
Verisign Labs DANE Demonstration

This page and the following links provide a way for you to demonstrate and test the DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol. DANE provides a way to authenticate TLS (X.509) certificates using DNSSEC.

In order to make use of this demo, you'll need to install the "DNSSEC/TLSA Validator" Firefox plugin. The best version is currently found at http://people.redhat.com/pwouters/. You can save the .xpi file to disk, go to Tools/Add-ons in Firefox, and then click on the wrench/screwdriver icon to install the add-on from the file. NOTE: the plugin uses libunbound, so make sure it is installed as well.

You can test your browser's DANE support with the following links:

good.dane.verisignlabs.com
    There is a valid, signed TLSA record for the certificate of this server.

bad-hash.dane.verisignlabs.com
    The TLSA record for this server has an incorrect hash value, although it is correctly signed with DNSSEC.

bad-params.dane.verisignlabs.com
    The TLSA record for this server has a correct hash value, incorrect TLSA parameters, and is correctly signed with DNSSEC. NOTE: The current Firefox plugin accepts these TLSA records as valid.

bad-sig.dane.verisignlabs.com
    The TLSA record for this server is correct, but the DNSSEC chain-of-trust is broken and/or has a bad signature. NOTE: If you have validation enabled you won't be able to look up the hostname anyway.
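
The four cases above, as an added example (not code from Verisign Labs or from the Firefox plugin): a sketch of the check a validator should apply to a TLSA record, rejecting out-of-range parameters instead of accepting them. The verdict names, the sample records and the stand-in certificate bytes are constructed for illustration; "incorrect parameters" is assumed to mean either field values that RFC 6698 does not define or a selector that does not correspond to the published hash.

```python
import hashlib
import hmac

# Field values defined in RFC 6698; any other value makes the record unusable.
USAGES = {0, 1, 2, 3}
SELECTORS = {0, 1}  # 0 = full certificate, 1 = SubjectPublicKeyInfo
MATCHERS = {0: None, 1: hashlib.sha256, 2: hashlib.sha512}  # 0 = exact bytes

def parse_tlsa(rdata):
    """Parse presentation-format TLSA RDATA: 'usage selector mtype hexdata'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA RDATA needs four fields")
    usage, selector, mtype = (int(p) for p in parts[:3])
    return usage, selector, mtype, bytes.fromhex("".join(parts[3:]))

def check_tlsa(rdata, cert_der, spki_der, dnssec_secure):
    """Return 'match', 'mismatch', 'invalid-params' or 'insecure'.

    Covers only the certificate association comparison; the PKIX path
    validation that usages 0 and 1 also require is not performed here.
    """
    if not dnssec_secure:
        return "insecure"  # unsigned or bogus answers are never trusted
    try:
        usage, selector, mtype, data = parse_tlsa(rdata)
    except ValueError:
        return "invalid-params"
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHERS:
        return "invalid-params"
    selected = cert_der if selector == 0 else spki_der
    hash_fn = MATCHERS[mtype]
    expected = selected if hash_fn is None else hash_fn(selected).digest()
    return "match" if hmac.compare_digest(data, expected) else "mismatch"

# Constructed stand-ins for the server's DER certificate and its SPKI.
CERT_DER = b"constructed-certificate-bytes"
SPKI_DER = b"constructed-spki-bytes"
DIGEST = hashlib.sha256(SPKI_DER).hexdigest()
RECORDS = {  # constructed records: name -> (RDATA, DNSSEC status is secure)
    "good": ("3 1 1 " + DIGEST, True),
    "bad-hash": ("3 1 1 " + "00" * 32, True),
    "bad-params-range": ("9 1 1 " + DIGEST, True),
    "bad-params-selector": ("3 0 1 " + DIGEST, True),
    "bad-sig": ("3 1 1 " + DIGEST, False),
}

def demo():
    return {name: check_tlsa(rdata, CERT_DER, SPKI_DER, secure)
            for name, (rdata, secure) in RECORDS.items()}
```

Only the "good" record yields "match"; a client should treat every other verdict as a failed DANE authentication.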
