DNS-OARC DANE/TLSA Demonstration
This page and the following links provide a way for you to demonstrate
and test the DNS-Based Authentication of Named Entities (DANE)
Transport Layer Security (TLS) Protocol. DANE/TLSA provides a way to
authenticate TLS (X.509) certificates using DNSSEC.
In order to make use of this demo, you should install the "DNSSEC/TLSA Validator"
Firefox plugin. The best version is currently found at https://www.dnssec-validator.cz/.
It works with all popular browsers.
You can test your browser's DANE/TLSA support with the following links. Note that these are
self-signed X.509 certificates. Your browser should pop up a window explaining that the
certificate could not be validated.
- There is a valid, signed TLSA record for the certificate of
- The TLSA record for this server has an incorrect hash value,
although it is correctly signed with DNSSEC.
- The TLSA record for this server has a correct hash value,
incorrect TLSA parameters, and is correctly signed with DNSSEC.
NOTE: The current Firefox plugin accepts these TLSA records
- The TLSA record for this server is correct, but the DNSSEC
chain-of-trust is broken and/or has a bad signature. NOTE: If you have DNSSEC
validation enabled, you won't be able to look up the hostname anyway.
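
The four test cases listed above, expressed as the decision a strict validating client makes for each TLSA record. This is an added example, not code from DNS-OARC or from the validator plugin: the byte strings are constructed stand-ins for a DER certificate and its SubjectPublicKeyInfo, certificate usage 3 is an assumption, and check_tlsa, parse_tlsa and demo are hypothetical names.

```python
import hashlib

# RFC 6698 matching types: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}

def parse_tlsa(rdata):
    """Parse TLSA presentation format: 'usage selector matching-type hex'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))

def check_tlsa(rdata, cert_der, spki_der, dnssec_secure):
    """Return 'insecure', 'unusable', 'mismatch' or 'match' for one record."""
    if not dnssec_secure:
        return "insecure"   # bogus or unsigned answer: the record proves nothing
    try:
        usage, selector, mtype, data = parse_tlsa(rdata)
    except ValueError:
        return "unusable"   # missing fields, non-numeric fields or bad hex
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        return "unusable"   # values outside the ranges RFC 6698 defines
    if mtype in DIGESTS and len(data) != DIGESTS[mtype]().digest_size:
        return "unusable"   # digest length contradicts the matching type
    # Selector 0 covers the full certificate, selector 1 only the SPKI.
    selected = cert_der if selector == 0 else spki_der
    presented = DIGESTS[mtype](selected).digest() if mtype in DIGESTS else selected
    return "match" if presented == data else "mismatch"

# Constructed sample inputs; real callers pass DER bytes from the TLS handshake.
CERT = b"constructed DER certificate bytes"
SPKI = b"constructed SubjectPublicKeyInfo bytes"
SPKI_SHA256 = hashlib.sha256(SPKI).hexdigest()

def demo():
    """Run the page's four test cases against constructed records."""
    cases = {
        "valid record": ("3 1 1 " + SPKI_SHA256, True),
        "incorrect hash": ("3 1 1 " + "00" * 32, True),
        # Correct digest of the SPKI, but selector 0 says "full certificate".
        "incorrect parameters": ("3 0 1 " + SPKI_SHA256, True),
        "broken DNSSEC chain": ("3 1 1 " + SPKI_SHA256, False),
    }
    return {name: check_tlsa(r, CERT, SPKI, ok) for name, (r, ok) in cases.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Only the first case yields "match"; the checker rejects a correct hash published under the wrong selector because it hashes the object the record's parameters select.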