[Open Crypto Project] #30: https://cryptech.is/ throws error with NIST DANE tested
Open Crypto Project
trac at cryptech.is
Thu May 14 00:07:15 UTC 2015
#30: https://cryptech.is/ throws error with NIST DANE tested
-----------------------+-----------------
Reporter: randy | Owner: sra
Type: defect | Status: new
Priority: minor | Milestone:
Component: sysadmin | Version:
Resolution: | Keywords:
Blocked By: | Blocking:
-----------------------+-----------------
Comment (by sra):
> it's scott rose's tool, so i asked him to take a look at the ticket.
OK.
> fwiw, https://psg.com/ and https://archive.psg.com/ pass the tool.
Ack.
> note that it had both
> {{{
> _443._tcp TLSA 3 1 1 542E161A92C896C88FF5EE6E8F763536ACCA3E52266D35897FDE56104BE6A526
> *._tcp CNAME ca.hactrn.net.
> }}}
> which i admit to not understanding. commented out the second and
> waiting for it to propagate before retesting.
Probably a holdover from when bikeshed was the one and only server.
Very much doubt it has anything to do with NIST's issue as there's
already an explicit entry for port 443.
You might want to check that commenting out the wildcard didn't break
DANE for SMTP; if there wasn't an explicit _25._tcp.cryptech.is CNAME
pointing to ca.hactrn.net, it did, so you either need to put the
wildcard back or change the "*" to "_25".
--
Ticket URL: <https://trac.cryptech.is/ticket/30#comment:4>
Open Crypto Project <https://wiki.cryptech.is/>
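Why the wildcard matters for port 25 but not for port 443, as an added example that is not part of the ticket or the project's own code: a simplified RFC 4592 wildcard lookup over a constructed two-record zone. The origin `cryptech.is.` is assumed from the ticket, the TLSA digest is a placeholder, and all function names are hypothetical.

```python
# Added example: simplified RFC 4592 wildcard lookup, constructed data only.
ORIGIN = "cryptech.is."  # assumed zone origin for the relative names in the ticket

# Constructed zone modelled on the two quoted records; digest is a placeholder.
ZONE_WITH_WILDCARD = {
    "_443._tcp.cryptech.is.": {"TLSA": "3 1 1 <digest-placeholder>"},
    "*._tcp.cryptech.is.": {"CNAME": "ca.hactrn.net."},
}
ZONE_WITHOUT_WILDCARD = {
    name: rrs for name, rrs in ZONE_WITH_WILDCARD.items() if not name.startswith("*.")
}


def ancestors(name):
    """Yield name, then each parent, most specific first, stopping at ORIGIN."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        yield candidate
        if candidate == ORIGIN:
            return


def pick(rrset, qtype):
    """Prefer the queried type, else a CNAME the resolver would then follow."""
    for rtype in (qtype, "CNAME"):
        if rtype in rrset:
            return rtype, rrset[rtype]
    return None, None  # name exists but has no usable data (NODATA)


def lookup(zone, qname, qtype):
    """Return (source, rtype, rdata); source is 'exact', 'wildcard' or 'nxdomain'."""
    # A name exists if it owns records or is an ancestor of one (empty non-terminal).
    exists = {a for owner in zone for a in ancestors(owner)} | {ORIGIN}
    if qname in exists:  # an existing name is never covered by a wildcard
        return ("exact", *pick(zone.get(qname, {}), qtype))
    for parent in list(ancestors(qname))[1:]:
        if parent in exists:  # closest encloser: only its "*" child may match
            wildcard = zone.get("*." + parent)
            if wildcard is None:
                return ("nxdomain", None, None)
            return ("wildcard", *pick(wildcard, qtype))
    return ("nxdomain", None, None)


def tlsa_owner(port):
    """Owner name of the TLSA record for a TCP service at the zone apex."""
    return f"_{port}._tcp.{ORIGIN}"
```
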