Saturday, February 1, 2014

DNSSEC/DANE/TLSA Browser Add-ons

The folks at CZ.NIC (the operators of the Czech Republic's country-code top level domain: .cz) have created a set of web browser add-ons to perform DNSSEC/DANE/TLSA validation. You can read about them and download them from their website:

I installed the Firefox web browser plugin and did some quick tests of them on my own website. The plugin installs two new icons on the right side of the browser's location (URL) bar. The first with a key on it shows information about whether the domain name for the website has a valid DNSSEC signature associated with it. The second icon with a lock on it shows information about whether the TLS certificate of the website can be authenticated with a DANE TLSA record. Here are screenshots with my own website ( ).

In this first screenshot (below), I clicked on the key icon, and it reports that the ''  domain name has a valid DNSSEC signature.

In the next screenshot (below), I clicked on the lock icon, and it reports that the certificate for has been successfully authenticated by means of a signed TLSA record.

In this case, since this is an HTTPS connection at the standard port (TCP port 443), the plugin looked for the TLSA record at the domain name ""

    $ dig TLSA +noall +answer
   [...] 7200 IN TLSA 3 0 1 (
                    25B267A1D92F0410890B ) 7200 IN RRSIG TLSA 8 5 7200 (
                    20140217205026 20140118205010 14703
                    rK3w8r6tdNF4gXqIM3sQlz9gPY/WOu0zxjezaIk= )
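As an added example (not the add-on's code or the author's web tool), the following Python builds the TLSA rdata for a certificate in the form shown above (usage 3, selector 0, matching type 1) and checks a presented certificate against a TLSA RRset, as a DANE client does after the RRset has been DNSSEC-validated; the hostname and certificate bytes are constructed placeholders.

```python
import hashlib

# RFC 6698 TLSA record fields: certificate usage, selector, matching type,
# certificate association data. The record above is "3 0 1 <hex>":
# usage 3 (DANE-EE: trust this end-entity certificate directly), selector 0
# (match the full certificate), matching type 1 (SHA-256 of the DER bytes).

def tlsa_owner_name(host, port=443, proto="tcp"):
    """Owner name a DANE client queries: _<port>._<proto>.<host>."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

def tlsa_assoc_data(cert_der, matching_type):
    """Certificate association data (lowercase hex) for selector 0."""
    if matching_type == 0:   # full DER, no hashing
        return cert_der.hex()
    if matching_type == 1:   # SHA-256
        return hashlib.sha256(cert_der).hexdigest()
    if matching_type == 2:   # SHA-512
        return hashlib.sha512(cert_der).hexdigest()
    raise ValueError(f"unknown matching type {matching_type}")

def make_tlsa_rdata(cert_der, usage=3, matching_type=1):
    """Presentation-format rdata to publish (selector 0 only; selector 1,
    SubjectPublicKeyInfo, would need ASN.1 parsing of the certificate)."""
    return f"{usage} 0 {matching_type} {tlsa_assoc_data(cert_der, matching_type)}"

def dane_ee_matches(cert_der, tlsa_rrset):
    """True if the leaf certificate the server presented matches any
    usage-3 / selector-0 record. Only pass an RRset that was DNSSEC-validated:
    an unsigned TLSA answer proves nothing about the certificate."""
    for rdata in tlsa_rrset:
        usage, selector, mtype, data = rdata.split(None, 3)
        if usage != "3" or selector != "0":
            continue          # PKIX usages (0/1) need chain validation, not done here
        data = "".join(data.split()).lower()   # dig wraps long hex across lines
        if tlsa_assoc_data(cert_der, int(mtype)) == data:
            return True
    return False

# Constructed placeholder bytes standing in for a real DER certificate.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-sample-not-a-real-certificate"

if __name__ == "__main__":
    print(tlsa_owner_name("www.example.com"))             # _443._tcp.www.example.com.
    record = make_tlsa_rdata(SAMPLE_CERT_DER)
    print(record)                                         # 3 0 1 <64 hex chars>
    print(dane_ee_matches(SAMPLE_CERT_DER, [record]))        # True
    print(dane_ee_matches(SAMPLE_CERT_DER + b"x", [record])) # False: any byte change breaks the match
```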

Below is another screenshot for In this case, the second icon has a cross marked on it, meaning that no TLSA record was found for this site. Apparently, the IETF is not yet eating its own dogfood. Although see this short slide deck from IETF'87 - there appears to be a proposal to do so.

There are a few configuration options that can be set for the add-on. Here is a view of the settings window:

The plug-in appears to do its own DNS resolution (and validation) by default. But you can also choose to use the DNS resolvers configured for your system, or a custom resolver such as the Google public resolver (

If you need help creating a TLSA record for your website, I have a web based tool available here:

One thing I should mention, in case you're looking at the configuration of my website: does not today have a secure delegation (i.e. a DS record) published in its parent zone. This is because the registrar I use, Network Solutions, still cannot process requests to install DS records. I did a quick check on their website (again) to see if anything's changed. Doesn't appear so:

Instead, I've had a DLV record published in the ISC DLV Registry. But there are several big resolver services, like Google DNS and Comcast, that do not perform lookaside validation, so it's probably time to switch registrars. If anyone has suggestions for competent DNSSEC-enabled registrars (with registrar-lock support), I'd be happy to receive them. I hope to make the switch soon.

Dan York from ISOC also has an article on these add-ons here. (I started writing this before seeing his!)

--Shumon Huque

Addendum (May 2014): my domain now has a secure delegation from .COM.