[net-dns-users] SSL cert on www.net-dns.org

Willem Toorop Willem at NLnetLabs.nl
Sun Jan 13 11:56:45 UTC 2013


Hi Doug,

On 13-01-13 04:30, Doug Barton wrote:
> Do y'all have anything to do with that site? It gives all kinds of
> warnings in Firefox, like the use of an insecure signature algorithm,
> and the fact that the cert is for *.nlnetlabs.nl.

It also has *.net-dns.org in the "X509v3 Subject Alternative Name" part
of the certificate.

When you have CAcert.org's root certificate in your CA repository, it
validates. At least Debian and Ubuntu have it in the ca-certificates
package.

Also, TLSA records confirming the certificate are present in the
net-dns.org zone (which is itself DNSSEC signed):

$ ldns-dane verify www.net-dns.org 443
213.154.224.135 dane-validated successfully
2001:7b8:206:1:b0ef:9:: dane-validated successfully

-- Willem
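
Added example, not part of the message above and not ldns code: a sketch of the comparison a DANE check makes between a server certificate and the selector, matching type and association data of a TLSA record (RFC 6698). The function names and the sample "certificate" (a constructed DER skeleton, not the www.net-dns.org certificate) are assumptions; the certificate usage field and DNSSEC validation of the record are not covered.

```python
import hashlib

def der_read(buf, pos):
    """Return (tag, content_start, element_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_of(cert_der):
    """Return the SubjectPublicKeyInfo element, header included (selector 1)."""
    _, pos, _ = der_read(cert_der, 0)      # Certificate ::= SEQUENCE
    _, pos, _ = der_read(cert_der, pos)    # tbsCertificate ::= SEQUENCE
    tag, _, end = der_read(cert_der, pos)
    if tag == 0xA0:                        # optional [0] version field
        pos = end
    for _ in range(5):                     # serial, signature, issuer, validity, subject
        _, _, pos = der_read(cert_der, pos)
    _, _, end = der_read(cert_der, pos)
    return cert_der[pos:end]

def tlsa_matches(cert_der, selector, mtype, assoc_hex):
    """Compare a certificate with the selector/matching-type/data of a TLSA RR."""
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported selector or matching type")
    data = cert_der if selector == 0 else spki_of(cert_der)
    if mtype == 1:
        data = hashlib.sha256(data).digest()
    elif mtype == 2:
        data = hashlib.sha512(data).digest()
    return data == bytes.fromhex(assoc_hex)

# Constructed sample: a certificate-shaped DER skeleton, not a real certificate.
def der(tag, content):
    return bytes([tag, len(content)]) + content   # short-form lengths only

EMPTY = der(0x30, b"")
SAMPLE_SPKI = der(0x30, EMPTY + der(0x03, b"\x00constructed-key"))
SAMPLE_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                 + EMPTY * 4 + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, SAMPLE_TBS + EMPTY + der(0x03, b"\x00"))

if __name__ == "__main__":
    record = hashlib.sha256(SAMPLE_SPKI).hexdigest()   # data for "TLSA x 1 1"
    print(tlsa_matches(SAMPLE_CERT, 1, 1, record))
```

A record pinned to the public key (selector 1) keeps matching when the certificate is reissued with the same key, while one pinned to the full certificate (selector 0) has to be republished on every reissue.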


