os3sec / Extended-DNSSEC-Validator

Firefox add-on for verification of x509 certificates using DNSSEC as bootstrap mechanism
http://os3sec.org

Support domains secured with DLV #14

Open demize opened 12 years ago

demize commented 12 years ago

I've had to secure my domains with ISC's DLV, since my registrar doesn't support sending DS records to the com zone and one of my domains is a .ca domain. (demize95.com is one of mine, and nohats.ca, while not being mine, is a good example of the problem with not supporting DLV.) CZ.NIC's validator reports them as good, but with this, I just get "This domain is not signed by DNSSEC and can't be validated." even though dig gives headers like this:

root@ns:~/sshfp# dig demize95.com +dnssec @149.20.64.20                         
; <<>> DiG 9.8.1-P1 <<>> demize95.com +dnssec @149.20.64.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44178
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096

(cut off since this is the relevant information)

I'm using those nameservers (OARC's open DNSSEC validating nameservers) on my computer (actually, they're the nameservers my router gives out), so anything that validates DNSSEC should validate my domains, but your tool doesn't for some reason.

JasperWallace commented 12 years ago

There is a patched version of the addon here:

http://people.redhat.com/pwouters/

that supports DLV...
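An added example, not code from the add-on or from the patched version linked above: it reads the dig header lines quoted in the report to show what the resolver is asserting (the `ad` flag), and lists the names an RFC 5074 lookaside validator would query for the DLV record. The function names are hypothetical, and `dlv.isc.org` as the name of ISC's DLV zone is an assumption not stated in the thread.

```python
import re

# Constructed sample: the header lines from the dig output quoted in the report.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44178
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 7
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""

def parse_dig_header(text):
    """Extract the rcode, header flags and EDNS flags from dig's text output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"^;; flags:([^;]*);", text, re.M)
    edns = re.search(r"^; EDNS:.*?flags:([^;]*);", text, re.M)
    return {
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "edns_flags": set(edns.group(1).split()) if edns else set(),
    }

def resolver_verdict(hdr):
    """Classify what the recursive resolver asserts about the answer."""
    if hdr["status"] == "SERVFAIL":
        # Validating resolvers answer SERVFAIL for bogus data,
        # but also for ordinary resolution failures.
        return "servfail"
    if "ra" not in hdr["flags"]:
        return "not-a-recursive-answer"
    if "ad" in hdr["flags"]:
        return "secure"  # resolver validated every RRset in the answer
    return "insecure-or-unvalidated"

def dlv_lookup_names(qname, dlv_zone="dlv.isc.org"):
    """RFC 5074 order: full name under the DLV zone, then strip leading labels."""
    labels = qname.rstrip(".").lower().split(".")
    return [".".join(labels[i:] + [dlv_zone]) + "." for i in range(len(labels))]

if __name__ == "__main__":
    hdr = parse_dig_header(SAMPLE)
    print(resolver_verdict(hdr), sorted(hdr["edns_flags"]))
    print(dlv_lookup_names("demize95.com"))
```

The `ad` flag is the resolver's claim, so a client that relies on it is trusting both the resolver and the network path to it.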