Dane testing and posttls-finger ???

John Allen john at klam.ca
Thu Apr 9 19:04:16 CEST 2015


I ran the same test again, without changing anything, and it came back 
without error.
Not sure what that means, but just in case it's of interest.


On 4/9/2015 12:09 PM, John wrote:
> My resolve.conf points to google (8.8.8.8, 8.8.4.4 + their ipv6 
> equivalents).
> I have heard rumours of problems with Google DNS, I am not sure that I 
> believe them but ...
> Is this their problem or mine (it's mine because I have it) and what 
> might be my best solution?
> TIA
> -- 
> Sent from my Samsung Galaxy Tab 3
>
>
> On 9 April, 2015 10:04:41 AM Viktor Dukhovni <ietf-dane at dukhovni.org> 
> wrote:
>
>> On Thu, Apr 09, 2015 at 08:40:27AM -0400, John Allen wrote:
>>
>> > When I try "posttls-finger dane.sys4.de" I get the following.  I have
>> > emphasized a couple of areas in the following text that cause me some
>> > concern.
>> >
>> > posttls-finger: Connected to dane.sys4.de[194.126.158.134]:25
>>
>> No TLSA records were found.  Your DNS resolver is not returning
>> the "AD" bit for this domain.  Check /etc/resolv.conf.
>>
>> I get:
>>
>>     $ posttls-finger -c dane.sys4.de
>>     posttls-finger: using DANE RR: _25._tcp.dane.sys4.de IN TLSA 3 0 1 C8:B7:60:93:10:0F:05:3B:95:B5:12:DA:D8:B5:9B:B3:43:02:F7:6B:A8:C0:7E:D8:7F:BF:56:65:BF:05:F1:D1
>>     posttls-finger: dane.sys4.de[194.126.158.134]:25: depth=0 matched end entity certificate sha256 digest C8:B7:60:93:10:0F:05:3B:95:B5:12:DA:D8:B5:9B:B3:43:02:F7:6B:A8:C0:7E:D8:7F:BF:56:65:BF:05:F1:D1
>>     posttls-finger: dane.sys4.de[194.126.158.134]:25: Matched subjectAltName: dane.sys4.de
>>     posttls-finger: dane.sys4.de[194.126.158.134]:25: subjectAltName: sys4.de
>>     posttls-finger: dane.sys4.de[194.126.158.134]:25 CommonName dane.sys4.de
>>     posttls-finger: dane.sys4.de[194.126.158.134]:25: subject_CN=dane.sys4.de, issuer_CN=StartCom Class 2 Primary Intermediate Server CA, fingerprint=41:B5:70:D5:35:68:72:B2:64:4C:5E:DE:74:52:23:E1:3B:3A:03:07, pkey_fingerprint=E5:CD:96:DD:35:8C:91:30:75:5B:D0:66:47:1D:CD:83:39:9A:D5:CC
>>     posttls-finger: Verified TLS connection established to dane.sys4.de[194.126.158.134]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>
>> With the first line showing working DNSSEC resolution.
>>
>> > posttls-finger: Untrusted TLS connection established to dane.sys4.de[194.126.158.134]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>
>> As a result, authentication fails, since no CAs are trusted by
>> default, and the default security level is opportunistic "dane"
>> not CA-based "secure".
>>
>> > Certificate verification fails and I wind up with an untrusted connection.
>> > Is this something I did or is there a real problem?
>>
>> Your server's local DNS resolver is not a DNSSEC validating resolver.
>> Or perhaps is not even local.
>>
>> To enable outbound DANE, you need an /etc/resolv.conf with
>> 127.0.0.1 as the only nameserver, and DNSSEC validation
>> via the ICANN root enabled in that resolver.
>>
>> -- 
>>     Viktor.
>
>
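
The check Viktor describes (does the resolver hand back the TLSA record with the AD bit, or not?) can be reproduced without posttls-finger. The script below is an added example, not code from this thread or from Postfix: it sends a single TLSA query with the AD flag set to a resolver, parses the reply with only the standard library, and reports whether the answer is marked authenticated and which TLSA records came back. The resolver address 127.0.0.1, the query name _25._tcp.dane.sys4.de and the wording of the verdicts are assumptions. It performs no DNSSEC validation of its own; like Postfix it trusts the AD bit from whatever resolver it talks to, which is exactly why that resolver has to be local and validating.

```python
"""Ask a resolver for the TLSA record Postfix would use for outbound DANE and
report whether the answer carries the AD (Authenticated Data) bit.

Added example, standard library only.  It does not validate DNSSEC itself:
like posttls-finger, it trusts the AD bit from the resolver it queries, which
is why that resolver must be a local, validating one (assumed: 127.0.0.1)."""
import socket
import struct

QTYPE_TLSA = 52
QCLASS_IN = 1
FLAG_AD = 0x0020   # Authenticated Data
FLAG_TC = 0x0200   # TrunCation
FLAG_RD = 0x0100   # Recursion Desired


def build_query(name, qtype=QTYPE_TLSA, txid=0x1234):
    """Build a DNS query; AD set in a query asks the resolver to report
    validation status in its answer (RFC 6840, section 5.7)."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_name(msg, offset):
    """Decode a possibly compressed owner name; return (name, offset after it)."""
    labels, end, jumped, hops = [], None, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg):
    """Return the flags that matter for DANE plus any TLSA records in the
    answer section as (owner, usage, selector, matching_type, hex_data)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    result = {
        "ad": bool(flags & FLAG_AD),
        "tc": bool(flags & FLAG_TC),
        "rcode": flags & 0x000F,
        "tlsa": [],
    }
    offset = 12
    for _ in range(qd):                    # skip the echoed question
        _name, offset = parse_name(msg, offset)
        offset += 4                        # QTYPE + QCLASS
    for _ in range(an):
        owner, offset = parse_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == QTYPE_TLSA and rdlen >= 3:
            result["tlsa"].append((owner, rdata[0], rdata[1], rdata[2], rdata[3:].hex()))
    return result


def check_resolver(name="_25._tcp.dane.sys4.de", resolver="127.0.0.1", timeout=5.0):
    """Send one UDP query to the resolver and parse the reply (needs network)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_response(reply)


def verdict(result):
    """Summarise a parsed reply the way the thread frames the problem."""
    if result["rcode"] != 0:
        return "lookup failed (rcode %d)" % result["rcode"]
    if not result["tlsa"]:
        return "no TLSA records in answer"
    if not result["ad"]:
        return "TLSA records returned without AD bit: not usable for DANE"
    return "TLSA records returned with AD bit: usable for DANE"


if __name__ == "__main__":
    res = check_resolver()
    for owner, usage, selector, mtype, data in res["tlsa"]:
        print("%s IN TLSA %d %d %d %s" % (owner, usage, selector, mtype, data))
    print(verdict(res))
```

Run it against the resolver named in /etc/resolv.conf and, for comparison, against a public resolver: a validating local resolver answers with the AD bit, while a non-validating or remote one returns the same TLSA record without it, which is the situation posttls-finger reports as "no TLSA records found".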
