Dane testing and posttls-finger ???

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Apr 9 16:04:16 CEST 2015 

On Thu, Apr 09, 2015 at 08:40:27AM -0400, John Allen wrote:

> When I try "posttls-finger dane.sys4.de" I get the following.  I have
> emphasized a couple of areas in the following text that cause me some
> concern.
> 
> posttls-finger: Connected to dane.sys4.de[194.126.158.134]:25

No TLSA records were found.  Your DNS resolver is not returning
the "AD" bit for this domain.  Check /etc/resolv.conf.

I get:

    $ posttls-finger -c dane.sys4.de
    posttls-finger: using DANE RR: _25._tcp.dane.sys4.de IN TLSA 3 0 1 C8:B7:60:93:10:0F:05:3B:95:B5:12:DA:D8:B5:9B:B3:43:02:F7:6B:A8:C0:7E:D8:7F:BF:56:65:BF:05:F1:D1
    posttls-finger: dane.sys4.de[194.126.158.134]:25: depth=0 matched end entity certificate sha256 digest C8:B7:60:93:10:0F:05:3B:95:B5:12:DA:D8:B5:9B:B3:43:02:F7:6B:A8:C0:7E:D8:7F:BF:56:65:BF:05:F1:D1
    posttls-finger: dane.sys4.de[194.126.158.134]:25: Matched subjectAltName: dane.sys4.de
    posttls-finger: dane.sys4.de[194.126.158.134]:25: subjectAltName: sys4.de
    posttls-finger: dane.sys4.de[194.126.158.134]:25 CommonName dane.sys4.de
    posttls-finger: dane.sys4.de[194.126.158.134]:25: subject_CN=dane.sys4.de, issuer_CN=StartCom Class 2 Primary Intermediate Server CA, fingerprint=41:B5:70:D5:35:68:72:B2:64:4C:5E:DE:74:52:23:E1:3B:3A:03:07, pkey_fingerprint=E5:CD:96:DD:35:8C:91:30:75:5B:D0:66:47:1D:CD:83:39:9A:D5:CC
    posttls-finger: Verified TLS connection established to dane.sys4.de[194.126.158.134]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

With the first line showing working DNSSEC resolution.

> posttls-finger: Untrusted TLS connection established to dane.sys4.de[194.126.158.134]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

As a result, authentication fails, since no CAs are trusted by
default, and the default security level is opportunistic "dane"
not CA-based "secure".

> Certificate verification fails and I wind up with an untrusted connection.
> Is this something I did or is there a real problem?

Your server's local DNS resolver is not a DNSSEC validating resolver.
Or perhaps is not even local.

To enable outbound DANE, you need an /etc/resolv.conf with
127.0.0.1 as the only nameserver, and DNSSEC validation
via the ICANN root enabled in that resolver0.

-- 
	Viktor.

More information about the dane-users mailing list