7 Sep
2015
7 Sep
'15
10:46 p.m.
On Mon, Sep 07, 2015 at 08:10:38PM +0000, Viktor Dukhovni wrote:
And yet the validator claims the TLSA RRset is "bogus", reports failure:
http://ec2.simson.net/dane_check.cgi?host=openssl.orgBOGUS DNS CNAME lookup _25._tcp.mta.openssl.org. = wildcard._dane.openssl.org.
Something's not quite right here...
The issue seems to be systemic:
http://ec2.simson.net/dane_check.cgi?host=nlnetlabs.nl
BOGUS DNS CNAME lookup _25._tcp.nlnetlabs.nl = 3.1.1._dane-both.nlnetlabs.nl.
http://ec2.simson.net/dane_check.cgi?host=spodhuis.org
BOGUS DNS CNAME lookup _25._tcp.mx.spodhuis.org. = _globnix-tlsa.spodhuis.org.
http://ec2.simson.net/dane_check.cgi?host=wizmail.org
BOGUS DNS CNAME lookup _25._tcp.wizmail.org. = _cert301.wizmail.org.
All three are in fact fine. So the handling of TLSA CNAMEs seems to be broken.
--
Viktor.