test message
Bjørn Mork
bjorn at mork.no
Wed Apr 11 20:15:12 UTC 2018
/dev/rob0 <rob0 at gmx.co.uk> writes:
> If this doesn't arrive on the list right away it might mean that
> ISC's TLSA records were not updated yet for the new certificates. :)
Does not look like it to me:
bjorn at canardo:~$ tlsa -dv lists.isc.org
Received the following record for name _443._tcp.lists.isc.org.:
Usage: 3 (End-Entity [DANE-EE])
Selector: 0 (Certificate [Cert])
Matching Type: 1 (SHA-256)
Certificate for Association: 9c4e7241418a0580e130c127562a5934343640bd9863109be1d0cb1fd3d12a38
This record is valid (well-formed).
Attempting to verify the record with the TLS service...
Unable to resolve lists.isc.org.: Unsuccessful DNS lookup or no data returned for rrtype AAAA (28).
Got the following IP: 149.20.1.60
Did set servername lists.isc.org
FAIL (Usage 3 [DANE-EE]): Certificate offered by the server does not match the TLSA record (149.20.1.60)
They should probably consider the good advice found here:
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
and combine that with Viktor's recommendations given here:
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
Bjørn
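The mismatch above is what a `3 0 1` record (full-certificate SHA-256) produces as soon as the certificate is reissued. The following is an added example, not code from the message or from the `tlsa` tool: it computes TLSA association data per RFC 6698 for selector 0 (full cert) and selector 1 (SubjectPublicKeyInfo) so an operator can check a served certificate against a published record before and after renewal. It assumes a minimal DER walker written here and constructed stand-in certificates (`fake_cert`) that only mimic the X.509 field order; with a real DER certificate the same functions apply unchanged.

```python
import hashlib

def der_len(n):
    """DER definite-length encoding (assumption: no indefinite lengths)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, off):
    """Return (tag, body_start, body_end) of the TLV element at offset off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def extract_spki(cert_der):
    """Walk Certificate -> tbsCertificate and return the SubjectPublicKeyInfo TLV."""
    _, s, _ = read_tlv(cert_der, 0)            # Certificate SEQUENCE
    _, off, _ = read_tlv(cert_der, s)          # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, off)
    if tag == 0xA0:                            # optional [0] EXPLICIT version
        off = end
    for _ in range(5):                         # serial, signature, issuer, validity, subject
        _, _, off = read_tlv(cert_der, off)
    tag, _, end = read_tlv(cert_der, off)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    return cert_der[off:end]

def tlsa_assoc_data(cert_der, selector, mtype):
    """RFC 6698: selector 0 = full cert, 1 = SPKI; mtype 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    hasher = {0: None, 1: hashlib.sha256, 2: hashlib.sha512}[mtype]
    return data if hasher is None else hasher(data).digest()

def tlsa_matches(cert_der, selector, mtype, record_hex):
    """True if the served certificate satisfies a 3 <selector> <mtype> TLSA record."""
    return tlsa_assoc_data(cert_der, selector, mtype).hex() == record_hex.lower()

def fake_cert(serial, spki_tlv):
    """Constructed stand-in with the real field order; not a valid X.509 certificate."""
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial)
    tbs += tlv(0x30, b"") * 4 + spki_tlv      # signature, issuer, validity, subject, SPKI
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

Renewing with the same key pair changes the selector 0 digest but leaves the selector 1 digest unchanged, which is why the linked advice prefers `3 1 1` with key reuse over `3 0 1`.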