
The dnssec-validator.cz team released an updated version of their plugin with added support for validating TLSA records; you can get it here for Firefox, Chrome and Internet Explorer across multiple platforms and 32- and 64-bit architectures.


I went to the UK FLOSS unconference at the BCS on Saturday. Quite a few people were interested in DNSSEC so I gave a (hastily) updated version of the talk I did at EMFCamp.

You can find the slides here

tags: dnssec talks

September 24, 2013 : Small DNSSEC/TLSA update

I noticed a few days ago that Postfix had TLSA support added.

I also noticed that there's now another TLSA plugin for Firefox, DANE Patrol; unfortunately it doesn't seem to work very well :(

September 13, 2011 : ipv6 nearly done

I've now got IPv6 glue in the roots for pointless.net, and changed to secondary nameservers that are on IPv6 and also do DNSSEC.

The only thing that's missing is that the blockhosts script (and anti ssh scanner script) doesn't seem to do IPv6 properly; I'll fix it when I get a chance.

I can really recommend the Hurricane Electric tunnel service; it's really straightforward to get running and the certification is a great learning aid.

IPv6 Certification Badge for JasperWallace

September 7, 2011 : DNSSEC Update

It's running but the lack of secure secondaries is definitely a problem.

There's a more advanced Firefox DNSSEC validator add-on here; it has a mechanism based on the DANE drafts to stash an SSL cert fingerprint into DNS. I've put the records in the pointless.net zone, but not tried the validator; it's for Firefox 4 only.
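To make the "cert fingerprint in DNS" mechanism concrete, here is an added example (not code from the post or from the add-on) that builds a DANE TLSA record from a certificate's DER bytes and performs the client-side match. It assumes the full-certificate selector (0) and the exact / SHA-256 / SHA-512 matching types from RFC 6698; the certificate bytes are a constructed stand-in, and the usage value 3 (DANE-EE) is chosen as an assumption for a self-signed or CAcert-style certificate.

```python
import hashlib
import hmac

# Constructed stand-in for a DER-encoded certificate; a real deployment would
# read the server certificate's DER bytes (e.g. from the .crt file) instead.
SAMPLE_CERT_DER = bytes(range(256)) * 4

# TLSA field values used below (RFC 6698 names in comments)
USAGE_DANE_EE = 3          # domain-issued certificate; no CA path validation
SELECTOR_FULL_CERT = 0     # association data derived from the whole certificate
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


def tlsa_owner(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name the TLSA record is published under, e.g. _443._tcp.pointless.net."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def association_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    """Certificate association data for the given selector and matching type."""
    if selector != SELECTOR_FULL_CERT:
        # Selector 1 (SubjectPublicKeyInfo only) needs a DER parser; out of scope here.
        raise ValueError("only selector 0 (full certificate) is supported in this example")
    if matching == MATCH_EXACT:
        return cert_der
    if matching == MATCH_SHA256:
        return hashlib.sha256(cert_der).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_rdata(cert_der: bytes, usage: int = USAGE_DANE_EE,
               selector: int = SELECTOR_FULL_CERT, matching: int = MATCH_SHA256) -> str:
    """Presentation-format RDATA: '<usage> <selector> <matching> <hex association data>'."""
    assoc = association_data(cert_der, selector, matching)
    return f"{usage} {selector} {matching} {assoc.hex()}"


def tlsa_matches(cert_der: bytes, rdata: str) -> bool:
    """Client-side check: does the presented certificate match this TLSA record?

    Usage 3 needs nothing beyond this match; usages 0 and 1 would additionally
    require normal PKIX chain validation, which is not performed here.
    """
    usage, selector, matching, assoc_hex = rdata.split(maxsplit=3)
    # Zone files may split the hex over several whitespace-separated chunks.
    expected = bytes.fromhex("".join(assoc_hex.split()))
    actual = association_data(cert_der, int(selector), int(matching))
    # Constant-time comparison so timing does not reveal how much of the digest matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Assumed host name; publish the printed line in the zone, then sign the zone.
    print(tlsa_owner("pointless.net"), "IN TLSA", tlsa_rdata(SAMPLE_CERT_DER))
```

The record only helps a client if the zone it lives in is DNSSEC-signed and the client validates the chain; an unsigned TLSA record can be spoofed as easily as any other DNS answer.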

Chrome has something similar but it appears to be the opposite way round: you store the DNSSEC chain of trust in your site's SSL cert and Chrome can verify it. I'm not sure if that's possible with the CAcert certificate I'm using.

tags: dnssec

September 7, 2011 : DNSSEC running, probably.

The pointless.net zone is now signed, and the key is in the ISC DLV system.

If you use the DNSSEC Validator Firefox add-on you get a green key on the left of the address bar for domains that have valid, verified DNSSEC signatures, which is nice.

I'm not 100% sure that pointless.net will always work: the secondaries don't support DNSSEC signing records, even though the zones they are serving are signed. I'll have to play around a bit more and, if needed, change secondaries or see if they can be upgraded.

I'm using the DLV system since, afaict, easyDNS doesn't yet support taking DS records from clients and publishing them to the TLD. I've tried several times to find a registrar that does DNSSEC and lets you just give them the DS records and deal with it; most of the DNSSEC-supporting registrars seem to only support DNSSEC when you use their nameservers, which I don't want to do.

Also useful to know is www.dnssec-failed.org: it's deliberately broken, so you can use it to check that zones with broken signatures do get detected. rhybar.cz and badsign-a.test.dnssec-tools.org are also deliberately broken.

For working domains try ietf.org and the page you are on now.
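The checks described in the last two paragraphs come down to two things a validating resolver tells you: a bogus zone (such as dnssec-failed.org) gets SERVFAIL, and a validated zone comes back with the AD (Authenticated Data) bit set. The following added example (not part of the post, and not from any of the tools it mentions) builds a query that asks for that status and classifies the resolver's reply from its header; the response packets embedded in it are constructed, and the resolver address in the `__main__` block is an assumption.

```python
import socket
import struct

# DNS header flag bits and response codes used below
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2
EDNS_DO = 0x8000  # "DNSSEC OK" bit in the OPT record's extended flags


def encode_name(name: str) -> bytes:
    """Wire-format domain name: length-prefixed labels ending with a zero byte."""
    labels = [label for label in name.strip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Query (type A by default) that asks the resolver to report validation status.

    RD asks for recursion, AD asks the resolver to set AD in its reply if the
    data validated, and the EDNS0 OPT record with DO signals DNSSEC awareness.
    """
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP payload 4096, ext-rcode 0, version 0, flags DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def classify_response(packet: bytes, expected_txid=None) -> str:
    """Classify a resolver's reply as 'secure', 'insecure' or 'bogus'.

    Only the 12-byte header is needed: a validating resolver answers a zone with
    broken signatures with SERVFAIL and a validated zone with AD=1.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, *_ = struct.unpack("!HHHHHH", packet[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    if rcode == RCODE_SERVFAIL:
        return "bogus"
    if rcode != RCODE_NOERROR:
        return f"error rcode {rcode}"
    return "secure" if flags & FLAG_AD else "insecure"


def query_resolver(resolver_ip: str, name: str, timeout: float = 3.0) -> str:
    """Send one UDP query to a resolver and classify the reply (network access required)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        reply, _ = sock.recvfrom(4096)
    return classify_response(reply, expected_txid=0x1234)


# Constructed response headers (no answer section is needed for the classification)
SECURE_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 0)
INSECURE_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
BOGUS_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, 1, 0, 0, 0)

if __name__ == "__main__":
    # Assumed: a validating resolver on loopback. Expect 'secure' for ietf.org
    # and 'bogus' for www.dnssec-failed.org if validation is actually on.
    for host in ("ietf.org", "www.dnssec-failed.org"):
        print(host, query_resolver("127.0.0.1", host))
```

The AD bit is only meaningful when the path between you and the resolver is trusted (a validating resolver on the same host, or a link protected in some other way); an on-path attacker can set AD in a forged reply just as easily as any other bit, so a stub that wants real assurance has to validate the signatures itself.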

