Validator 2.1.2 (Latest on Firefox plugins site), Firefox 32.0.3

A site which is secured by DNSSEC, but not by DANE (there is no TLSA
certificate) reports:

  * (Green rectangle) Secured by DNSSEC
  * (Circled Red padlock) 'Bogus DNSSEC signature' on hover.  Clicking on
    the icon adds 'This domain name is secured by DNSSEC but an invalid
    domain name signature has been detected...'

This is confusing.  There is a good DNSSEC signature.  There is NO DANE
certificate; this isn't bogus, it's normal.  And the place where it
might be IS DNSSEC-secured.

The DANE indicator should say 'Not signed by DANE' in this case.  Or
perhaps it should disappear.  And the 'invalid domain name signature'
message should include the failing name if it's not the one in the
address bar.  (e.g. ' but ns2.example.net has an invalid signature')

I'd rather have one indicator for both verification types; it's clearer
for the end user and uses less space on the address bar.

I think the cases are:
Good (Valid signature(s), no problems):
    o 'Secured by DNSSEC'
    o 'Secured by DANE'
    o 'Secured by DNSSEC & DANE'

Neutral (Sadly, most sites):
    o 'Not secured by DNSSEC or DANE'

Bad (At least one signature exists, but fails validation):
    o 'Bad DNSSEC signature'
    o 'Site certificate does not match DANE'
    o 'Bad DNSSEC signature AND site certificate does not match DANE'

Very Bad (Inconsistent signatures):
    o 'Secured by DNSSEC, but site certificate does not match DANE'
      (*ONLY* when TLSA is present)
    o 'Secured by DANE, but DNSSEC signature is bad'

-- 
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 
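Added illustration, not code from the mail or from the Validator plugin: a Python sketch of the single combined indicator the mail proposes. DANE state is derived by matching the site certificate against TLSA records (DANE-EE, full-certificate selector only, which is an assumption of this sketch; the certificate bytes and TLSA records are constructed), and the "no TLSA record" case maps to the neutral / DNSSEC-only wording instead of a bogus one.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for a DER-encoded end-entity certificate (not a real cert).
FAKE_CERT_DER = b"\x30\x82\x01\x00constructed-end-entity-certificate"

@dataclass(frozen=True)
class TLSA:
    usage: int     # RFC 6698 certificate usage; 3 = DANE-EE
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes

def tlsa_matches(rec: TLSA, cert_der: bytes) -> bool:
    """DANE-EE with the full-certificate selector; other forms are out of scope here."""
    if rec.usage != 3 or rec.selector != 0:
        raise ValueError("example handles usage 3 / selector 0 only")
    if rec.mtype == 0:
        return rec.data == cert_der
    if rec.mtype == 1:
        return rec.data == hashlib.sha256(cert_der).digest()
    if rec.mtype == 2:
        return rec.data == hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {rec.mtype}")

def dane_state(tlsa_records, cert_der: bytes) -> str:
    """'absent' (no TLSA at all), 'match', or 'mismatch' (TLSA present, none fits)."""
    if not tlsa_records:  # the case the mail complains about: normal, not bogus
        return "absent"
    return "match" if any(tlsa_matches(r, cert_der) for r in tlsa_records) else "mismatch"

# One label for both checks, following the Good / Neutral / Bad / Very Bad cases
# listed in the mail. dnssec is 'secure', 'insecure' (unsigned) or 'bogus'.
LABELS = {
    ("secure",   "absent"):   "Secured by DNSSEC",
    ("secure",   "match"):    "Secured by DNSSEC & DANE",
    ("secure",   "mismatch"): "Secured by DNSSEC, but site certificate does not match DANE",
    ("insecure", "absent"):   "Not secured by DNSSEC or DANE",
    ("insecure", "match"):    "Secured by DANE",
    ("insecure", "mismatch"): "Site certificate does not match DANE",
    ("bogus",    "absent"):   "Bad DNSSEC signature",
    ("bogus",    "match"):    "Secured by DANE, but DNSSEC signature is bad",
    ("bogus",    "mismatch"): "Bad DNSSEC signature AND site certificate does not match DANE",
}

def indicator(dnssec: str, tlsa_records, cert_der: bytes) -> str:
    """Text the address-bar icon would show for the given DNSSEC and DANE results."""
    return LABELS[(dnssec, dane_state(tlsa_records, cert_der))]

# Constructed records for trying it out: one that hashes the fake cert, one that does not.
GOOD_RECORD = TLSA(3, 0, 1, hashlib.sha256(FAKE_CERT_DER).digest())
BAD_RECORD = TLSA(3, 0, 1, bytes(32))
```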

