Are you experimenting with using the DANE protocol to provide an additional layer of security to your TLS/SSL certificates via DNSSEC? Would you like to easily test that your TLSA record needed for DANE works correctly?
If so, the folks at the US National Institute of Standards and Technology (NIST) now have a new tool for testing TLSA records and DANE support. All you do is go to:
https://www.had-pilot.com/dane/danelaw.html
and in the simplest form just enter in the URL of the site you want to test. Here is an example of what happened when I entered https://www.freebsd.org/ (click image to see larger version):
The site basically tests that you have your TLSA record correctly configured and that it matches the TLS/SSL certificate you are using with your web server.
Now, if you don’t have a site with a TLSA record but want to see how the tool works, the NIST tool helpfully lets you choose from one of the DANE test sites we list here on Deploy360. You can also connect to the NIST “DANE Reference site” to explore different usage types.
In an email message to several public mailing lists, tool author Stephen Nightingale at NIST indicated that his latest version of this tool was now offering the choice of testing from clients based either on TLSlite or GnuTLS. He goes on to note:
Mine was one of the ‘DANE-in-the-App’ sites that Viktor Dukhovni reviewed, and he kindly gave an extensive critique. Many of his points have been addressed. A few things still to clear up:
The differences between TLSlite and GnuTLS clients highlight the fact that there are unresolved interoperability issues among TLS implementations. It seems reasonable that TLS interoperability testing be instituted as pre-requisite to DANE testing. The development of a TLS Interoperability test suite is therefore on our ‘to-do’ list. I look forward to seeing the newly upgraded OpenSSL client with added DANE. It is quite possible that as an interim step before its appearance I will add this DANE-in-the-App implementation to pyOpenSSL and/or Twisted.
Thanks to Stephen and the team at NIST for making this tool public and we hope that it will help those of you working with DANE to test out your implementations.
Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,…
Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map…
It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a…
About The Author
More Stories
Community Snapshot—May
From Refugee to Digital Leader: How Justin Is Helping to Connect Rhino Camp
The World Cup of Internet Resilience