[Open Crypto Project] #30: https://cryptech.is/ throws error with NIST DANE tested

Open Crypto Project trac at cryptech.is
Thu May 14 00:07:15 UTC 2015


#30: https://cryptech.is/ throws error with NIST DANE tested
-----------------------+-----------------
  Reporter:  randy     |      Owner:  sra
      Type:  defect    |     Status:  new
  Priority:  minor     |  Milestone:
 Component:  sysadmin  |    Version:
Resolution:            |   Keywords:
Blocked By:            |   Blocking:
-----------------------+-----------------

Comment (by sra):

 >  it's scott rose's tool, so i asked him to take a look at the ticket.

 OK.

 >  fwiw, https://psg.com/ and https://archive.psg.com/ pass the tool.

 Ack.

 >  note that it had both
 >  {{{
 >  _443._tcp               TLSA    3 1 1 542E161A92C896C88FF5EE6E8F763536ACCA3E52266D35897FDE56104BE6A526
 >  *._tcp                  CNAME   ca.hactrn.net.
 >  }}}
 >  which i admit to not understanding.  commented out the second and
 >  waiting for it to propagate before retesting.

 Probably a holdover from when bikeshed was the one and only server.
 Very much doubt it has anything to do with NIST's issue as there's
 already an explicit entry for port 443.

 You might want to check that commenting out the wildcard didn't break
 DANE for SMTP; if there wasn't an explicit _25._tcp.cryptech.is CNAME
 pointing to ca.hactrn.net, it did, so you either need to put the
 wildcard back or change the "*" to "_25".

--
Ticket URL: <https://trac.cryptech.is/ticket/30#comment:4>
Open Crypto Project <https://wiki.cryptech.is/>
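
Added example, not part of the original ticket or of the project's own tooling: a minimal Python model of RFC 4592 wildcard matching over the zone fragment quoted above. It shows why the explicit `_443._tcp` entry is unaffected by the wildcard, and why `_25._tcp` stops resolving once the wildcard is commented out. Owner names are relative to cryptech.is, the TLSA digest is replaced by a placeholder, and the function names are hypothetical.

```python
# Constructed model of the zone fragment quoted in the ticket.
# Owner names are relative to cryptech.is; "<digest>" is a placeholder.
# Only the wildcard rules needed here are modelled (no "*" at the apex).

def make_zone(with_wildcard):
    """Build the fragment with or without the '*._tcp' CNAME."""
    zone = {"_443._tcp": ("TLSA", "3 1 1 <digest>")}
    if with_wildcard:
        zone["*._tcp"] = ("CNAME", "ca.hactrn.net.")
    return zone

def exists(zone, name):
    """True if name owns a record or is an empty non-terminal above one."""
    return any(owner == name or owner.endswith("." + name) for owner in zone)

def lookup(zone, qname):
    """Return (status, rtype, rdata) for qname."""
    if qname in zone:
        # An explicit owner name always wins over a wildcard.
        return ("EXACT",) + zone[qname]
    if exists(zone, qname):
        # Empty non-terminal: the name exists, so no wildcard synthesis.
        return ("NODATA", None, None)
    labels = qname.split(".")
    # Walk up to the closest encloser (longest existing ancestor).
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if exists(zone, encloser):
            wild = "*." + encloser
            if wild in zone:
                return ("WILDCARD",) + zone[wild]
            break
    return ("NXDOMAIN", None, None)

if __name__ == "__main__":
    for with_wildcard in (True, False):
        zone = make_zone(with_wildcard)
        for qname in ("_443._tcp", "_25._tcp"):
            print(with_wildcard, qname, lookup(zone, qname))
```
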


