cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
- From: Domain Master CAcert Inc <dns-admin AT cacert.org>
- To: cacert-sysadm AT lists.cacert.org, cacert-board AT lists.cacert.org
- Subject: Re: Fingerprints in DNS
- Date: Mon, 9 Sep 2019 10:07:13 +0200
- Organization: CAcert Inc
Hi Gero,
On 8/31/19 3:29 PM, Gero Treuner wrote:
> Hi DNS-Admin(s),
>
> I stumbled over another place for fingerprints of the root certificates
> in DNS - mentioned in the wiki
> https://wiki.cacert.org/HowToDocuments/FingerprintsViaDNSSEC
>
> This apparently also needs refreshing to the new SHA256 hashed root.
> Sample:
> host -t TXT _sha256.root.g1._fp.cacert.org.
> _sha256.root.g1._fp.cacert.org descriptive text "FF2A65CFF1149C7430101E0F65A07EC19183A3B633EF4A6510890DAD18316B3A"
>
> Does anyone have a minute for an update?

This is not something to be fixed in the CAcert DNS (it was fixed there
months ago), but something to be fixed in this wiki page. The description
for manually checking the root fingerprints is incorrect, as it uses the
hard-coded name "root". Instead it should obtain this name by querying
the DNS for _certs.g1._fp.cacert.org.:

$ host -t TXT _certs.g1._fp.cacert.org.
_certs.g1._fp.cacert.org descriptive text "root_X0F class3_X0E"

The shell script attached to that wiki page does it correctly,
and produces correct results (based on the re-signed roots).

Regards,
dns-admin AT cacert.org
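
The lookup order described in the message above, as an added example that is not part of the original message and is not the script attached to the wiki page. It assumes each fingerprint record is named _sha256.<name>.g1._fp.cacert.org., with <name> taken from the _certs answer; the function names and the root.crt file name are hypothetical.

```sh
#!/bin/sh
# Added example; not the script attached to the CAcert wiki page.
# Assumption: each fingerprint record is _sha256.<name>.g1._fp.cacert.org.,
# with <name> taken from the _certs list instead of the hard-coded "root".
FP_ZONE="g1._fp.cacert.org."

# Print the quoted TXT payload of each `host -t TXT` output line on stdin.
txt_payload() {
    sed -n 's/^[^"]*"\([^"]*\)".*$/\1/p'
}

# Read the _certs answer on stdin; print one fingerprint record name per entry.
fp_record_names() {
    txt_payload | tr ' ' '\n' | while read -r name; do
        # DNS data is untrusted input: keep only plain label characters.
        case "$name" in ''|*[!A-Za-z0-9_-]*) continue ;; esac
        printf '_sha256.%s.%s\n' "$name" "$FP_ZONE"
    done
}

# Reduce "sha256 Fingerprint=FF:2A:..." or a bare hex string to upper-case hex.
normalise_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# $1: one `host -t TXT` answer line, $2: fingerprint computed locally,
# e.g. by `openssl x509 -noout -fingerprint -sha256 -in root.crt`.
fp_matches() {
    dns_fp=$(printf '%s\n' "$1" | txt_payload)
    [ -n "$dns_fp" ] && [ "$(normalise_fp "$dns_fp")" = "$(normalise_fp "$2")" ]
}

# Live lookup; needs network access, so it is defined here but not called.
lookup_fingerprints() {
    host -t TXT "_certs.$FP_ZONE" | fp_record_names | while read -r rec; do
        host -t TXT "$rec"
    done
}

# Offline demo on the answer line quoted in the message above.
printf '%s\n' '_certs.g1._fp.cacert.org descriptive text "root_X0F class3_X0E"' |
    fp_record_names
```

A match from fp_matches is only as trustworthy as the DNS answer it was given, so the TXT records should come from a DNSSEC-validating resolver.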