DANE broken @ addons.mozilla.org?
Simson Garfinkel
simsong at acm.org
Wed Oct 14 18:25:20 CEST 2015
> On Oct 13, 2015, at 3:42 PM, Andreas Pothe <mailinglisten+spamtrap at pothe.de> wrote:
>
> Hi,
>
> can you confirm that addons.mozilla.org has a broken DANE entry?
> The DNSSEC Validator plugin in Firefox says "no DNSSEC at
> addons.mozilla.org" but "invalid DNSSEC signature".
Correct. There is no DNSSEC.
Test # Host IP Status Test Description (§ Section)
103 addons.mozilla.org FAILED Service hostname must have matching TLSA record
Resolving TLSA records for hostname '_443._tcp.addons.mozilla.org'
SECURE DNS CNAME lookup addons.mozilla.org = addons.dynect.mozilla.net.
102 PASSED if at any stage of recursive expansion an "insecure" CNAME record is encountered, then it and all subsequent results (in particular, the final result) MUST be considered "insecure" regardless of whether any earlier CNAME records leading to the "insecure" record were "secure". (§2.1.3)
Expanding CNAME addons.mozilla.org to addons.dynect.mozilla.net.
INSECURE DNS A lookup addons.dynect.mozilla.net. = 63.245.216.132
205 addons.mozilla.org 63.245.216.132 PASSED Server must have End Entity Certificate
Fetching EE Certificate for addons.mozilla.org from 63.245.216.132 port 443 via https
306 a 63.245.216.132 Server EE Certificate does not PKIX Verify
Checking EE Certificate 'addons.mozilla.org' against system anchors
307 a 63.245.216.132 FAILED "When name checks are applicable (certificate usage DANE-TA(2)), if the server certificate contains a Subject Alternative Name extension ([RFC5280]), with at least one DNS-ID ([RFC6125]) then only the DNS- IDs are matched against the client's reference identifiers.... The server certificate is considered matched when one of its presented identifiers ([RFC5280]) matches any of the client's reference identifiers." (§3.2.3)
Hostname addons.mozilla.org does not match EE Certificate Common Name 'addons.mozilla.org'
403 addons.mozilla.org FAILED All IP addresses for a host that is TLSA protected must TLSA verify
Validating TLSA records for 0 out of 1 IP addresses found for host addons.mozilla.org
405 FAILED All DNS lookups must be secured by DNSSEC
404 FAILED No HTTP DANE test may fail
Were any DANE HTTP tests a hard fail?
Using OpenSSL Version 1.0.2d 9 Jul 2015
>
> CU
> Andreas
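The CNAME rule from test 102 above, applied in code. This is an added example, not part of the thread or of the test tool whose output is quoted: the in-memory DNS answers (modelled on the quoted output, plus hypothetical example.test names for the all-secure contrast case) and the Answer/expand/dane_status helpers are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Answer:
    rtype: str    # "CNAME" or "A"
    rdata: str    # CNAME target or IPv4 address
    secure: bool  # True when the validating resolver returned it with AD set

# Constructed resolver view modelled on the test output in the post: the
# CNAME in mozilla.org is signed, the target zone mozilla.net is not.
ZONE_ADDONS = {
    "addons.mozilla.org.": Answer("CNAME", "addons.dynect.mozilla.net.", True),
    "addons.dynect.mozilla.net.": Answer("A", "63.245.216.132", False),
}
# Constructed contrast case (hypothetical names): every hop is secure.
ZONE_SECURE = {
    "www.example.test.": Answer("CNAME", "cdn.example.test.", True),
    "cdn.example.test.": Answer("A", "192.0.2.10", True),
}

def expand(name, zone, max_hops=8):
    """Follow the CNAME chain from `name`; return (final_name, address, secure).
    `secure` is the AND of every hop's status: one insecure hop makes the final
    result insecure whatever came before it (the rule quoted under test 102)."""
    secure = True
    for _ in range(max_hops):
        ans = zone.get(name)
        if ans is None:
            raise LookupError(f"no answer for {name}")
        secure = secure and ans.secure
        if ans.rtype != "CNAME":
            return name, ans.rdata, secure
        name = ans.rdata
    raise LookupError("CNAME chain longer than max_hops")

def dane_status(name, zone, port=443, proto="tcp"):
    """Which TLSA name a client would query for `name`, and whether an insecure
    address lookup already rules DANE out (the gist of tests 102 and 405)."""
    final, addr, secure = expand(name, zone)
    return {
        "tlsa_qname": f"_{port}._{proto}.{name}",
        "final_name": final,
        "address": addr,
        "chain_secure": secure,
        # A TLSA record is only trustworthy when the whole lookup is secure.
        "dane_usable": secure,
    }
```

Running dane_status on the modelled addons.mozilla.org data yields chain_secure False, matching the FAILED verdict of test 405 in the quoted output.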