Verisign Labs DANE Demonstration

This page and the following links let you demonstrate and test the DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) protocol. DANE provides a way to authenticate TLS (X.509) certificates using DNSSEC.

In order to make use of this demo, you should install the "DNSSEC/TLSA Validator" Firefox plugin. The best version is currently found at https://www.dnssec-validator.cz/. It works with all popular browsers.

You can test your browser's DANE support with the following links. Note that these are self-signed X.509 certificates. Your browser should pop up a window explaining that the certificate could not be validated.

good.dane.verisignlabs.com
There is a valid, signed TLSA record for the certificate of this server.
bad-hash.dane.verisignlabs.com
The TLSA record for this server has an incorrect hash value, although it is correctly signed with DNSSEC.
bad-params.dane.verisignlabs.com
The TLSA record for this server has a correct hash value, incorrect TLSA parameters, and is correctly signed with DNSSEC. NOTE: The current Firefox plugin accepts these TLSA records as valid.
bad-sig.dane.verisignlabs.com
The TLSA record for this server is correct, but the DNSSEC chain-of-trust is broken and/or has a bad signature. NOTE: If you have validation enabled you won't be able to look up the hostname anyway.
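
The four outcomes above, expressed as a strict client-side TLSA check. This is an added example, not code from Verisign Labs or the validator plugin. The certificate bytes, the sample records and the result names are constructed; the parameter ranges are those defined in RFC 6698, and the undefined selector in the bad-params record is an assumption about what "incorrect parameters" can look like.

```python
import hashlib
import hmac

USAGES = {0, 1, 2, 3}            # PKIX-TA, PKIX-EE, DANE-TA, DANE-EE (RFC 6698)
SELECTORS = {0, 1}               # 0 = full certificate, 1 = SubjectPublicKeyInfo
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}   # matching type 0 = exact bytes


def check_tlsa(record, cert_der, spki_der, dnssec_state):
    """Return 'match', 'mismatch', 'unusable', 'no-dane' or 'abort'.

    record is (usage, selector, matching_type, association_data_bytes).
    dnssec_state is the resolver's verdict: 'secure', 'insecure' or 'bogus'.
    """
    if dnssec_state == "bogus":
        return "abort"           # broken chain of trust: do not start TLS
    if dnssec_state != "secure":
        return "no-dane"         # unsigned answer: TLSA data must be ignored
    usage, selector, mtype, data = record
    if usage not in USAGES or selector not in SELECTORS:
        return "unusable"        # undefined parameters: reject, never guess
    if mtype != 0 and mtype not in DIGESTS:
        return "unusable"
    if mtype in DIGESTS and len(data) != DIGESTS[mtype]().digest_size:
        return "unusable"        # digest length must fit the matching type
    selected = cert_der if selector == 0 else spki_der
    expected = selected if mtype == 0 else DIGESTS[mtype](selected).digest()
    return "match" if hmac.compare_digest(expected, data) else "mismatch"


# Constructed stand-ins for a server's DER certificate and its public key.
CERT = b"constructed-der-certificate"
SPKI = b"constructed-subject-public-key-info"
GOOD = (3, 0, 1, hashlib.sha256(CERT).digest())
BAD_HASH = (3, 0, 1, hashlib.sha256(b"some other certificate").digest())
BAD_PARAMS = (3, 7, 1, hashlib.sha256(CERT).digest())   # selector 7 is undefined

if __name__ == "__main__":
    for name, rec, state in [("good", GOOD, "secure"),
                             ("bad-hash", BAD_HASH, "secure"),
                             ("bad-params", BAD_PARAMS, "secure"),
                             ("bad-sig", GOOD, "bogus")]:
        print(name, "->", check_tlsa(rec, CERT, SPKI, state))
```

A validator that skips the parameter checks would report "match" for the bad-params record, because its hash is correct.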

References