
7 Sep 2015, 10:10 p.m.
On Mon, Sep 07, 2015 at 03:47:27PM -0400, Simson Garfinkel wrote:
Thanks. I've fixed the sequencing issue.
There may also be some DNSSEC issues.
The DNS for the TLSA records of openssl.org is fine, modulo a minor inconsistency of NS RRs at the delegation from .org vs. the zone apex.
http://dnsviz.net/d/_25._tcp.mta.openssl.org/dnssec/
And yet the validator claims the TLSA RRset is "bogus", reports failure:
http://ec2.simson.net/dane_check.cgi?host=openssl.org
BOGUS DNS CNAME lookup _25._tcp.mta.openssl.org. = wildcard._dane.openssl.org.
Something's not quite right here...
--
Viktor.