retrieve TLSA record also if it is not secured by DNSSEC

Elmar Stellnberger estellnb at gmail.com
Thu Feb 13 13:48:11 UTC 2020


For Firefox they intentionally do not fix the flaw that you cannot
configure server certificates which use HSTS:
https://bugzilla.mozilla.org/show_bug.cgi?id=1606802. I suspect them
of being paid by intelligence because otherwise they would not forcefully
implement a bug like this (previous versions of FF were good). I do
not know how the situation is with wget and curl, but the fact that you
cannot set a server certificate by a command line switch at all
points in the same direction. Why are there dozens of switches to
configure certification authorities but not a single switch for a
server certificate then? The way things are now, all of these projects
are not trustworthy altogether.

2020-02-12 20:57 GMT+01:00, Paul Wouters <paul at nohats.ca>:
> On Wed, 12 Feb 2020, Elmar Stellnberger via Unbound-users wrote:
>
>> hash-slinger's "tlsa" command? I have never heard of it. I just have the
>> libunbound library here. I do not even have the unbound-host executable
>> here which you mentioned in my previous mail.
>
> https://github.com/letoams/hash-slinger
>
>> The atea tool I am already offering for download is something like a
>> lightweight curl or wget for https/DANE without html support. It can be
>> used to download files though.
>
> Oh I see. That is different, then. The tlsa command is used to generate
> or verify certificates with their DNSSEC TLSA record entries. It
> supports both websites and mailservers.
>
> A tool that adds curl/wget support for TLSA is cool, although cooler
> would be if curl/wget got native support, of course :) Maybe Viktor
> knows more about curl with openssl/tlsa support?
>
> Paul
>
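The thread is about what a DANE-aware client (atea, or the hash-slinger "tlsa" command Paul mentions) has to do with a TLSA record, and the subject line raises the case where the record comes back without DNSSEC protection. The following is an added example, not code from the thread, from atea, hash-slinger or libunbound. It generates a TLSA record from a certificate (selector 0 = full certificate or 1 = SubjectPublicKeyInfo; matching type 0/1/2 = exact/SHA-256/SHA-512, as in RFC 6698) and matches a presented end-entity certificate against an RRset, refusing to authenticate when the resolver reports the answer as insecure or bogus (the same distinction libunbound exposes in ub_result.secure and ub_result.bogus). The certificate is a constructed, unsigned DER skeleton with an Ed25519 SPKI so that the example runs offline; the hostname and the `dnssec_state` parameter are assumptions for illustration.

```python
"""DANE TLSA (RFC 6698/7671) record generation and end-entity matching.

Added example for this thread; not code from atea, hash-slinger or
libunbound. The certificate below is built here from scratch (unsigned,
no chain) so the example runs offline; 'dnssec_state' stands in for what
a validating resolver reports (libunbound: ub_result.secure / bogus).
"""
import hashlib
from dataclasses import dataclass

SEQ, INT, BITSTR, OID, UTCTIME, CTX0 = 0x30, 0x02, 0x03, 0x06, 0x17, 0xA0


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (definite length, long form when needed)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_body(tlv: bytes) -> bytes:
    """Strip the tag and length header of one TLV, returning its content."""
    hdr = 2 + ((tlv[1] & 0x7F) if tlv[1] & 0x80 else 0)
    return tlv[hdr:]


def der_children(body: bytes) -> list:
    """Split a constructed DER body into (tag, raw_tlv) children."""
    out, pos = [], 0
    while pos < len(body):
        start, tag, n = pos, body[pos], body[pos + 1]
        pos += 2
        if n & 0x80:
            k = n & 0x7F
            n = int.from_bytes(body[pos:pos + k], "big")
            pos += k
        pos += n
        out.append((tag, body[start:pos]))
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate = SEQ { tbsCertificate, signatureAlgorithm, signature };
    tbsCertificate = SEQ { [0] version?, serial, sigalg, issuer, validity,
    subject, subjectPublicKeyInfo, ... } (RFC 5280 section 4.1).
    """
    tbs = der_children(der_body(cert_der))[0][1]
    fields = [tlv for tag, tlv in der_children(der_body(tbs)) if tag != CTX0]
    return fields[5]  # serial, sigalg, issuer, validity, subject, SPKI


def build_test_cert(spki_der: bytes) -> bytes:
    """Constructed input: a minimal unsigned certificate around spki_der."""
    sigalg = der(SEQ, der(OID, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    empty_name = der(SEQ, b"")
    validity = der(SEQ, der(UTCTIME, b"200101000000Z") + der(UTCTIME, b"300101000000Z"))
    tbs = der(SEQ, der(CTX0, der(INT, b"\x02")) + der(INT, b"\x01") + sigalg
              + empty_name + validity + empty_name + spki_der)
    fake_sig = der(BITSTR, b"\x00" * 33)  # placeholder, not a real signature
    return der(SEQ, tbs + sigalg + fake_sig)


# Ed25519 SPKI (OID 1.3.101.112) with a fixed 32-byte placeholder key.
TEST_SPKI = der(SEQ, der(SEQ, der(OID, bytes.fromhex("2b6570")))
                + der(BITSTR, b"\x00" + bytes(range(32))))
TEST_CERT = build_test_cert(TEST_SPKI)


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes

    def presentation(self) -> str:
        return f"{self.usage} {self.selector} {self.mtype} {self.data.hex()}"


def parse_tlsa(text: str) -> TLSA:
    """Parse presentation format, e.g. '3 1 1 <hex>' (hex may be split by spaces)."""
    u, s, m, *hexparts = text.split()
    return TLSA(int(u), int(s), int(m), bytes.fromhex("".join(hexparts)))


def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Certificate association data per RFC 6698 section 2.1.2/2.1.3."""
    if selector == 0:
        subject = cert_der
    elif selector == 1:
        subject = extract_spki(cert_der)
    else:
        raise ValueError(f"unknown selector {selector}")
    if mtype == 0:
        return subject
    if mtype == 1:
        return hashlib.sha256(subject).digest()
    if mtype == 2:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_from_cert(cert_der: bytes, usage=3, selector=1, mtype=1) -> TLSA:
    return TLSA(usage, selector, mtype, association_data(cert_der, selector, mtype))


def dane_ee_verify(cert_der: bytes, records: list, dnssec_state: str) -> tuple:
    """Match the server's end-entity certificate against its TLSA RRset.

    dnssec_state is 'secure', 'insecure' or 'bogus'. RFC 7671 only lets
    DNSSEC-secured TLSA data authenticate a peer: an insecure answer means
    'no usable TLSA', a bogus answer is a hard failure. Usage 1 (PKIX-EE)
    additionally needs PKIX path validation, which is not done here.
    """
    if dnssec_state == "bogus":
        return False, "TLSA lookup bogus: DNSSEC validation failed"
    if dnssec_state != "secure":
        return False, "TLSA not DNSSEC-secured: cannot be used for authentication"
    usable = [r for r in records if r.usage in (1, 3)]  # end-entity usages only
    if not usable:
        return False, "no end-entity TLSA records (usage 1 or 3)"
    for r in usable:
        try:
            if association_data(cert_der, r.selector, r.mtype) == r.data:
                return True, f"matched {r.presentation()}"
        except ValueError:
            continue  # unknown selector/mtype: skip the record, do not fail
    return False, "certificate matches no TLSA record"


if __name__ == "__main__":
    rec = tlsa_from_cert(TEST_CERT)  # assumed name; _443._tcp.example.net.
    print("_443._tcp.example.net. IN TLSA", rec.presentation())
    print(dane_ee_verify(TEST_CERT, [rec], "secure"))
    print(dane_ee_verify(TEST_CERT, [rec], "insecure"))
```

The `insecure` branch is the point behind the subject line: a client may fetch a TLSA record from a zone that is not signed, but a record it cannot validate gives no more assurance than the plain PKIX chain it would otherwise rely on, so the DANE path has to decline rather than accept it.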