DANE broken @ addons.mozilla.org?

Simson Garfinkel simsong at acm.org
Wed Oct 14 18:25:20 CEST 2015

> On Oct 13, 2015, at 3:42 PM, Andreas Pothe <mailinglisten+spamtrap at pothe.de> wrote:
> Hi,
> can you confirm that addons.mozilla.org has a broken DANE entry?
> The DNSSEC Validator plugin in Firefox says "no DNSSEC at
> addons.mozilla.org" but "invalid DNSSEC signature".

Correct. There is no DNSSEC.

Test #	Host	IP	Status	Test Description (§ Section)
103	addons.mozilla.org		FAILED	Service hostname must have matching TLSA record
Resolving TLSA records for hostname '_443._tcp.addons.mozilla.org'
SECURE DNS CNAME lookup addons.mozilla.org = addons.dynect.mozilla.net.
102			PASSED	if at any stage of recursive expansion an "insecure" CNAME record is encountered, then it and all subsequent results (in particular, the final result) MUST be considered "insecure" regardless of whether any earlier CNAME records leading to the "insecure" record were "secure". (§2.1.3)
Expanding CNAME addons.mozilla.org to addons.dynect.mozilla.net.
INSECURE DNS A lookup addons.dynect.mozilla.net. =
205	addons.mozilla.org	PASSED	Server must have End Entity Certificate
Fetching EE Certificate for addons.mozilla.org from port 443 via https
306	a		Server EE Certificate does not PKIX Verify
Checking EE Certificate 'addons.mozilla.org' against system anchors
307	a	FAILED	"When name checks are applicable (certificate usage DANE-TA(2)), if the server certificate contains a Subject Alternative Name extension ([RFC5280]), with at least one DNS-ID ([RFC6125]) then only the DNS- IDs are matched against the client's reference identifiers.... The server certificate is considered matched when one of its presented identifiers ([RFC5280]) matches any of the client's reference identifiers." (§3.2.3)
Hostname addons.mozilla.org does not match EE Certificate Common Name 'addons.mozilla.org'
403	addons.mozilla.org		FAILED	All IP addresses for a host that is TLSA protected must TLSA verify
Validating TLSA records for 0 out of 1 IP addresses found for host addons.mozilla.org
405			FAILED	All DNS lookups must be secured by DNSSEC
404			FAILED	No HTTP DANE test may fail
Were any DANE HTTP tests a hard fail?
Using OpenSSL Version 1.0.2d 9 Jul 2015

> CU
> Andreas

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.sys4.de/mailman/private/dane-users/attachments/20151014/99faa004/attachment-0001.html>

More information about the dane-users mailing list