bjorn at mork.no
Wed Apr 11 20:15:12 UTC 2018
/dev/rob0 <rob0 at gmx.co.uk> writes:
> If this doesn't arrive on the list right away it might mean that
> ISC's TLSA records were not updated yet for the new certificates. :)
Does not look like it to me:
bjorn at canardo:~$ tlsa -dv lists.isc.org
Received the following record for name _443._tcp.lists.isc.org.:
Usage: 3 (End-Entity [DANE-EE])
Selector: 0 (Certificate [Cert])
Matching Type: 1 (SHA-256)
Certificate for Association: 9c4e7241418a0580e130c127562a5934343640bd9863109be1d0cb1fd3d12a38
This record is valid (well-formed).
Attempting to verify the record with the TLS service...
Unable to resolve lists.isc.org.: Unsuccessful DNS lookup or no data returned for rrtype AAAA (28).
Got the following IP: 22.214.171.124
Did set servername lists.isc.org
FAIL (Usage 3 [DANE-EE]): Certificate offered by the server does not match the TLSA record (126.96.36.199)
They should probably consider the good advice found here:
and combine that with Viktor's recommendations given here:
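
The comparison behind the FAIL line in the output above, as an added example that is not part of the original post and is not the tlsa tool's code: it checks TLSA records against the end-entity certificate only (as for usage 3) and does no DNSSEC validation or TLS fetch. The function names are hypothetical and `SAMPLE_CERT` is a constructed byte string with a certificate's DER layout, not a real certificate.

```python
import hashlib

# Added illustration; all names here are hypothetical, not from the tlsa tool.
HASHES = {1: hashlib.sha256, 2: hashlib.sha512}  # RFC 6698 matching types

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_of(cert_der):
    """Slice the SubjectPublicKeyInfo (selector 1) out of a DER certificate."""
    _, p, _ = read_tlv(cert_der, 0)   # outer Certificate SEQUENCE
    _, p, _ = read_tlv(cert_der, p)   # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, p)
    if tag == 0xA0:                   # optional explicit [0] version
        p = end
    for _ in range(5):                # serial, sigalg, issuer, validity, subject
        _, _, p = read_tlv(cert_der, p)
    _, _, end = read_tlv(cert_der, p)
    return cert_der[p:end]            # whole TLV, header included

def tlsa_matches(rdata, cert_der):
    """Check one TLSA RDATA string ("usage selector mtype hex") against a cert."""
    _usage, selector, mtype, data = rdata.split(None, 3)  # usage not enforced here
    if selector not in ("0", "1"):
        raise ValueError("unknown selector " + selector)
    selected = cert_der if selector == "0" else spki_of(cert_der)
    digest = selected if int(mtype) == 0 else HASHES[int(mtype)](selected).digest()
    return digest == bytes.fromhex("".join(data.split()))

def check_rrset(rrset, cert_der):
    """One matching record in the RRset is enough; return the records that match."""
    return [rr for rr in rrset if tlsa_matches(rr, cert_der)]

def tlv(tag, val):
    return bytes([tag, len(val)]) + val  # short-form lengths only (sample builder)

# Constructed stand-in with a certificate's DER layout; not a real certificate.
SAMPLE_SPKI = tlv(0x30, tlv(0x30, b"\x06\x01\x2a") + tlv(0x03, b"\x00" + b"K" * 8))
SAMPLE_CERT = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
                            + tlv(0x30, b"") * 4 + SAMPLE_SPKI)
                  + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

A record that still carries the previous certificate's digest, such as the `3 0 1` value in the output above, yields an empty result from `check_rrset`, which corresponds to the FAIL the tool reports.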