Re: [dane] Two additions to draft-york-dane-deployment-observations-00

Paul Wouters <paul@nohats.ca> Mon, 10 November 2014 05:36 UTC

Date: Mon, 10 Nov 2014 00:36:41 -0500
From: Paul Wouters <paul@nohats.ca>
To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
In-Reply-To: <20141109035925.GA20946@laperouse.bortzmeyer.org>
Message-ID: <alpine.LFD.2.10.1411100035410.11243@bofh.nohats.ca>
References: <20141107232915.GA31913@laperouse.bortzmeyer.org> <6DB8CC95-E47A-4C0B-BC0B-7D9A4F8F65B5@edvina.net> <20141109035925.GA20946@laperouse.bortzmeyer.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/q2d3ynKCt2gYpTV8g-0lxB7BiwU
Cc: dane WG list <dane@ietf.org>

On Sat, 8 Nov 2014, Stephane Bortzmeyer wrote:

> I was not talking about DNSsec monitoring (I already use it, otherwise
> I would never have deployed DNSsec in production for serious domains)
> but about DANE monitoring: get the TLSA record, open a TLS connection,
> get the certificate, check that it is consistent with what the TLSA
> record announces.

https://www.dnssec-validator.cz/

DNSSEC/TLSA Validator is a web browser add-on which allows you to check
the existence and validity of DNS Security Extensions (DNSSEC) records
and Transport Layer Security Association (TLSA) records related to
domain names. Results of these checks are displayed by using icons and
information texts in the page’s address-bar or browser tool-bar.
Currently, Internet Explorer (IE), Mozilla Firefox (MF), Google
Chrome/Chromium (GC), Opera (OP), Apple Safari (AS) are supported.
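The monitoring loop Stephane describes (fetch the TLSA record, take the certificate from the TLS handshake, compare the two) reduces to one well-defined check: recompute the certificate association data from the presented certificate using the record's selector and matching type, and compare it with the record's data. The following is an added, stand-alone example written for this thread; it is not code from the mailing list or from the DNSSEC/TLSA Validator add-on. It assumes the caller has already obtained the TLSA RRset through a DNSSEC-validating resolver (the Python standard library cannot look up TLSA; a library such as dnspython would be used) and has the leaf certificate DER from the handshake, e.g. `ssl.SSLSocket.getpeercert(binary_form=True)`, plus the certificate's SubjectPublicKeyInfo DER extracted by an X.509 library. The certificate and SPKI bytes below are constructed placeholders, not a real certificate.

```python
"""Offline check: does a TLSA record match the certificate a server presented?

Added example for the DANE monitoring question in this thread.
Assumptions (not part of the original message):
  - the TLSA RRset was fetched via a DNSSEC-validating resolver elsewhere,
  - cert_der is the leaf certificate from the TLS handshake,
  - spki_der is that certificate's SubjectPublicKeyInfo, extracted by the caller.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes         # certificate association data


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse presentation format '<usage> <selector> <mtype> <hex>'.

    The hex field may contain whitespace, as dig prints long records.
    """
    fields = presentation.split(None, 3)
    if len(fields) != 4:
        raise ValueError("TLSA record needs four fields")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA usage, selector or matching type")
    data = bytes.fromhex("".join(fields[3].split()))
    # A digest of the wrong length can never match; reject it early.
    if (mtype == 1 and len(data) != 32) or (mtype == 2 and len(data) != 64):
        raise ValueError("association data length does not fit the matching type")
    return TLSARecord(usage, selector, mtype, data)


def association_data(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Recompute what the record's data field should contain for this certificate."""
    selected = cert_der if record.selector == 0 else spki_der
    if record.matching_type == 0:
        return selected
    if record.matching_type == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the certificate is consistent with what the TLSA record announces."""
    expected = association_data(record, cert_der, spki_der)
    return hmac.compare_digest(expected, record.data)


def monitor_leaf(records: list, cert_der: bytes, spki_der: bytes) -> dict:
    """Evaluate an RRset against the leaf certificate only.

    Usages 1 and 3 (end-entity) are checked here. Usages 0 and 2 name an
    issuer or trust anchor in the chain, which a leaf-only check cannot
    confirm; they are counted as 'unchecked' so the monitor can report them.
    """
    matched = False
    unchecked = 0
    for rec in records:
        if rec.usage in (1, 3):
            matched = matched or tlsa_matches(rec, cert_der, spki_der)
        else:
            unchecked += 1
    return {"matched": matched, "unchecked": unchecked}


# Constructed placeholders standing in for real DER bytes from a handshake.
SAMPLE_CERT_DER = b"constructed-placeholder-not-a-real-x509-certificate"
SAMPLE_SPKI_DER = b"constructed-placeholder-subject-public-key-info"

# A 3 1 1 record (DANE-EE, SPKI, SHA-256) published for the sample key ...
SAMPLE_RECORD_OK = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest()
# ... and the same digest published with selector 0 (full cert), which must fail.
SAMPLE_RECORD_WRONG_SELECTOR = "3 0 1 " + hashlib.sha256(SAMPLE_SPKI_DER).hexdigest()
# A DANE-TA record the leaf-only monitor cannot confirm.
SAMPLE_RECORD_TA = "2 1 1 " + "00" * 32


def demo() -> dict:
    """Run the check over the constructed RRset and return the report."""
    rrset = [parse_tlsa(r) for r in (SAMPLE_RECORD_OK, SAMPLE_RECORD_TA)]
    return monitor_leaf(rrset, SAMPLE_CERT_DER, SAMPLE_SPKI_DER)


if __name__ == "__main__":
    print(demo())
```

In a live monitor the RRset comes back with its validation status, so a record that fails DNSSEC validation should be treated as absent rather than fed to `tlsa_matches`; and because "3 1 1" pins the key rather than the certificate, a routine certificate renewal that keeps the same key pair still matches, which is exactly the property a monitor wants to confirm after each rollover.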