On Thu, May 7, 2015 at 2:45 AM, Jigar Joshi <[email protected]> wrote:
> I was using this https://www.dnssec-validator.cz/
>
> I got this icon
>
> [image: Inline image 2]
>
> for a local network url which is over http (no https support for that url)
> however hovering over still says secured by dnssec
>
> my understanding is it compares the fingerprint of certificate with one
> dnssec says to check identity of host
>
> https://www.dnssec-validator.cz/pages/documentation.html
>
> doesn't list this icon (in orange color specifically and hovering over
> says secured by dnssec)
>
> if it is not using https how can it compare fingerprint?
>

It isn't / it doesn't.

I'm not 100% sure what the orange color means (and I don't have the plugin installed at the moment), but the first / "key" icon is only about DNSSEC. DNSSEC simply proves that the *DNS* data hasn't been changed (actually that is a huge oversimplification, see: http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions).

The second icon (://, changes to a padlock) is the "DANE" icon. :// means:

"For an existing domain name this means that no HTTPS secured connection to the remote server was established. Therefore, you can not perform TLSA record validation. The authenticity of TLS/SSL remote server certificate for the domain name could not be verified by DANE protocol because the connection to the remote server is not realized via HTTPS protocol."

W

> --
> --
> Jigar
>
> _______________________________________________
> dane mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dane
>

--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
   ---maf
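The distinction drawn in the reply above, as an added example that is not part of the original thread and not the plugin's code: the DNSSEC result and the DANE result are computed independently, and TLSA matching (RFC 6698) only happens when an HTTPS connection has produced a certificate. The state names, the `evaluate` and `tlsa_matches` helpers and the sample bytes are assumptions made for illustration; only selector 0 (full certificate) is handled.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# TLSA matching types from RFC 6698: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
_DIGESTS = {0: lambda b: b,
            1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}

def tlsa_matches(record, cert_der):
    """record = (usage, selector, matching_type, association_data)."""
    _usage, selector, mtype, data = record
    if selector != 0:  # selector 1 (SubjectPublicKeyInfo) needs an X.509 parser
        raise NotImplementedError("only selector 0 (full certificate) is handled")
    digest = _DIGESTS.get(mtype)
    return digest is not None and hmac.compare_digest(digest(cert_der), data)

def evaluate(url, dnssec_validated, tlsa_records, cert_der=None):
    """Return (dnssec_state, dane_state); state names are hypothetical labels."""
    dnssec_state = "secured" if dnssec_validated else "not-secured"
    # No TLS session means no server certificate, so there is nothing to
    # compare against TLSA data, whatever the DNSSEC result was.
    if urlsplit(url).scheme != "https" or cert_der is None:
        return dnssec_state, "no-https"
    if not dnssec_validated:
        return dnssec_state, "tlsa-not-trusted"  # unsigned TLSA data proves nothing
    if not tlsa_records:
        return dnssec_state, "no-tlsa"
    ok = any(tlsa_matches(r, cert_der) for r in tlsa_records)
    return dnssec_state, "valid" if ok else "mismatch"

# Constructed sample data: stand-in bytes, not a real certificate.
SAMPLE_CERT = b"constructed-der-bytes-for-illustration"
SAMPLE_TLSA = [(3, 0, 1, hashlib.sha256(SAMPLE_CERT).digest())]

if __name__ == "__main__":
    print(evaluate("http://intranet.example/", True, SAMPLE_TLSA))
    print(evaluate("https://www.example/", True, SAMPLE_TLSA, SAMPLE_CERT))
    print(evaluate("https://www.example/", True, SAMPLE_TLSA, b"other-cert"))
```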
