On Tue, Oct 13, 2015 at 09:42:37PM +0200, Andreas Pothe wrote:
> Can you confirm that addons.mozilla.org has a broken DANE entry?
No, not DANE (in fact no TLSA records published). Rather, they have DNS nameserver issues:
http://dnsviz.net/d/_443._tcp.addons.mozilla.net/dnssec/
The akamai nameservers are returning non-authoritative NXDOMAIN responses with no SOA record! The responses should be authoritative and have an SOA.
    $ dig +nocl +nottl +noall +ans -t ns mozilla.net. | sort
    mozilla.net. NS ns1-240.akam.net.
    mozilla.net. NS ns4-64.akam.net.
    mozilla.net. NS ns5-65.akam.net.
    mozilla.net. NS ns7-66.akam.net.
    == ns1-240.akam.net. ==
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16722
    ;; flags: qr ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
    ;_443._tcp.addons.mozilla.net. IN TLSA
    7ua25hcif8m3f9dn4r67o9jrq23m3es2.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 7VVRF81RVM4D4L0GND2F4P6GSI7J5U3O
    k9eqs0i0lqadl5cpqgag41injcinasl5.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 KBFQEIE3OI3RIEOP6DPO0ITJBJPV7Q4B CNAME RRSIG
    kcer05tvt52vv1u1nen7sb239uiocqth.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 KITA65J7E621QLTTVMM8PJ0L92MQ82AP A RRSIG

    == ns4-64.akam.net. ==
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22618
    ;; flags: qr ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
    ;_443._tcp.addons.mozilla.net. IN TLSA
    7ua25hcif8m3f9dn4r67o9jrq23m3es2.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 7VVRF81RVM4D4L0GND2F4P6GSI7J5U3O
    k9eqs0i0lqadl5cpqgag41injcinasl5.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 KBFQEIE3OI3RIEOP6DPO0ITJBJPV7Q4B CNAME RRSIG
    kcer05tvt52vv1u1nen7sb239uiocqth.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 KITA65J7E621QLTTVMM8PJ0L92MQ82AP A RRSIG

    == ns5-65.akam.net. ==
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44991
    ;; flags: qr ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
    ;_443._tcp.addons.mozilla.net. IN TLSA
    7ua25hcif8m3f9dn4r67o9jrq23m3es2.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 7VVRF81RVM4D4L0GND2F4P6GSI7J5U3O
    k9eqs0i0lqadl5cpqgag41injcinasl5.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 KBFQEIE3OI3RIEOP6DPO0ITJBJPV7Q4B CNAME RRSIG
    kcer05tvt52vv1u1nen7sb239uiocqth.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 KITA65J7E621QLTTVMM8PJ0L92MQ82AP A RRSIG

    == ns7-66.akam.net. ==
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11058
    ;; flags: qr ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
    ;_443._tcp.addons.mozilla.net. IN TLSA
    7ua25hcif8m3f9dn4r67o9jrq23m3es2.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 7VVRF81RVM4D4L0GND2F4P6GSI7J5U3O
    k9eqs0i0lqadl5cpqgag41injcinasl5.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 KBFQEIE3OI3RIEOP6DPO0ITJBJPV7Q4B CNAME RRSIG
    kcer05tvt52vv1u1nen7sb239uiocqth.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 KITA65J7E621QLTTVMM8PJ0L92MQ82AP A RRSIG
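
Added example, not part of the original message: a small Python check for the two defects named above (no `aa` flag, no SOA in the authority section) in saved dig output. The function names and the `HEALTHY` sample are constructed for illustration; `BROKEN` is abridged from the ns1-240.akam.net. response quoted above. It assumes one record per line and that all record lines belong to the authority section (ANSWER: 0).

```python
import re

CLASSES = {"IN", "CH", "HS"}

def parse_dig(text):
    """Return (status, header flags, record types) from dig output text."""
    status, flags, types = None, set(), []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.search(r"status:\s*(\w+)", line)
        if line.startswith(";;") and m:
            status = m.group(1)
        m = re.match(r";;\s*flags:\s*([a-z ]*);", line)
        if m:
            flags = set(m.group(1).split())
        if not line or line.startswith(";"):
            continue  # comments, header lines, question section
        # Record line: owner [ttl] [class] TYPE rdata...
        fields = line.split()[1:]
        while fields and (fields[0].isdigit() or fields[0] in CLASSES):
            fields.pop(0)
        if fields:
            types.append(fields[0])
    return status, flags, types

def negative_response_problems(text):
    """List what is wrong with a negative answer from an authoritative server."""
    status, flags, types = parse_dig(text)
    problems = []
    if "aa" not in flags:
        problems.append("non-authoritative (aa flag not set)")
    if "SOA" not in types:
        problems.append("no SOA record in authority section")
    return status, problems

# Abridged from the response quoted in the message above.
BROKEN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16722
;; flags: qr ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1
;_443._tcp.addons.mozilla.net. IN TLSA
kcer05tvt52vv1u1nen7sb239uiocqth.mozilla.net. NSEC3 1 0 1 D11356D2D2F17989 KITA65J7E621QLTTVMM8PJ0L92MQ82AP A RRSIG
"""

# Constructed sample of a well-formed negative response (example.net is a placeholder).
HEALTHY = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;_443._tcp.www.example.net. IN TLSA
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 1 7200 3600 1209600 3600
"""

if __name__ == "__main__":
    for name, sample in (("BROKEN", BROKEN), ("HEALTHY", HEALTHY)):
        print(name, negative_response_problems(sample))
```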