A new version has been released for Firefox.
- DNSSEC Lookaside Validation has been disabled.
- ldns 1.7.0.
- OpenSSL 1.0.2k.
- New js-ctypes-based implementation for Firefox.
- New validator implementation for Chromium/Chrome/Opera based on Native Messaging.
- Added new state notification about entering a non-existent (according to DNSSEC) web site.
- Polish localisation.
- Updated prefixes for DOM nodes in Firefox js-ctypes extension.
- Fixed bug in type 2 TLSA record …
- Ported DNSSEC/TLSA validator to Apple Safari.
- MF: Added new TLSA-validator option. The plug-in can now download the certificate chain by itself. See issue #31.
- Fixed SSL bug. Certificate chain was not checked when SSL connection was rejected by host.
- TLSA add-on bug fix: Certificate chain was …
DNSSEC/TLSA Validator is a web browser add-on which allows you to check the existence and validity of DNS Security Extensions (DNSSEC) records and Transport Layer Security Association (TLSA) records related to domain names. Results of these checks are displayed by using icons and information texts in the page’s address-bar or browser tool-bar. In the past, Internet Explorer (IE), Mozilla Firefox (MF), Google Chrome/Chromium (GC) and Apple Safari (AS) were supported.
The add-on is not supported for Firefox 57 and above. Firefox 57 drops support for various APIs that the add-on has been using, without providing an adequate replacement. As we don't want to sacrifice any of the currently provided functionality, we've decided to stop support and development of the add-on for the moment.
You may also experience problems in other previously supported browsers. This is because over the past years the browsers have been dropping support for old APIs in favour of their more secure (and more restrictive) counterparts. These new APIs don't give us access to all the functions that would be needed to implement the Validator extension in its full functionality.
DNSSEC/TLSA Validator allows you to check the existence and validity of DNSSEC-signed DNS records. DNSSEC Validator shows whether the domain name is DNSSEC-signed. It also checks whether the browser is connecting to the correct IP address assigned for this domain name. If a valid DNSSEC chain related to the domain is found, the plug-in will also check for the existence of TLSA records. TLSA records store hashes of remote server TLS/SSL certificates. The authenticity of a TLS/SSL certificate for a domain name is verified by the DANE protocol (RFC 6698). DNSSEC and TLSA validation results are displayed by using several icons. Additional explanatory texts are shown in the page’s address bar (MF, GC and OP), in a separate tool bar (IE) or toolbar buttons (AS). Clicking on a given icon symbol reveals more detailed information.
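The TLSA-to-certificate matching step described above, as an added example that is not the add-on's own code: it parses TLSA RDATA (usage, selector, matching type, association data, as laid out in RFC 6698) and compares it against a certificate chain. The `Cert` tuple, the function names and the sample bytes are constructed for illustration; DNSSEC validation of the TLSA record and PKIX path validation are assumed to happen elsewhere.

```python
import hashlib
from typing import NamedTuple

DIGESTS = {1: "sha256", 2: "sha512"}   # matching type -> hash (0 = exact bytes)

class TLSA(NamedTuple):
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes

class Cert(NamedTuple):
    der: bytes      # DER-encoded certificate
    spki: bytes     # DER-encoded SubjectPublicKeyInfo taken from it

def parse_tlsa(rdata: bytes) -> TLSA:
    """Parse TLSA RDATA: three one-byte fields, then the association data."""
    if len(rdata) < 4:
        raise ValueError("TLSA RDATA too short")
    rec = TLSA(rdata[0], rdata[1], rdata[2], rdata[3:])
    if rec.usage > 3 or rec.selector > 1 or rec.mtype > 2:
        raise ValueError("unsupported usage, selector or matching type")
    if rec.mtype and len(rec.data) != hashlib.new(DIGESTS[rec.mtype]).digest_size:
        raise ValueError("digest length does not fit the matching type")
    return rec

def cert_matches(rec: TLSA, cert: Cert) -> bool:
    """Apply the selector, then the matching type, and compare with the record."""
    selected = cert.spki if rec.selector else cert.der
    if rec.mtype:
        selected = hashlib.new(DIGESTS[rec.mtype], selected).digest()
    return selected == rec.data

def chain_matches(rec: TLSA, chain: list) -> bool:
    """chain[0] is the server certificate, the rest are its issuers."""
    # Usages 1 and 3 pin the server certificate; 0 and 2 pin a CA or trust
    # anchor, which this example looks for among the issuer certificates.
    candidates = chain[:1] if rec.usage in (1, 3) else chain[1:]
    return any(cert_matches(rec, c) for c in candidates)

# Constructed stand-ins for DER bytes; real input comes from the TLS handshake.
SERVER = Cert(b"constructed-server-cert", b"constructed-server-spki")
ISSUER = Cert(b"constructed-issuer-cert", b"constructed-issuer-spki")
CHAIN = [SERVER, ISSUER]

def rdata(usage: int, selector: int, mtype: int, data: bytes) -> bytes:
    """Build wire-format TLSA RDATA for the sample records."""
    return bytes([usage, selector, mtype]) + data
```

A usage 3 record carrying the issuer's hash does not match, because that usage pins only the server certificate; a malformed record is rejected at parse time instead of being treated as a non-match.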
- DNSSEC Validator checks the existence and validity of DNSSEC-signed DNS records for domain names and it also checks whether the browser is connecting to the correct IP addresses assigned for these domain names.
- TLSA Validator attempts to perform a validation of TLSA/PKI pair according to the DANE protocol.
- TLSA Validator can interrupt an HTTPS request when the server certificate doesn't correspond with the obtained TLSA records (MF only in synchronous mode, AS).
- DNSSEC/TLSA Validator is not dependent on an external validating resolver for its function.
- Both validator cores (DNSSEC and TLSA) are based on libunbound.
- Encompasses a shared DNS cache accessible from all browser windows and tabs to improve performance.
- Coloured icons display the status of DNSSEC/TLSA validation.
- English, German, Czech and Polish localization (AS only English).
- Open source project released under the GNU GPL.
GUI and interface
- Coloured key icons and information texts present DNSSEC validation states.
- Coloured padlock icons and information texts display TLSA validation states.
- Screen-shots are available here.
- Distributed in binary form for Linux, Mac OS X/macOS and MS Windows.
- Supports 32-bit and 64-bit operating systems.
- Can be compiled from sources for other UNIX-like systems (e.g. BSD; although minor modifications might be required).
- IE and GC/OP versions may not work correctly in cooperation with proxies (DNSSEC Validator only).
- Plug-in cores can lose DNSSEC information when packets are fragmented (typically on WiFi).
- Usage of DNSSEC-unaware or non-compliant resolvers or exotic resolver configurations causes validation problems.