Re: [dane] Middlebox DANE validation for HTTPS

"A. Schulze" <> Thu, 06 July 2017 22:06 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1966A126D46 for <>; Thu, 6 Jul 2017 15:06:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 10kQlrrTxm0D for <>; Thu, 6 Jul 2017 15:06:49 -0700 (PDT)
Received: from ( [IPv6:2001:470:77b3:100::7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B1778124217 for <>; Thu, 6 Jul 2017 15:06:49 -0700 (PDT)
Received: from [IPv6:2001:470:77b3:50:d151:c5bf:5f64:2f73] (unknown [IPv6:2001:470:77b3:50:d151:c5bf:5f64:2f73]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (Client did not present a certificate) (Authenticated sender: by (Postfix) with ESMTPSA id 3x3Wzp34QtzMsDZl for <>; Fri, 7 Jul 2017 00:06:45 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=ybz; t=1499378806; bh=P4Gcg9XsszcR3B2mLYi1829D8A74YcOtKTRW+EReTBM=; h=Subject:To:References:From:Date:In-Reply-To; b=OePXViVqVzuyeefLzsBQZCbFrdMJeGufrtrfgpyPMDPDzAZltLi0JfLylq/KwvOna srbSmdhwywRKC9U4TZfZQd/C3Ghh3LkfHSg6vorQCh7YZ9YbwmyL3EbfAcqJWKMjJk 95uwvx0+UEk/zox/VxTkpqA7gVk+60i7qzpUdzO5KvafoDMCsXq9edoMHwK2rzPZ1f J7CilYqAd07MBt58zayt4IOLA8vhDSNug+gf6RSmlkPjyrZmg5/64yZ6/RIlZH/jFj Hk73ht60O/bOgGYTQxA7qw96b/+7TDP9hHUIrsaSEySVQeeQRZ3StXiDZ+e7UW+3uO ITMdf9ft0UJNQ==
References: <>
From: "A. Schulze" <>
Message-ID: <>
Date: Fri, 7 Jul 2017 00:04:17 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <>
Subject: Re: [dane] Middlebox DANE validation for HTTPS
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: DNS-based Authentication of Named Entities <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 06 Jul 2017 22:06:52 -0000

Am 06.07.2017 um 21:43 schrieb Andrew McConachie:
> Attached is a presentation I gave at the ICANN 59 DNSSEC Workshop in Johannesburg last week. This is a project I've been working on for a few months and have been successfully running on a LEDE device. It currently has a deployment count of 1, but I'm curious to hear what this mailing list thinks of it.


but that mode of operation could not inform the user/client about a problem. This may increase the support effort.
Users must be aware of such kind of protection. It's really hard to identify "website unavailable" as a DANE validation error...