and DNSSec


I am using the DNSSec Validator in Firefox to check that I am connected to the right server.
Of course, there are still a lot of domains that are not secured by DNSSec yet. But does NOT belong to them, seems to have a DNSSec entry. But this entry seems not to be valid.

At least the validator shows a symbol that means:
“For an existing domain name this means that this domain name is secured by DNSSEC but an invalid domain name signature has been detected. For a non-existent domain name it means that the parent domain is secured by DNSSEC but the received non-existence response does not contain a valid signature. In both cases this may signalise a domain name spoofing attempt.”

In addition, the plugin warns:
“For an existing domain name this means that the DANE protocol verification of remote server’s certificate for this domain name failed. The certificate does not correspond to the TLSA record which is secured by DNSSEC technology. This can be caused by trying to connect to an untrusted remote server or an invalid server certificate.”

If the DNSSec signatures are not maintained, it would maybe be better to remove them completely. This prevents wrong expectations.

I hope this is the right forum to address this. If not, please excuse me and feel free to move it elsewhere!
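
The DANE check named in the plugin warning above, as an added example that is not part of the original post or the plugin's code: it compares a TLSA record with a certificate as RFC 6698 defines the selector and matching-type fields. The certificate-shaped bytes, key values and record are constructed for the demonstration, and all function names are hypothetical.

```python
import hashlib
import hmac

def der(tag, body=b""):
    """Encode one DER element (short-form length, enough for the sample)."""
    return bytes([tag, len(body)]) + body

def make_cert(pubkey):
    """Constructed, certificate-shaped DER for the demo; not a valid certificate."""
    spki = der(0x30, der(0x30, der(0x06, b"\x2b\x65\x70")) + der(0x03, b"\x00" + pubkey))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30) * 4 + spki)    # sigalg, issuer, validity, subject left empty
    return der(0x30, tbs + der(0x30) + der(0x03, b"\x00")), spki

def tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_der(cert):
    """Extract SubjectPublicKeyInfo (TLSA selector 1) from a DER certificate."""
    _, pos, _ = tlv(cert, 0)             # Certificate
    _, pos, _ = tlv(cert, pos)           # tbsCertificate
    tag, _, end = tlv(cert, pos)
    if tag == 0xA0:                      # optional explicit version
        pos = end
    for field in range(5):               # serial, sigalg, issuer, validity, subject
        _, _, pos = tlv(cert, pos)
    return cert[pos:tlv(cert, pos)[2]]

def tlsa_matches(rdata, cert):
    """Compare a TLSA record (presentation format) with a DER certificate.
    Only the association data is checked; the usage field is not interpreted."""
    usage, selector, mtype, data = rdata.split(None, 3)
    selected = {"0": lambda: cert, "1": lambda: spki_der(cert)}[selector]()
    digest = {"0": lambda b: b, "1": lambda b: hashlib.sha256(b).digest(),
              "2": lambda b: hashlib.sha512(b).digest()}[mtype]
    return hmac.compare_digest(digest(selected), bytes.fromhex("".join(data.split())))

# Constructed sample: the record pins one key, the second certificate carries another.
OLD_CERT, OLD_SPKI = make_cert(bytes(range(32)))
NEW_CERT, NEW_SPKI = make_cert(bytes(range(1, 33)))
RECORD = "3 1 1 " + hashlib.sha256(OLD_SPKI).hexdigest()

if __name__ == "__main__":
    print("pinned cert matches:", tlsa_matches(RECORD, OLD_CERT))
    print("other cert matches: ", tlsa_matches(RECORD, NEW_CERT))
```

A mismatch here is the condition the plugin reports as "The certificate does not correspond to the TLSA record".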


I think you may have the best luck writing to the “dev” mailing list.