Verisign Labs DANE Demonstration
This page and the following links provide a way for you to demonstrate
and test The DNS-Based
Authentication of Named Entities (DANE) Transport Layer Security (TLS)
Protocol. DANE provides a way to authenticate TLS (X.509)
certificates using DNSSEC.
In order to make use of this demo, you'll need to install the "DNSSEC/TLSA Validator"
Firefox plugin. The best version is currently found at http://people.redhat.com/pwouters/.
You can save the .xpi file to disk, go to Tools/Add-ons in Firefox,
and then click on the wrench/screwdriver icon to install the add-on from
the file. NOTE: the plugin uses libunbound, so make sure it is installed as well.
You can test your browser's DANE support with the following links:
- good.dane.verisignlabs.com
  - There is a valid, signed TLSA record for the certificate of
    this server.
- bad-hash.dane.verisignlabs.com
  - The TLSA record for this server has an incorrect hash value,
    although it is correctly signed with DNSSEC.
- bad-params.dane.verisignlabs.com
  - The TLSA record for this server has a correct hash value,
    incorrect TLSA parameters, and is correctly signed with DNSSEC.
    NOTE: The current Firefox plugin accepts these TLSA records
    as valid.
- bad-sig.dane.verisignlabs.com
  - The TLSA record for this server is correct, but the DNSSEC
    chain-of-trust is broken and/or has a bad signature. NOTE: If you have validation
    enabled you won't be able to look up the hostname anyway.
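The four test hosts above correspond to the checks a TLSA validator has to make. The following sketch is an added example, not code from the Firefox plugin or from Verisign Labs; it covers only the comparison of the certificate association data, not certificate chain building. Assumptions: constructed byte strings stand in for the DER certificate and its SubjectPublicKeyInfo, the bad-params case uses an unregistered usage value (the page does not say which parameter is wrong on the demo host), and the dnssec_secure flag stands in for the resolver's validation result.

```python
import hashlib
import hmac

# Field values registered by RFC 6698; anything else makes the record unusable.
USAGES = {0, 1, 2, 3}      # certificate usage
SELECTORS = {0, 1}         # 0 = full certificate, 1 = SubjectPublicKeyInfo
DIGESTS = {0: None, 1: hashlib.sha256, 2: hashlib.sha512}  # matching type

def parse_tlsa(text):
    """Parse presentation format: 'usage selector matching-type hexdata'."""
    usage, selector, mtype, *hexparts = text.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))

def check_tlsa(text, cert_der, spki_der, dnssec_secure):
    """Return 'match', 'hash-mismatch', 'bad-params' or 'dnssec-failed'."""
    if not dnssec_secure:
        # An unvalidated TLSA answer must never be used (the bad-sig case).
        return "dnssec-failed"
    try:
        usage, selector, mtype, data = parse_tlsa(text)
    except ValueError:
        return "bad-params"
    if usage not in USAGES or selector not in SELECTORS or mtype not in DIGESTS:
        return "bad-params"  # reject unknown parameters before comparing data
    selected = cert_der if selector == 0 else spki_der
    digest = DIGESTS[mtype]
    expected = selected if digest is None else digest(selected).digest()
    if digest is not None and len(data) != len(expected):
        return "bad-params"  # digest length does not fit the matching type
    return "match" if hmac.compare_digest(data, expected) else "hash-mismatch"

# Constructed sample input: placeholder bytes, not real DER structures.
CERT_DER = b"constructed-certificate-der"
SPKI_DER = b"constructed-spki-der"
GOOD = "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()
BAD_HASH = "3 1 1 " + "00" * 32
BAD_PARAMS = "7 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()  # usage 7: assumed

if __name__ == "__main__":
    for name, rr in (("good", GOOD), ("bad-hash", BAD_HASH), ("bad-params", BAD_PARAMS)):
        print(name, check_tlsa(rr, CERT_DER, SPKI_DER, True))
    print("bad-sig", check_tlsa(GOOD, CERT_DER, SPKI_DER, False))
```

The parameter check runs before the hash comparison, so a record with a correct hash but unusable parameters is rejected rather than accepted.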
References