DNS-secured CERTs using TLSA
The current CA model is flawed, and we cannot trust any CA if it is not maintained by people we know. It is a major problem to be able to work with third-party websites.
The DANE project aims at using DNSSEC to securely propagate secure data associations, like vhost <-> CERT, so we should follow the progress of its specification and test emerging implementations. When it is ready enough, we should then ask software implementers to use this new technology. Drafts can be found here:
#3 Updated by Marc Dequènes over 7 years ago
- % Done changed from 0 to 10
This week I configured www.hq.dc.o to do some tests, and the settings were quite easy. Note that the TXT field is already deprecated according to the VCS commits.
The plugin is not meant to be installed on FF10 but can be forced and seems to work. Nevertheless I was not able to get it to validate anything, as it considers the DNSSEC chain to be broken, and activating debug in about:config did not output anything on the web console or on STDOUT.
#6 Updated by Marc Dequènes almost 4 years ago
The FF plugin is now here: https://addons.mozilla.org/en-US/firefox/addon/dnssec-validator/
Version 126.96.36.199.1-signed works and the AA/AD problem seems gone.
Now we need to feed the TLSA entries into the DNS. I need to find a way to automate it around mkcert. Ansible maybe?
#7 Updated by Marc Dequènes almost 4 years ago
- % Done changed from 10 to 70
Modified mkcert to generate the SubjectPublicKeyInfo hashes for a server (for the CN if applicable, and all DNS entries in subjectAltName), then for all servers of a CA.
The services needed to be specified in the server configuration file, using the service name (NSS) or port/proto. Sometimes it is also needed to restrict certain services to specific hostnames, so the scope can be narrowed in the syntax.
- The resulting bunch of TLSA records needs to be mapped to domain names, taking care of which domains are currently DNSSEC enabled.
- Entries also need to be properly dispatched in the right parent/child domain (in case of subdomains).
- The filtered result needs to be pushed to the MX1 of the domain.
- opendnssec needs to be triggered
As these last steps are not very easy, and to test the results, I created the adm_publish_tlsa script doing what's needed for the only domains able to take advantage of it.
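The first step described above (SubjectPublicKeyInfo hash per hostname, one TLSA record per service) as an added Ruby example. This is not the modified mkcert nor the adm_publish_tlsa script; it generates a throwaway self-signed certificate (constructed, so it runs offline) and emits "3 1 1" records (DANE-EE, SPKI selector, SHA-256), which pin the public key rather than the whole certificate. Service specs are accepted as "port/proto" or as an NSS service name resolved through getservbyname; the DNSSEC/zone-dispatch steps are out of scope here.

```ruby
require 'openssl'
require 'socket'

# Added example (not the project's script): derive DANE-EE TLSA records
# (usage 3 = end-entity cert, selector 1 = SubjectPublicKeyInfo, matching
# type 1 = SHA-256) from a certificate, one record per hostname found in
# the CN and the DNS entries of subjectAltName, for each service to publish.

# Extract the DER-encoded SubjectPublicKeyInfo straight from the certificate
# structure, so the digest does not depend on how the key object serialises.
def spki_der(cert)
  tbs = OpenSSL::ASN1.decode(cert.to_der).value[0].value
  # TBSCertificate: [0] version (optional, explicit), serialNumber, signature,
  # issuer, validity, subject, subjectPublicKeyInfo, ...
  offset = tbs[0].tag_class == :CONTEXT_SPECIFIC ? 1 : 0
  tbs[offset + 5].to_der
end

# Hostnames the certificate is valid for: CN (if any) plus DNS SANs.
def cert_hostnames(cert)
  names = []
  cn = cert.subject.to_a.find { |entry| entry[0] == 'CN' }
  names << cn[1] if cn
  san = cert.extensions.find { |ext| ext.oid == 'subjectAltName' }
  san&.value&.split(',')&.each do |entry|
    entry = entry.strip
    names << entry.delete_prefix('DNS:') if entry.start_with?('DNS:')
  end
  names.uniq
end

# Accept "443/tcp" or an NSS service name such as "https" (looked up via
# getservbyname, i.e. /etc/services) and return [port, proto].
def resolve_service(spec, proto = 'tcp')
  if spec =~ %r{\A(\d+)/(tcp|udp|sctp)\z}
    [Regexp.last_match(1).to_i, Regexp.last_match(2)]
  else
    [Socket.getservbyname(spec, proto), proto]
  end
end

# "3 1 1" = DANE-EE, SPKI, SHA-256: the record pins the public key itself, so
# the same record stays valid across reissues that keep the key.
def tlsa_records(cert, services)
  digest = OpenSSL::Digest::SHA256.hexdigest(spki_der(cert))
  cert_hostnames(cert).flat_map do |host|
    services.map do |spec|
      port, proto = resolve_service(spec)
      "_#{port}._#{proto}.#{host}. IN TLSA 3 1 1 #{digest}"
    end
  end
end

# Constructed throwaway self-signed certificate so the example runs offline;
# in real use the certificate is the one issued by the CA.
def sample_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=www.example.test')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('subjectAltName',
                                         'DNS:www.example.test,DNS:mail.example.test'))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

if $PROGRAM_NAME == __FILE__
  # Prints four records: two hostnames x two services, all sharing one digest.
  puts tlsa_records(sample_cert, ['443/tcp', '25/tcp'])
end
```

Reading the SPKI out of the certificate's ASN.1 rather than re-serialising the key object keeps the digest identical to what `openssl x509 -pubkey` would hash, which matters when the record is checked against the certificate presented on the wire.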
#9 Updated by Marc Dequènes almost 4 years ago
- Status changed from In Progress to Resolved
- % Done changed from 70 to 100
I recreated the previous script in Ruby to handle all the listed steps, and it works well, giving the exact same output as before.
In order to have the necessary knowledge to do the job, I created /etc/mp-admin/topology with necessary information.