Hi Warren,
How can it validate that DNS data hasn't been modified if it doesn't have an SSL certificate? What I understood was that it checks the fingerprint you get against the fingerprint it has published in DNS to validate; however, if the domain doesn't have SSL support at all, how does it work?

Please clarify if I totally misunderstood this.

Thanks!
Jigar

On Tue, May 12, 2015 at 8:05 AM, Warren Kumari <[email protected]> wrote:

> On Thu, May 7, 2015 at 2:45 AM, Jigar Joshi <[email protected]> wrote:
>
>> I was using this https://www.dnssec-validator.cz/
>>
>> I got this icon
>>
>> [image: Inline image 2]
>>
>> for a local network URL which is over HTTP (no HTTPS support for that
>> URL); however, hovering over it still says secured by DNSSEC
>>
>> my understanding is it compares the fingerprint of the certificate with
>> the one DNSSEC says, to check the identity of the host
>>
>> https://www.dnssec-validator.cz/pages/documentation.html
>>
>> doesn't list this icon (in orange color specifically, and hovering over
>> it says secured by DNSSEC)
>>
>> if it is not using HTTPS, how can it compare the fingerprint?
>
> It isn't / it doesn't.
>
> I'm not 100% sure what the orange color means (and I don't have the plugin
> installed at the moment), but the first / "key" icon is only about DNSSEC.
> DNSSEC simply proves that the *DNS* data hasn't been changed (actually
> that is a huge oversimplification, see:
> http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions)
>
> The second icon (://, changes to a padlock) is the "DANE" icon. :// means:
> "For an existing domain name this means that no HTTPS secured connection
> to the remote server was established. Therefore, you can not perform TLSA
> record validation. The authenticity of TLS/SSL remote server certificate
> for the domain name could not be verified by DANE protocol because the
> connection to the remote server is not realized via HTTPS protocol."
>
> W
>
>> --
>> --
>> Jigar
>>
>> _______________________________________________
>> dane mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/dane
>
> --
> I don't think the execution is relevant when it was obviously a bad idea
> in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair of
> pants.
>    ---maf

--
--
Jigar
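The distinction discussed in this thread, as an added example that is not part of the original messages and is not the plugin's code: a TLSA comparison needs a certificate presented over TLS, so a plain-HTTP load leaves nothing to compare even when the DNS answer itself is DNSSEC-validated. The function names, state names and sample bytes are assumptions made for illustration; the TLSA field meanings follow RFC 6698.

```python
import hashlib
import hmac
from typing import NamedTuple, Optional

class TLSA(NamedTuple):
    usage: int     # certificate usage 0-3 (trust-anchor semantics, not evaluated here)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format RDATA: 'usage selector mtype hex...'."""
    usage, selector, mtype, *hex_parts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hex_parts)))

def association_data(selected: bytes, mtype: int) -> bytes:
    """Turn the selected certificate bytes into the value a TLSA record carries."""
    if mtype == 0:
        return selected
    if mtype in (1, 2):
        return hashlib.new("sha256" if mtype == 1 else "sha512", selected).digest()
    raise ValueError(f"unknown matching type {mtype}")

def dane_state(dnssec_ok: bool, tlsa: Optional[TLSA],
               cert_der: Optional[bytes], spki_der: Optional[bytes] = None) -> str:
    """Hypothetical state names; cert_der is None when the page came over plain HTTP."""
    if cert_der is None:
        return "no-tls"          # the '://' case: no certificate presented, nothing to compare
    if tlsa is None:
        return "no-tlsa"
    if not dnssec_ok:
        return "untrusted-tlsa"  # an unvalidated TLSA answer proves nothing
    selected = cert_der if tlsa.selector == 0 else spki_der
    if selected is None:
        raise ValueError("selector 1 needs the certificate's SubjectPublicKeyInfo bytes")
    ok = hmac.compare_digest(association_data(selected, tlsa.mtype), tlsa.data)
    return "match" if ok else "mismatch"

# Constructed sample input: placeholder bytes standing in for a DER certificate.
SAMPLE_CERT = b"constructed stand-in for DER certificate bytes"
SAMPLE_RDATA = "3 0 1 " + hashlib.sha256(SAMPLE_CERT).hexdigest()

if __name__ == "__main__":
    rec = parse_tlsa(SAMPLE_RDATA)
    print("http only :", dane_state(True, rec, None))
    print("https     :", dane_state(True, rec, SAMPLE_CERT))
    print("wrong cert:", dane_state(True, rec, SAMPLE_CERT + b"x"))
```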
