On Oct 13, 2015, at 3:42 PM, Andreas Pothe mailinglisten+spamtrap@pothe.de wrote:
Hi,
can you confirm that addons.mozilla.org has a broken DANE entry? The DNSSEC Validator plugin in Firefox says "no DNSSEC at addons.mozilla.org" but "invalid DNSSEC signature".
Correct. There is no DNSSEC.
Test # Host IP Status Test Description (§ Section) 103 addons.mozilla.org FAILED Service hostname must have matching TLSA record Resolving TLSA records for hostname '_443._tcp.addons.mozilla.org' SECURE DNS CNAME lookup addons.mozilla.org = addons.dynect.mozilla.net. 102 PASSED if at any stage of recursive expansion an "insecure" CNAME record is encountered, then it and all subsequent results (in particular, the final result) MUST be considered "insecure" regardless of whether any earlier CNAME records leading to the "insecure" record were "secure". (§2.1.3) Expanding CNAME addons.mozilla.org to addons.dynect.mozilla.net. INSECURE DNS A lookup addons.dynect.mozilla.net. = 63.245.216.132 205 addons.mozilla.org 63.245.216.132 PASSED Server must have End Entity Certificate Fetching EE Certificate for addons.mozilla.org from 63.245.216.132 port 443 via https 306 a 63.245.216.132 Server EE Certificate does not PKIX Verify Checking EE Certificate 'addons.mozilla.org' against system anchors 307 a 63.245.216.132 FAILED "When name checks are applicable (certificate usage DANE-TA(2)), if the server certificate contains a Subject Alternative Name extension ([RFC5280]), with at least one DNS-ID ([RFC6125]) then only the DNS- IDs are matched against the client's reference identifiers.... The server certificate is considered matched when one of its presented identifiers ([RFC5280]) matches any of the client's reference identifiers." (§3.2.3) Hostname addons.mozilla.org does not match EE Certificate Common Name 'addons.mozilla.org' 403 addons.mozilla.org FAILED All IP addresses for a host that is TLSA protected must TLSA verify Validating TLSA records for 0 out of 1 IP addresses found for host addons.mozilla.org 405 FAILED All DNS lookups must be secured by DNSSEC 404 FAILED No HTTP DANE test may fail Were any DANE HTTP tests a hard fail? Using OpenSSL Version 1.0.2d 9 Jul 2015
CU Andreas