On Tuesday, 17 May 2016 21:01:14 UTC+1, Mozilla Security wrote:
> On 5/16/16 2:42 AM, Sam Kuper wrote:
> >>>> https://blog.luukhendriks.eu/2015/12/03/lets-encrypt-open-beta-dane.html
>
> That blog points out the mismatch in expectations here. AMO is only
> available over IPv4, and it's the IPv4 address which is signed. If your
> home network ONLY does IPv6 then you need an IPv6-to-IPv4 translation to
> visit an IPv4-only site like AMO. The translation does not match the
> original signature.
Thanks for the hypothesis. You may be correct.
That said, I have tried browsing to https://addons.mozilla.org from two different ISPs, and received the same warning both times.
From the same ISPs, using the same client and browser, https://www.debian.org and https://grepular.com/Understanding_DNSSEC both give green icons, as do many other sites using DNSSEC.
> If you enable IPv4 so you can reach the site directly the error should
> go away. Or don't use or rely on DNSSEC for IPv4-only sites.
It is 2016. DNSSEC and IPv6 are increasingly widely deployed. Clients are not necessarily in control of the intermediate connections' IP versions.
Mozilla should support the use case of clients connecting to AMO via IPv6 and checking DNSSEC validity. A "Bogus DNSSEC" warning is discouraging, after all, and reduces trust that the connection is secure.
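The mismatch described in the reply above (an IPv4-only site reached from an IPv6-only network through NAT64/DNS64) can be checked from the client side: a DNS64 resolver answers the AAAA query with an address that embeds the site's IPv4 address, and that synthesised AAAA is not in the signed zone, so no RRSIG covers it and a validating client reports it bogus. The script below is an added example, not part of this thread and not Mozilla's or AMO's code. It implements the RFC 6052 address embedding for the well-known prefix 64:ff9b::/96 and for network-specific prefixes, and uses it to tell a DNS64-synthesised AAAA apart from a native one. The addresses it handles are RFC 5737 / RFC 3849 documentation addresses, constructed for the example; the "signed A RRset" it is given is likewise constructed input, standing in for what a validating resolver would return.

```python
"""Tell a DNS64-synthesised AAAA record apart from a native one (RFC 6052).

Added example for the thread above; assumes the NAT64 prefix in use is the
well-known 64:ff9b::/96 or a known network-specific prefix.
"""
import ipaddress

# Prefix lengths RFC 6052 allows for an IPv4-embedded IPv6 address.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)

# RFC 6052 well-known prefix, used by DNS64 when nothing else is configured.
WELL_KNOWN_PREFIX = "64:ff9b::/96"


def synthesize_aaaa(prefix, ipv4):
    """Embed an IPv4 address in a NAT64 prefix the way a DNS64 resolver does."""
    net = ipaddress.IPv6Network(prefix)
    plen = net.prefixlen
    if plen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"/{plen} is not a valid RFC 6052 prefix length")
    v4 = int(ipaddress.IPv4Address(ipv4))
    v6 = int(net.network_address)
    if plen == 96:
        v6 |= v4                                   # IPv4 occupies bits 96..127
    else:
        # Bits 64..71 (the "u" octet) must stay zero, so the IPv4 address is
        # split around them: high part ends at bit 63, low part starts at 72.
        high_bits = 64 - plen
        low_bits = 32 - high_bits
        v6 |= (v4 >> low_bits) << 64
        v6 |= (v4 & ((1 << low_bits) - 1)) << (56 - low_bits)
    return ipaddress.IPv6Address(v6)


def embedded_ipv4(aaaa, prefixes=(WELL_KNOWN_PREFIX,)):
    """Return the IPv4 address (as str) embedded in `aaaa`, or None if native."""
    addr = ipaddress.IPv6Address(aaaa)
    v6 = int(addr)
    for prefix in prefixes:
        net = ipaddress.IPv6Network(prefix)
        plen = net.prefixlen
        if addr not in net or plen not in VALID_PREFIX_LENGTHS:
            continue
        if plen == 96:
            return str(ipaddress.IPv4Address(v6 & 0xFFFFFFFF))
        if (v6 >> 56) & 0xFF:                      # u octet must be zero
            continue
        high_bits = 64 - plen
        low_bits = 32 - high_bits
        high = (v6 >> 64) & ((1 << high_bits) - 1)
        low = (v6 >> (56 - low_bits)) & ((1 << low_bits) - 1)
        return str(ipaddress.IPv4Address((high << low_bits) | low))
    return None


def diagnose(aaaa, signed_a_rrset, prefixes=(WELL_KNOWN_PREFIX,)):
    """Classify an AAAA answer that a validating client flagged as bogus.

    `signed_a_rrset` is the set of IPv4 addresses from the zone's signed A
    RRset (constructed input here; in practice taken from a validating
    resolver's answer).  Returns (verdict, embedded_ipv4_or_None).
    """
    v4 = embedded_ipv4(aaaa, prefixes)
    if v4 is None:
        # A real AAAA from the zone: if it is bogus, the zone or the path is.
        return ("native", None)
    if v4 in signed_a_rrset:
        # DNS64 built this AAAA from a signed A record.  No RRSIG in the zone
        # covers the synthesised record, so a validating client cannot verify it.
        return ("dns64-synthesized", v4)
    return ("translated-unknown-origin", v4)


if __name__ == "__main__":
    # Constructed sample: an IPv4-only site whose signed A RRset holds 192.0.2.33.
    signed_a = {"192.0.2.33"}
    for prefix in (WELL_KNOWN_PREFIX, "2001:db8:122:300::/56"):
        aaaa = synthesize_aaaa(prefix, "192.0.2.33")
        print(prefix, "->", aaaa, diagnose(aaaa, signed_a, [prefix]))
    print("2001:db8::1 ->", diagnose("2001:db8::1", signed_a))
```

If `diagnose` reports "dns64-synthesized", the warning is expected behaviour of a validating client behind DNS64 rather than a problem with the zone's signatures: the only records a validator can check are the ones the zone actually signed, and the synthesised AAAA is not among them.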