On Oct 13, 2015, at 3:42 PM, Andreas Pothe <mailinglisten+spamtrap@pothe.de> wrote:Hi,
can you confirm that addons.mozilla.org has a broken DANE entry?
The DNSSEC Validator plugin in Firefox says "no DNSSEC at
addons.mozilla.org" but "invalid DNSSEC signature".
| Test # | Host | IP | Status | Test Description (§ Section) |
|---|---|---|---|---|
| 103 | addons.mozilla.org | FAILED | Service hostname must have matching TLSA record Resolving TLSA records for hostname '_443._tcp.addons.mozilla.org' | |
| SECURE DNS CNAME lookup addons.mozilla.org = addons.dynect.mozilla.net. | ||||
| 102 | PASSED | if at any stage of recursive expansion an "insecure" CNAME record is encountered, then it and all subsequent results (in particular, the final result) MUST be considered "insecure" regardless of whether any earlier CNAME records leading to the "insecure" record were "secure". (§2.1.3) Expanding CNAME addons.mozilla.org to addons.dynect.mozilla.net. | ||
| INSECURE DNS A lookup addons.dynect.mozilla.net. = 63.245.216.132 | ||||
| 205 | addons.mozilla.org | 63.245.216.132 | PASSED | Server must have End Entity Certificate Fetching EE Certificate for addons.mozilla.org from 63.245.216.132 port 443 via https |
| 306 | a | 63.245.216.132 | Server EE Certificate does not PKIX Verify Checking EE Certificate 'addons.mozilla.org' against system anchors | |
| 307 | a | 63.245.216.132 | FAILED | "When name checks are applicable (certificate usage DANE-TA(2)), if the server certificate contains a Subject Alternative Name extension ([RFC5280]), with at least one DNS-ID ([RFC6125]) then only the DNS- IDs are matched against the client's reference identifiers.... The server certificate is considered matched when one of its presented identifiers ([RFC5280]) matches any of the client's reference identifiers." (§3.2.3) Hostname addons.mozilla.org does not match EE Certificate Common Name 'addons.mozilla.org' |
| 403 | addons.mozilla.org | FAILED | All IP addresses for a host that is TLSA protected must TLSA verify Validating TLSA records for 0 out of 1 IP addresses found for host addons.mozilla.org | |
| 405 | FAILED | All DNS lookups must be secured by DNSSEC | ||
| 404 | FAILED | No HTTP DANE test may fail Were any DANE HTTP tests a hard fail? | ||
| Using OpenSSL Version 1.0.2d 9 Jul 2015 | ||||
CU
Andreas