bind-9.9.2-P1 incompatible? #4

Closed
zhovner opened this issue Jan 8, 2013 · 8 comments

Comments

@zhovner

zhovner commented Jan 8, 2013

Hello, it seems that chain.py is incompatible with dnssec-signzone from the bind-9.9.2-P1 package.

Steps that I do:

$ python ./gentlsa.py ./pubkey.pem 
_443._tcp.EXAMPLE.COM. 60 IN TYPE52 \# 35 030101fa2293ce6a9948f474d768a51cf1b86f03fe1a26d1e105dc50d809a2e90c9cc9

Put this string into the unsigned zone file and sign the zone with dnssec-signzone.
dnssec-signzone transforms the TYPE52 string into this:

$ dig -t TLSA _443._tcp.zhovner.com
....
;; ANSWER SECTION:
_443._tcp.zhovner.com.  60      IN      TLSA    3 1 1 FA2293CE6A9948F474D768A51CF1B86F03FE1A26D1E105DC50D809A2 E90C9CC9

Try to make chain:

$ python ./chain.py _443._tcp.zhovner.com chain
No good TLSA records at _443._tcp.zhovner.com.
Traceback (most recent call last):
  File "./chain.py", line 477, in <module>
    main()
  File "./chain.py", line 461, in main
    zones = buildChain(target)
  File "./chain.py", line 240, in buildChain
    assert(False)
AssertionError

My dig version is also 9.9.2-P1.

You can explore it:

dig -t TLSA @ns.zhovner.com _443._tcp.zhovner.com
@danyork

danyork commented Jan 8, 2013

I can confirm that chain.py doesn't seem to recognize when a TLSA record is in a zone. I tried with several of the sites known to have valid TLSA records that are listed here:

http://www.internetsociety.org/deploy360/resources/dane-test-sites/

For instance, I can see a valid TLSA record if I do:

$ dig +dnssec TLSA _443._tcp.good.dane.verisignlabs.com

However, when I try to run chain.py I get the same messages reported here:

$ python chain.py _443._tcp.good.dane.verisignlabs.com vschain
No good TLSA records at _443._tcp.good.dane.verisignlabs.com.
Traceback (most recent call last):
  File "chain.py", line 477, in <module>
    main()
  File "chain.py", line 461, in main
    zones = buildChain(target)
  File "chain.py", line 240, in buildChain
    assert(False)
AssertionError

Separately I raised issue #5 to document the fact that the example for chain.py shown in README.md doesn't work correctly on my system.

@zhovner
Author

zhovner commented Jan 8, 2013

I also get this:

Screenshot 2013-01-08 at 16 54 13

but https://dnssec.imperialviolet.org shows a valid certificate in the latest Chrome.

@agl
Owner

agl commented Jan 8, 2013

You're correct that BIND's recent support for the TLSA presentation format breaks chain.py.

Chrome support for this feature has actually been removed due to lack of interest. I'll update chain.py if you have a need but this code is mostly for historical interest. I'll update the README in just a second to reflect this. Sorry for not doing that previously but I didn't think anyone ever looked at this!

(https://dnssec.imperialviolet.org may continue to work due to CAA record support still existing in some older versions of Chrome, but I think that's gone in the next stable release.)
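The incompatibility is purely a presentation-format one: gentlsa.py emits the RFC 3597 generic `TYPE52 \# 35 <hex>` form, while BIND 9.9.2-P1 understands TLSA and writes the RFC 6698 form `TLSA 3 1 1 <hex>` (with dig wrapping the hex across whitespace). The parser below, added here as an illustration and not code from chain.py or the project, accepts both forms and normalises them to the same (usage, selector, matching type, data) tuple; the two sample records are the ones from the thread with the owner names replaced by example.com.

```python
from dataclasses import dataclass

# Sample records taken from the thread above (owner names replaced with
# example.com): the RFC 3597 generic form that gentlsa.py prints and the
# RFC 6698 presentation form that BIND 9.9.2-P1's dnssec-signzone and dig emit.
GENERIC_RR = ("_443._tcp.example.com. 60 IN TYPE52 \\# 35 "
              "030101fa2293ce6a9948f474d768a51cf1b86f03fe1a26d1e105dc50d809a2e90c9cc9")
PRESENTATION_RR = ("_443._tcp.example.com. 60 IN TLSA 3 1 1 "
                   "FA2293CE6A9948F474D768A51CF1B86F03FE1A26D1E105DC50D809A2 E90C9CC9")

@dataclass(frozen=True)
class TLSA:
    usage: int          # certificate usage (3 = domain-issued certificate)
    selector: int       # 1 = SubjectPublicKeyInfo
    matching_type: int  # 1 = SHA-256, 2 = SHA-512
    cert_data: bytes

def parse_tlsa(rr_line: str) -> TLSA:
    """Parse one TLSA RR given in either the TYPE52 generic or the TLSA presentation form."""
    fields = rr_line.split()
    for i, tok in enumerate(fields):
        if tok.upper() in ("TYPE52", "TLSA"):
            rtype, rdata = tok.upper(), fields[i + 1:]
            break
    else:
        raise ValueError("not a TLSA record: %r" % rr_line)

    if rtype == "TYPE52":
        # RFC 3597: "\# <length> <hex...>"; the hex may be split over several tokens.
        if len(rdata) < 2 or rdata[0] != "\\#":
            raise ValueError("malformed generic RDATA")
        raw = bytes.fromhex("".join(rdata[2:]))
        if len(raw) != int(rdata[1]) or len(raw) < 3:
            raise ValueError("generic RDATA length mismatch")
        usage, selector, mtype, cert = raw[0], raw[1], raw[2], raw[3:]
    else:
        # RFC 6698 presentation: "<usage> <selector> <matching type> <hex>",
        # where dig wraps long hex with whitespace, as in the output above.
        if len(rdata) < 4:
            raise ValueError("malformed TLSA presentation RDATA")
        usage, selector, mtype = (int(x) for x in rdata[:3])
        cert = bytes.fromhex("".join(rdata[3:]))

    # Digest matching types have fixed lengths; reject anything else as corrupt.
    expected = {1: 32, 2: 64}.get(mtype)
    if expected is not None and len(cert) != expected:
        raise ValueError("digest length %d wrong for matching type %d" % (len(cert), mtype))
    return TLSA(usage, selector, mtype, bytes(cert))
```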

agl pushed a commit that referenced this issue Jan 8, 2013
@zhovner
Author

zhovner commented Jan 8, 2013

If I understand correctly, Chrome support of DANE certificates will be removed after the RFC is published and all the work is done?
I don't get the logic.

@agl
Owner

agl commented Jan 8, 2013

The CAA support existed for quite some time with essentially no use I'm afraid. It was also a large amount of code in a security critical area of the code and I'm afraid that the cost/benefit wasn't positive. That's not to say that it couldn't come back in the future, but the idea seemed to be before its time at the moment.

@agl agl closed this as completed Jan 8, 2013
@danyork

danyork commented Jan 8, 2013

Dang... sorry to hear that the CAA support is being removed from Chrome... particularly when we're at a point where many of us are looking for full DANE support within Chrome and all the other browsers.

I think you are correct that the idea was before its time. Right now we're starting to get the tools out there for people to publish TLSA records and are encouraging them to do so... so now we could use a browser that performed TLSA/DANE validation to be able to show people how it works.

@zhovner
Author

zhovner commented Jan 10, 2013

It is evident that DANE will kill the SSL certification business. The development suspension may result from pressure coming from CAs.

@frillip

frillip commented May 29, 2013

Still broken in BIND 9.9.3-ESV (released today).
