JuergenAuer


  1. Now it starts to be crazy.

     Local Firefox 131.0.3: No problem.

     Firefox from the DbServer (the server that is used with check-your-website), 132.0.1: Problem - "Gesicherte Verbindung fehlgeschlagen" (same as older).

     Local Download (old own tool):

         D:\temp>download http://spacedock.info/ -h
         Connection: keep-alive
         Content-Language: en
         Content-Length: 2445
         Cache-Control: no-store
         Content-Type: text/html
         Date: Tue, 05 Nov 2024 14:00:13 GMT
         Location: https://spacedock.info/
         Server: 52K-CDN
         Via: http/1.1 localhost (52K)
         Status: 301 MovedPermanently
         195,99 milliseconds
         0,20 seconds

         D:\temp>download https://spacedock.info/ -h
         Vary: Cookie,Accept-Encoding
         Permissions-Policy: interest-cohort=()
         Age: 0
         Connection: keep-alive
         Content-Length: 26198
         Content-Type: text/html; charset=utf-8
         Date: Tue, 05 Nov 2024 14:00:15 GMT
         Set-Cookie: session=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Secure; HttpOnly; Path=/; SameSite=Lax
         Server: 52K-CDN
         Via: 1.1 spacedock.info, http/1.1 localhost (52K)
         Status: 200 OK
         302,67 milliseconds
         0,30 seconds

     No problem connecting http + https.

     Same from the DbServer (with a small older Download):

         e:\sd-db>download http://spacedock.info/ -h
         Connection: keep-alive
         Content-Language: en
         Content-Length: 2445
         Cache-Control: no-store
         Content-Type: text/html
         Date: Tue, 05 Nov 2024 14:25:53 GMT
         Location: https://spacedock.info/
         Server: 52K-CDN
         Via: http/1.1 localhost (52K)
         Status: 301 MovedPermanently

         e:\sd-db>download https://spacedock.info/ -h
         Error (1): The request was aborted: Could not create SSL/TLS secure channel.
         SecureChannelFailure 3

     The 3 indicates that the server doesn't send a complete answer.

     Same server, with a newer download: No problem!

         e:\sd-db\temp>download http://spacedock.info/ -h
         Date: Tue, 05 Nov 2024 14:27:23 GMT
         Connection: keep-alive
         Via: http/1.1 localhost (52K)
         Server: 52K-CDN
         Cache-Control: no-store
         Location: https://spacedock.info/
         Content-Type: text/html
         Content-Language: en
         Content-Length: 2445
         Status: 301 MovedPermanently
         184.87 milliseconds
         0.18 seconds

         e:\sd-db\temp>download https://spacedock.info/ -h
         Date: Tue, 05 Nov 2024 14:27:25 GMT
         Server: 52K-CDN
         Content-Type: text/html; charset=utf-8
         Content-Length: 26198
         Vary: Cookie,Accept-Encoding
         Set-Cookie: session=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0; Secure; HttpOnly; Path=/; SameSite=Lax
         Via: 1.1 spacedock.info, http/1.1 localhost (52K)
         Permissions-Policy: interest-cohort=()
         Age: 0
         Connection: keep-alive
         Status: 200 OK
         285.21 milliseconds
         0.29 seconds

     That's completely crazy, I have never seen such a difference between two of my own download versions.

     Rechecked your IP address. There is an "Accelerator" on your IP address - https://95.217.59.158/

     Is the SSL connection terminated there? If yes, is it possible to deactivate that tool (temporarily)?

     Manually rechecked with the command inside check-your-website: No problem, no error.

     Normally, if download fails, check-your-website fails too. That would indicate an SSL problem, because the command line tool and the code of check-your-website use the same Windows SSL libraries.
  2. No, exactly not, these are two completely different things.

     Firefox can't validate the certificate or can't talk with the server. But FF has an IP of the domain name to do that step. If DNSSEC were broken, FF would not get an IP address, so no connection would be possible.

         1. Browser gets a domain name
         2. Browser must find at least one IP address
         3. Browser connects to the IP via TCP / not encrypted
         4. Browser upgrades the connection to SSL
         5. If SSL is established, Browser sends the first http GET command to that IP (GET /, Host spacedock.info)

     If DNSSEC is broken, step 2 doesn't work. The FF error message says: 4 is the problem, so 2 is resolved.

     Compare it with the really broken http://dnssec-failed.org/ - http fails.

     That's a (4) problem while upgrading the TCP connection to SSL - "while connecting" is different from "Server failed while finding the IP address".

     > nslookup dnssec-failed.org

     with a validating name server -> Server failed.

     If your internet provider's standard name server doesn't validate DNSSEC, you will never see such a message.

     > nslookup spacedock.info

     Result: Two IP addresses, so the browser goes to step (3).
  3. Hi @All,

     I'm the owner of "check-your-website".

     The DNSSEC configuration is not working - but that's not a problem. If a domain name has this entry

     > 0 DS RR in the parent zone found

     all DNSSEC information in the zone is ignored. That's how DNSSEC is defined.

     But if a domain owner wants to add DNSSEC: First he adds the local DNSKEY RR, then the RRSIG. Then tools may show correct / green results in the zone. See all the green results in the domain check. Last step: Adding the DS in the parent zone.

     --

     If DNSSEC were broken and a user uses a validating name server, the user gets no IP address for that domain name. So the error message is something like "Domain not found".

     See the test domains rhybar.cz or dnssec-failed.org to see a critically broken DNSSEC. The parent zone has a DS, but the zone has no matching DNSKEY. So the validating name server ignores the result.

     --

     Most domains don't use DNSSEC. Such a configuration (no parent DS, but correct local DNSKEY + RRSIG) is sometimes visible.

     Very rare: Broken DNSSEC. Happens sometimes if a user switches the name server. The old NS supports DNSSEC and has created a DS, that DS exists, but the new NS doesn't support DNSSEC or isn't configured, and the (now wrong) DS still exists.

     Hope that helps.
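
The three delegation states described in the post above (no DS in the parent, DS with a matching DNSKEY, DS left behind after a name server switch), as an added Python example that is not part of the original post or of check-your-website. It computes the key tag and SHA-256 DS digest as RFC 4034 defines them; the zone name and key bytes are constructed, and RRSIG verification is left out.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) DNS wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    # DNSKEY RDATA: flags (2 bytes) | protocol (always 3) | algorithm | key
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes):
    """(key tag, algorithm, digest) as the parent zone publishes it in a DS."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], digest)

def classify(owner, parent_ds, zone_dnskeys):
    """State a validating resolver reaches for this delegation."""
    if not parent_ds:
        return "insecure"  # no DS: DNSKEY/RRSIG in the zone are ignored
    derived = {make_ds(owner, k) for k in zone_dnskeys}
    if derived & set(parent_ds):
        return "chain-ok"  # DS matches a DNSKEY; RRSIG checks would follow
    return "bogus"         # DS without matching DNSKEY: SERVFAIL, no IP

# Constructed sample data (assumption): hypothetical zone and key material.
ZONE = "example.test"
OLD_KSK = dnskey_rdata(257, 13, bytes(range(64)))       # key on the old NS
NEW_KSK = dnskey_rdata(257, 13, bytes(range(64, 128)))  # key on the new NS

def scenarios():
    stale_ds = [make_ds(ZONE, OLD_KSK)]
    return {
        "signed zone, no DS in parent": classify(ZONE, [], [NEW_KSK]),
        "DS matches DNSKEY": classify(ZONE, stale_ds, [OLD_KSK]),
        "NS switched, old DS left": classify(ZONE, stale_ds, [NEW_KSK]),
        "new NS unsigned, old DS left": classify(ZONE, stale_ds, []),
    }

if __name__ == "__main__":
    for case, state in scenarios().items():
        print(f"{case}: {state}")
```

Only the "bogus" state stops a client behind a validating resolver at name resolution; "insecure" resolves normally, so any later failure lies in the TCP or TLS step.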