 2 604800 (
                20140418215553 20140319215553 46794
                danetest.com.
                AqHCsCOfjMAtJVk9TFd+LgLwJU2jX2rLdNZR
                7058n06NHNfhWLpvO0yrGgjq+23DZlqW/uRk
                Wc365rSBgvHTCyt2Y/6ig9UfoNGPeL0Wu3VG
                V+pSIsX01W9sncwvTuYEGYoaNjwnPLLatUwM
                sye01ve5OFCmZeggieiiyHSmFcQ= )
        604800 DNSKEY 256 3 8 (
                AwEAAaJSjPyeseZgIfuQ3k6ZjlG88zxD6IEZ
                kGVOadRaxE4aSNFu2BObN9NEjtAL73WMpCCt
                U50s4szSiIHARZVRJd2p6JM+8OY8lddNC7zx
                5SalNOONCmu8hktJFLTgFC9GAAOm0vE8KQgM
                /TC2p8EWxGQCwyPmbWB4OWhryooTE47T
                ) ; ZSK; alg = RSASHA256; key id = 27600
        604800 DNSKEY 256 3 8 (
                AwEAAeYcRw8gr36VrZg5nuIynDEt26y58dEj
                QrMoq2hHMUu/DJZX6/jQ8Q6JMURkC9dWwZoR
                /ZakKRdLkQh8gT/QyYGoxsj1n0iDJYrRkdWO
                0v2fkZmZUO5PFwekmHJkljemXDfy5WuXTtRF
                GehYL4bkLZYD9Tt5kpS6GHPnF9ak8Iab
                ) ; ZSK; alg = RSASHA256; key id = 46794
        604800 DNSKEY 257 3 8 (
                AwEAAcuyFhTpzjlY7TUxV/3f43leCFGFsgx1
                qJXZCraIr8pa80vz0gqvfQsmWSMo5KudF27R
                sc5mi9NIMdnpUy75QY69RHR4yTy09ANu/TVg
                PM+Ohx/vHzlXZFv8c9zzxv1TURHKQ35HL0/V
                1SKz6jWCIxLMu8pl4Qs+AeuHb/ucfyZk0zVN
                h8ylmGAheGHOepZX4BnRCp/F4HyJiS76HCB0
                NNwUcKqVzlJ37x2aa/6A56MsHXGvpsqs/AZZ
                qQ5/m78Eb6fdFgi7hNXnvyHUPtXn9TDvgZDr
                USwPzoBGhpCvRsLp744FP0RSqFT+LP0xZbMo
                bQVRnMrpuJgRiR/bezG0nls=
                ) ; KSK; alg = RSASHA256; key id = 46942
        604800 RRSIG DNSKEY 8 2 604800 (
                20140418215553 20140319215553 46794
                danetest.com.
                Ij7gjYtc0QAVO5DMxGHlBURAQwoboSqLPYBf
                Y8PshpuN3UruViFVKbl+GzsBLhD95TnXIrw7
                WpLxi6eNdakITNDHMmnNrJcScjiKLEWrQgg1
                vjvsNAqS/CM9RzNOlaB8/eyJ61sAdpp46ZqG
                Tithnha7LPP0nY8lurwByQIYjR0= )
        604800 RRSIG DNSKEY 8 2 604800 (
                20140418215553 20140319215553 46942
                danetest.com.
                Tt0PAqYoi/Ynsas1P5NomxE1wfDvZl/5mLo5
                lfxwJ2ZORyvJXztsSF5OMmZrRcfuaRBb12NM
                Dl73Wem3DjqJo3Xa+X+T9O5yJvlxUn+SwGBW
                AHlCJukZ/9BkqQhaU+21UIs4h5UzYZEmlNy6
                eHXekAfxMVer8tzmYdjF+icwBCZSkv4JQkvO
                Z7v71U1qClpDifq6ns3Fp0NkvZ+Zmpun5fQG
                f2tkKi500gfLzyiXO1/V4o+6COVmzV41Vn3o
                qyDTvxA+klcIqIeiSSvE60iWeQCSUMDF8MT9
                NKWHVup8nEArRvG01Rwv6VlxfJs6pat9QR42
                Yd+oBpABS2OFf/y5XQ== )
broken.danetest.com. 604800 IN A 195.158.106.10
        604800 RRSIG A 8 3 604800 (
                20140418215553 20140319215553 46794
                danetest.com.
                hTvClRx+Fl8EBEYKav7TqtdVxJO4GUMlNjQW
                7HdIOvGOdQU2xH6FShvohFUj1ea/0a/bGHKQ
                2qVcgkSbboIRFbrLj/XRf55wZMGC/81diClN
                4LT323iulUCjZYe9Rcli5eWN8E7UKB9lk2Tv
                gR5IJrMYaDc/tyV6WXTNOevHsxY= )
        604800 NSEC mail.danetest.com. A RRSIG NSEC
        604800 RRSIG NSEC 8 3 604800 (
                20140418215553 20140319215553 46794
                danetest.com.
                mTD9eddQcad4VWuY9mGBivG+yRAkIoynEobJ
                1UPcX+EPVGnzFV8WeV6cZ7HwhLZUq3jj2kUf
                KOoTcaXrCmxrmWrKJ5pa5EtJU4A7OjJJUJOF
                fQ7SLM5BqlST7xpfMGYlDZ2T8mEmwXYhLW8C
                vxEI8sCpNqKiK1g+xBIgGK7jypA= )
mail.danetest.com. 604800 IN CNAME go.domains.live.com.
        604800 RRSIG CNAME 8 3 604800 (
                20140418215553 20140319215553 46794
                danetest.com.
                CuQuTYDW7ig9yJ0uNZmdtqcp8FEMUYakCm6P
                afDAyXIETSv+/BwpgMsvs1GrO+X64PrMeNDm
                4Mjgq3aWETBrrrEOtHxLO7DO/EZgyjzk0rT6
                Jb10Fjscw/zyvV9UQuBBOgdB2FfLxr3afRqO
                W79TNT1fG5uNGCBaqT1alltAJ8o= )
        604800 NSEC ns1.danetest.com. CNAME RRSIG NSEC
        604800 RRSIG NSEC 8 3 604800 (
                20140418215553 20140319215553 46794
                danetest.com.
                oF3eQxgLz75dS6Ha5yO3DntONqyGlnuNKe13
                +9mnf1p6PgfMEYVHLtKJpnyxFphwyFLImCPQ
                m8TwAC1s+fk31lzh/mqSQzLbqbwDKuhM/HKi
                zbuzhhgcCMsWLSYxQaWlglfWFCpmF2PQeHOJ
                du8FL4fw4CmVScdbSG/IRRaNCHk= )
ns1.danetest.com. 604800 IN A 195.158.106.10
        604800 RRSIG A 8 3 604800 (
                20140418215553 20140319215553 46794
                danetest.com.
                lx5iHkuVK7vvXjFI8mM5hJYAxQuMmjhCQSkN
                fGfOa/05cf4obwtGNFb6pJV7yCEbE38vKazo
                SSzy4X7Lbv6jI9bFpfJQ79LwNi/g4Rl+Wbux
                /RuYsy+hC6sHAaMc+ZYUIPjx/pRVUZOsacDd
                Ppbl6yHZRurDBofdLk82H87645g= )
        604800 NSEC ns2.danetest.com. A RRSIG NSEC
        604800 RRSIG NSEC 8 3 604800 (
                20140418215553 20140319215553 46794
                danetest.com.
                Xv5E9i0MDSR6xG3kIfFvTSpEKAsmrWM87PIm
                rfrfKway8sjcGe89rGCKV0+llPKn4xsBcGK3
                McrMAWhMtgcs1KlDrX8g1CwAbWLeMh1jmo/I
                jFzlWprOoYvxpU3uzez4NNKKG2Q+vRSV9BPh
                wuJMFjpDRo6OogDhYulXznscM4Y= )
_443._tcp.verified.danetest.com. IN TLSA 3 0 1 (
                baf3515d2695e25a2e4e850d909b4a446cdb7de3df2dfc116d36bb4afd94f99c )
verified.danetest.com. 604800 IN A 195.158.106.10
        604800 RRSIG A 8 3 604800 (
                20140418215553 20140319215553 46794
                danetest.com.
                fOIXy2sx3fIR2lDR+4A9ZDgE+nOhkKSblM0l
                jjUmE6riPdkdCrENAglL101JP9iDavQT772z
                1zZrTWZv/34byqmYVvjlpQRE5nYMYxV9jV4v
                rkD5ujtoI/0uR9EGjmDoHs4ocscXa2Sds/7d
                ctiSK+jJ6zWiBHh3sL73QffrDXk= )
        604800 NSEC danetest.com. A RRSIG NSEC
        604800 RRSIG NSEC 8 3 604800 (
                20140418215553 20140319215553 46794
                danetest.com.
                w1I9nf0+KnwuULq1GUEMgacZi5I1vGboG8vn
                KIpARVZGypf8UFE0sAKX9fC+X5laA/ddv3Q7
                aeaF6AbB6cb8pl6CURZbS58qYxorVh9p9wGf
                Jidv0vzOXl45AJs0J1bFKXtWpeJzJv1GhOiJ
                lo1RMpz2y8EITvZgRe1NBIgj31g= )
ns2.danetest.com. 604800 IN A 195.158.94.27
        604800 RRSIG A 8 3 604800 (
                20140418215553 20140319215553 46794
                danetest.com.
                Mw9nmYwLpLu0Gte1Z3qNuLuSs6OvGS+yrwWJ
                PLC9Uj52l7JhNfqiC6+wgNdfozPswioTv/SK
                qAsEIDtJB1rFgbDkZrfJjOGLuQlmxRXcPpQP
                zwgnqPle4RG0CvQBS6PQS6XuSabzHTI1QRJW
                s4A86WqoB+JzTlgJ+Ow4UbxTl0A= )
        604800 NSEC verified.danetest.com. A RRSIG NSEC
        604800 RRSIG NSEC 8 3 604800 (
                20140418215553 20140319215553 46794
                danetest.com.
                EILZWX3MUD/iv/o0wATU86UzMEPzyROvuvIX
                AUhL0j6ZKhhB+MNjiB59R5cGAxTaFdjeXpXX
                DF7zLsnD2XFHsu27ysnFyYZQDc/81O9CfNbt
                H4R9KDBHknye2S2HXdXSdEz/RXeQhTX7xMMX
                0OXL2lw4vV3mt0cihcSMvDbWXSQ= )

; db.danetest.com
$TTL 604800
$ORIGIN danetest.com.
@ IN SOA ns1.danetest.com. mail.danetest.com. (
2014031902 ; Serial
604800 ; Refresh
86400 ; Retry
2149200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1.danetest.com.
@ IN NS ns2.danetest.com.
@ 3600 IN MX 10 f840761f07077e43849670877f8be9.pamx1.hotmail.com.
@ IN A 195.158.106.10
ns1 IN A 195.158.106.10
ns2 IN A 195.158.94.27
verified IN A 195.158.106.10
broken IN A 195.158.106.10
mail IN CNAME go.domains.live.com.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
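The script below is an added example for the three questions in the message above; it is not part of the original post, of DNSSEC-Tools or of BIND. It generates the TLSA record locally with OpenSSL (the same digest the huque.com tool computes), performs the "3 0 1" comparison a DANE-EE client performs against the certificate the server presents, and scans a signed zone file for TLSA RRsets that have no RRSIG. File names, the throwaway self-signed certificate and the signed-zone fragment with placeholder signature data are all constructed for the example. Two practitioner caveats it encodes: the numeric form "3 0 1" is what the wire carries and what every signer accepts (RFC 7218 later spelled it "DANE-EE Cert SHA2-256"; usage 3 is DANE-EE, not DANE-TA), and a TLSA record typed into the .signed file by hand has no RRSIG and is not in the NSEC chain, so a validating client cannot treat it as secure. Run on the attached db.danetest.com.signed, the last function reports _443._tcp.verified.danetest.com. for exactly that reason.

```shell
#!/bin/sh
# Added example, not part of the original message or of DNSSEC-Tools/BIND.
# Builds a TLSA record for a server certificate with OpenSSL, performs the
# DANE-EE (usage 3) match a client does, and checks a signed zone file for
# TLSA RRsets that carry no RRSIG.  File names are assumptions; the sample
# certificate and sample zone below are constructed for this example.
set -eu

# Hex SHA-256 of the DER certificate: selector 0 (Cert), matching type 1.
# For an IIS export, convert first: openssl pkcs12 -in site.pfx -nokeys -out site.pem
tlsa_cert_sha256() {   # tlsa_cert_sha256 <cert.pem>
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Hex SHA-256 of the SubjectPublicKeyInfo only: selector 1 (SPKI).  It keeps
# matching when the certificate is reissued for the same key pair.
tlsa_spki_sha256() {   # tlsa_spki_sha256 <cert.pem>
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Emit the record in numeric presentation form (usage selector matching-type).
# "3 0 1" is the wire form; RFC 7218 spells it "DANE-EE Cert SHA2-256", and
# signers that predate the mnemonics accept only the numbers.
tlsa_record() {   # tlsa_record <host> <port> <cert.pem> [usage] [selector]
    host=$1; port=$2; cert=$3; usage=${4:-3}; selector=${5:-0}
    if [ "$selector" -eq 0 ]; then
        digest=$(tlsa_cert_sha256 "$cert")
    else
        digest=$(tlsa_spki_sha256 "$cert")
    fi
    printf '_%s._tcp.%s. IN TLSA %s %s 1 %s\n' "$port" "$host" "$usage" "$selector" "$digest"
}

# The client side of a "3 0 1" record: fetch the leaf certificate the server
# presents for this SNI name and compare its digest with the published one.
# Needs network access, so the self-test below does not exercise it.
tlsa_matches_server() {   # tlsa_matches_server <host> <port> <expected-hex>
    tmp=$(mktemp)
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$tmp"
    got=$(tlsa_cert_sha256 "$tmp"); rm -f "$tmp"
    [ "$got" = "$3" ]
}

# Owners that have a TLSA RRset in a signed zone but no RRSIG covering it.
# A TLSA record pasted into the .signed file after signing shows up here:
# it is served without a signature, so a validating client cannot trust it.
unsigned_tlsa_owners() {   # unsigned_tlsa_owners <zone.signed>
    awk '
        /^[^ \t;]/ { owner = $1 }           # owner is omitted on continuation RRs
        /[ \t]NSEC3?[ \t]/ { next }         # type bitmaps also mention TLSA
        /[ \t]RRSIG[ \t]+TLSA[ \t]/ { signed[owner] = 1; next }
        /[ \t]TLSA[ \t]/ { has[owner] = 1 }
        END { for (o in has) if (!(o in signed)) print o }
    ' "$1" | sort
}

# Throwaway self-signed certificate standing in for the IIS one (constructed).
make_sample_cert() {   # make_sample_cert <out.pem>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=verified.danetest.com" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Constructed signed-zone fragment in dnssec-signzone layout (the RRSIG data
# is a placeholder, not a real signature): verified.example has its TLSA
# signed, broken.example had its TLSA added after signing.
SAMPLE_SIGNED_ZONE='$ORIGIN example.
_443._tcp.verified.example. 3600 IN TLSA 3 0 1 (
        baf3515d2695e25a2e4e850d909b4a446cdb7de3df2dfc116d36bb4afd94f99c )
        3600 RRSIG TLSA 8 4 3600 (
        20140418215553 20140319215553 46794 example.
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA )
        3600 NSEC example. RRSIG NSEC TLSA
_443._tcp.broken.example. IN TLSA 3 0 1 (
        0000000000000000000000000000000000000000000000000000000000000000 )
'

# Runs the RRSIG check over the constructed fragment; prints the broken owner.
check_sample_zone() {
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_SIGNED_ZONE" > "$tmp"
    unsigned_tlsa_owners "$tmp"
    rm -f "$tmp"
}
```

Typical use after sourcing the file: `tlsa_record verified.danetest.com 443 site.pem >> db.danetest.com`, bump the SOA serial, re-run zonesigner on the unsigned zone so the new RRset gets its RRSIG and NSEC entry, then `dig +dnssec TLSA _443._tcp.verified.danetest.com` through a validating resolver and look for the RRSIG in the answer and the `ad` flag; `unsigned_tlsa_owners db.danetest.com.signed` should then print nothing.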