[net-dns-users] SSL cert on www.net-dns.org

Willem Toorop Willem at NLnetLabs.nl
Sun Jan 13 11:56:45 UTC 2013

Hi Doug,

On 13-01-13 04:30, Doug Barton wrote:
> Do y'all have anything to do with that site? It gives all kinds of
> warnings in Firefox, like the use of an insecure signature algorithm,
> and the fact that the cert is for *.nlnetlabs.nl.

It also has *.net-dns.org in the "X509v3 Subject Alternative Name" part
of the certificate.

When you have CAcert.org's root certificate in your CA repository, it
validates. At least Debian and Ubuntu have it in the ca-certificates

Also TLSA records confirming the certificate are present in the
net-dns.org zone (which is itself DNSSEC-signed):

$ ldns-dane verify www.net-dns.org 443 dane-validated successfully
2001:7b8:206:1:b0ef:9:: dane-validated successfully

-- Willem
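
The two checks the reply relies on, as an added example that is not part of the original message and is not ldns code: a wildcard match against the Subject Alternative Name list, and a TLSA association check as defined in RFC 6698. The function names and the sample bytes are assumptions constructed for illustration; real callers would pass the DER encoding of the certificate and of its SubjectPublicKeyInfo.

```python
import hashlib
import hmac

def san_matches(hostname, san_dns_names):
    """True if hostname matches a SAN dNSName. '*' may only be the whole
    left-most label and stands for exactly one label (RFC 6125)."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_dns_names:
        pat = name.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue  # a wildcard never covers more or fewer labels
        if pat[0] == "*":
            if len(pat) > 2 and pat[1:] == host[1:]:
                return True
        elif pat == host:
            return True
    return False

def tlsa_matches(rdata, cert_der, spki_der):
    """Check TLSA RDATA in presentation form ('usage selector mtype hex')
    against a certificate. Usages 0 and 1 additionally require PKIX chain
    validation, which is outside this sketch."""
    fields = rdata.split()
    if len(fields) < 4 or fields[0] not in ("0", "1", "2", "3"):
        raise ValueError("malformed TLSA RDATA")
    selector, mtype = fields[1], fields[2]
    if selector == "0":        # full certificate
        selected = cert_der
    elif selector == "1":      # SubjectPublicKeyInfo only
        selected = spki_der
    else:
        raise ValueError("unknown selector")
    if mtype == "0":           # exact match on the selected bytes
        computed = selected
    elif mtype == "1":
        computed = hashlib.sha256(selected).digest()
    elif mtype == "2":
        computed = hashlib.sha512(selected).digest()
    else:
        raise ValueError("unknown matching type")
    expected = bytes.fromhex("".join(fields[3:]))
    return hmac.compare_digest(computed, expected)

# Constructed stand-ins for DER bytes and a matching record (not real data).
CERT_DER = b"constructed stand-in for certificate DER"
SPKI_DER = b"constructed stand-in for SubjectPublicKeyInfo DER"
SAMPLE_RDATA = "3 1 1 " + hashlib.sha256(SPKI_DER).hexdigest()
```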
