It's been requested that we add a TLSA record on getfedora.org. This would allow browsers to use DNSSEC to check that the getfedora.org SSL cert was the correct and valid one.
it does have a tlsa record:
$ dig _443._tcp.getfedora.org tlsa
; <<>> DiG 9.16.1-Ubuntu <<>> _443._tcp.getfedora.org tlsa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4101
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;_443._tcp.getfedora.org. IN TLSA
;; ANSWER SECTION:
_443._tcp.getfedora.org. 299 IN TLSA 0 0 1 19400BE5B7A31FB733917700789D2F0A2471C0C9D506C0E504C06C16 D7CB17C0
;; Query time: 363 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Apr 26 21:55:05 +0430 2021
;; MSG SIZE rcvd: 99
but the hash doesn't match with any certificate in the verified chain
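The check described in the comment above, as an added example that is not part of the original ticket: it parses the TLSA record as dig printed it and reports which certificates in a chain it matches. The function names are hypothetical, the chain is constructed placeholder bytes rather than real DER certificates, only selector 0 is handled, and usages 0 and 2 are compared against every chain position as a simplification.

```python
import hashlib
from typing import List, NamedTuple

class TLSA(NamedTuple):
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA presentation format; dig may split the hex into groups."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("expected: usage selector matching-type hex-data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    return TLSA(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))

def association_data(cert_der: bytes, rec: TLSA) -> bytes:
    """Compute what the record's data field must equal for this certificate."""
    if rec.selector != 0:
        # Selector 1 hashes only the SubjectPublicKeyInfo, which needs an X.509 parser.
        raise NotImplementedError("only selector 0 (full certificate) is handled")
    if rec.mtype == 0:
        return cert_der
    if rec.mtype == 1:
        return hashlib.sha256(cert_der).digest()
    if rec.mtype == 2:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {rec.mtype}")

def matching_positions(rec: TLSA, chain_der: List[bytes]) -> List[int]:
    """Return chain indexes (0 = leaf) whose association data equals the record."""
    # Usages 1 and 3 pin the end-entity certificate. Usages 0 and 2 pin a CA or
    # trust anchor; this example checks every chain position (a simplification).
    scope = chain_der[:1] if rec.usage in (1, 3) else chain_der
    return [i for i, der in enumerate(scope) if association_data(der, rec) == rec.data]

# Record exactly as dig printed it in the ticket, including the split hex.
TICKET_RDATA = ("0 0 1 19400BE5B7A31FB733917700789D2F0A2471C0C9D506C0E504C06C16"
                " D7CB17C0")
# Constructed placeholder bytes standing in for DER certificates (leaf first).
CHAIN = [b"constructed-leaf", b"constructed-intermediate", b"constructed-root"]

if __name__ == "__main__":
    rec = parse_tlsa(TICKET_RDATA)
    hits = matching_positions(rec, CHAIN)
    print("match at chain index", hits if hits else "none: record and chain disagree")
```

An empty result is the condition reported here: the record resolves, but no certificate in the chain produces its association data.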
Metadata Update from @mohanboddu: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: medium-gain, medium-trouble, ops
ok, fixed. Can you confirm? If you still see any issues, feel free to re-open...
Metadata Update from @kevin: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
all good!
thanks a lot