Re: [dane] NIST DANE Tester Announcement

Bry8 Star <> Thu, 07 November 2013 12:03 UTC

Will it be possible to add another textbox/input field to this
tester site, for the DANE-signed domain name that will be tested, to
allow upload of a .pem, .crt or .cer file which will be used with the
HTTPS web server, or with another scheme-based server? Or a textbox
to "paste" the cert or cert-chain from such a file. So that the
test can show result info by ruling out that a TLS/SSL cert or
cert-chain used by the DANE-signed site was not present on the
visitor's/client-side web browser/OS.

My understanding is that this will allow really TESTING the DANE/TLSA
"Usage" 2 and 3 cases.

If you do not have the domain owner's (TLSA "Usage" case 2's or 3's)
TLS/SSL cert or cert-chain file, then will your test result not
always fail for those TWO "Usage" cases?

- - - - - -

For users to test DANE+DNSSEC from their own location/computer,
mentioned below is one (or, at a long shot, two) option(s), out of
a few other options:

If a local, fully DNSSEC-supporting DNS server or DNS resolver software
is present (for more accurate tests) on the local computer or local
(trusted) LAN, or in a (local) VM.

Then Mozilla Firefox, up to v24.0 (or other Firefox/Gecko/XULRunner
based web browsers, like GNU IceCat, Iceweasel, etc.), can have
partial DANE awareness by loading the "Extended DNSSEC Validator"
("EDV", a Firefox addon/extension from ); this addon helps
to display info/icon related to DANE/TLSA "Usage" 2 & 3, but has no
support for Usage 0 or 1 yet. This addon also has DNSSEC awareness
and can display info related to DNSSEC authentication; it can also
display info on SSL/TLS cert verification (and certificate-chain
verification), etc.

But EDV v0.5 (mozilla), v0.6 (github) and v0.8 (github) none worked
on Firefox v25.0 or later, last tested on Nov 5, 2013. Based on the EDV
author's response, it seems he is not interested in continuing
development anymore.

And the developer/dev group of "DNSSEC-Validator" (another Firefox
addon, from CZ.NIC) said on the mailing list that they will add support
for DANE from next month. Currently it supports displaying only
DNSSEC-related (except DANE) info/icon.

- - Bright Star.
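The check the question above is about, comparing a server's certificate (or chain) against a TLSA record for usage 2 and 3 on the client side, as an added Python example that is not part of this message or of the NIST tester. It builds a constructed, unsigned DER certificate for the sample instead of a real one, and the minimal DER helpers are assumptions standing in for a proper X.509 library.

```python
import hashlib

def der(tag, body):
    """Encode one short-form DER TLV (body < 128 bytes; enough for the constructed sample)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def der_children(body):
    """Split the body of a DER SEQUENCE into (tag, value, raw_tlv) triples; handles long-form lengths."""
    out, i = [], 0
    while i < len(body):
        start, tag, ln, i = i, body[i], body[i + 1], i + 2
        if ln & 0x80:                       # long form: the next (ln & 0x7F) bytes hold the length
            n = ln & 0x7F
            ln = int.from_bytes(body[i:i + n], "big")
            i += n
        out.append((tag, body[i:i + ln], body[start:i + ln]))
        i += ln
    return out

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of a DER certificate (TLSA selector 1)."""
    tbs = der_children(der_children(cert_der)[0][1])[0]      # outer Certificate -> tbsCertificate
    fields = der_children(tbs[1])
    if fields[0][0] == 0xA0:                                  # skip the optional explicit [0] version
        fields = fields[1:]
    return fields[5][2]       # serial, signature alg, issuer, validity, subject, then SPKI

def tlsa_assoc_data(cert_der, selector, matching_type):
    """RFC 6698 association data: selector 0 = full cert, 1 = SPKI; matching 0/1/2 = raw/SHA-256/SHA-512."""
    payload = cert_der if selector == 0 else extract_spki(cert_der)
    return {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}[matching_type](payload)

def tlsa_matches(record, chain_der):
    """record = (usage, selector, matching_type, data); chain_der = [end-entity, issuer, ...] in DER.
    Usage 3 (DANE-EE) must match the end-entity cert; usage 2 (DANE-TA) must match some cert in the
    presented chain (PKIX path building up to that anchor, and usages 0/1, are out of scope here)."""
    usage, selector, matching_type, data = record
    candidates = chain_der[:1] if usage == 3 else chain_der if usage == 2 else []
    return any(tlsa_assoc_data(c, selector, matching_type) == data for c in candidates)

def build_sample_cert(spki_body):
    """Constructed sample: a structurally minimal, unsigned X.509 DER certificate (not a real cert)."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, b"") * 4 + der(0x30, spki_body))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

# Constructed SPKI bodies (an OID plus a dummy BIT STRING) for a sample end-entity cert and its issuer.
EE_SPKI = der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")) + der(0x03, b"\x00" + b"\x11" * 17)
CA_SPKI = der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")) + der(0x03, b"\x00" + b"\x22" * 17)
CHAIN = [build_sample_cert(EE_SPKI), build_sample_cert(CA_SPKI)]
```

A "3 1 1" record holds `tlsa_assoc_data(CHAIN[0], 1, 1)` and a "2 1 1" record holds the same for `CHAIN[1]`; without the server's certificate bytes, neither comparison can be made, which is the gap the question points at.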

Received from Stephen Nightingale, on 2013-11-06 8:58 AM:
> For those DANEs who are in Vancouver, you can talk to Scott Rose or
> Doug Montgomery about this. Doug will be at the informal DANE lunch
> tomorrow.
> ========
> NIST has developed a test system for the RFC 6698 DANE protocol.
> DANE seeks to verify PKIX certificate based Transport Layer Security
> (RFC 5246 TLS) connections using the Domain Name System as secured
> by DNSSEC.
> The NIST DANE test system has three modes of operation:
> - Test your DANE enabled site:
>    Enter the URL of a site for which a DANE TLSA resource record is
> provisioned. The system will negotiate the connection, verify with
> DANE and get the web page - or provide failure diagnostics.
> - A reference test set to test your browser in response to all
> possible DANE configurations.
> - If your browser is NOT DANE enabled, a reference test set to test
> a DANE client's response to all possible configurations and return
> the results to your browser.
> The site is up and available for testing - But it is still early
> days and there may be occasional outages. Please be patient and/or
> let us know.
> Stephen Nightingale, NIST
> HAD Pilot Program