test message

Bjørn Mork bjorn at mork.no
Wed Apr 11 20:15:12 UTC 2018

/dev/rob0 <rob0 at gmx.co.uk> writes:

> If this doesn't arrive on the list right away it might mean that 
> ISC's TLSA records were not updated yet for the new certificates. :)

Does not look like it to me:

bjorn at canardo:~$ tlsa -dv lists.isc.org
Received the following record for name _443._tcp.lists.isc.org.:
        Usage:                          3 (End-Entity [DANE-EE])
        Selector:                       0 (Certificate [Cert])
        Matching Type:                  1 (SHA-256)
        Certificate for Association:    9c4e7241418a0580e130c127562a5934343640bd9863109be1d0cb1fd3d12a38
This record is valid (well-formed).
Attempting to verify the record with the TLS service...
Unable to resolve lists.isc.org.: Unsuccessful DNS lookup or no data returned for rrtype AAAA (28).
Got the following IP:
Did set servername lists.isc.org
FAIL (Usage 3 [DANE-EE]): Certificate offered by the server does not match the TLSA record (

They should probably consider the good advice found here:

and combine that with Viktor's recommendations given here:


More information about the dhcp-users mailing list
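
Added example (not part of the original message, and not code from ISC or the tlsa tool): the comparison behind the FAIL line above, written out in Python for DANE-EE records. It goes beyond the 3 0 1 record shown by also handling selector 1 (SubjectPublicKeyInfo). All function names are hypothetical, and `fake_cert` builds a constructed DER skeleton with the X.509 field order, not a real certificate.

```python
import hashlib

def children(buf):
    """Yield (tag, whole TLV, content) for each DER element in buf."""
    i = 0
    while i < len(buf):
        length, hdr = buf[i + 1], 2
        if length & 0x80:                     # long-form length
            k = length & 0x7F
            length, hdr = int.from_bytes(buf[i + 2:i + 2 + k], "big"), 2 + k
        yield buf[i], buf[i:i + hdr + length], buf[i + hdr:i + hdr + length]
        i += hdr + length

def spki_of(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    tbs_body = next(children(next(children(cert_der))[2]))[2]
    fields = [tlv for _, tlv, _ in children(tbs_body)]
    # tbs: [0] version?, serial, sigAlg, issuer, validity, subject, SPKI
    return fields[6 if fields[0][0] == 0xA0 else 5]

def tlsa_data(selector, mtype, cert_der):
    """Association data for selector 0 (Cert) or 1 (SPKI), type 0/1/2."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    if mtype == 0:
        return data.hex()
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).hexdigest()

def dane_ee_matches(rdata, cert_der):
    """Compare 'usage selector mtype hex' (usage 3 assumed) with the leaf cert."""
    _usage, selector, mtype, assoc = rdata.split()
    return tlsa_data(int(selector), int(mtype), cert_der) == assoc.lower()

def der(tag, content):                        # short-form lengths only
    return bytes([tag, len(content)]) + content

def fake_cert(serial, key=b"\x00constructed-key"):
    """Constructed DER skeleton with X.509 field order; not a real cert."""
    empty = der(0x30, b"")
    spki = der(0x30, empty + der(0x03, key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + empty * 4 + spki)
    return der(0x30, tbs + empty + der(0x03, b"\x00"))

def renewal_demo():
    old, new = fake_cert(1), fake_cert(2)     # re-issued, same key
    rec_cert = "3 0 1 " + tlsa_data(0, 1, old)
    rec_spki = "3 1 1 " + tlsa_data(1, 1, old)
    return (dane_ee_matches(rec_cert, old), dane_ee_matches(rec_cert, new),
            dane_ee_matches(rec_spki, new))
```

Against a live server, `cert_der` would be the DER encoding of the leaf certificate the server presents, for instance via `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))`.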