Enhancement #273
closed
DNS-secured CERTs using TLSA
Added by Marc Dequènes almost 13 years ago.
Updated over 9 years ago.
Category:
Service :: IS / AAA / PKI
Description
The current CA model is flawed, and we cannot trust any CA if they are not maintained by people we know. It is a major problem to be able to work with third party websites.
The DANE project aims at using DNSSEC to securely propagate secure data associations, like vhost <-> CERT, so we should follow the progress of its specification and test emerging implementations. When it is ready enough, we should then ask software implementors to use this new technology. Drafts can be found here:
http://datatracker.ietf.org/wg/dane/
- Status changed from New to In Progress
- Assignee set to Marc Dequènes
There is already a Firefox addon for TLSA:
https://os3sec.org/
I still don't know if there are tools to generate the DNS entries easily.
- Category changed from Service :: Web to Service :: IS / AAA / PKI
- % Done changed from 0 to 10
This week I configured www.hq.dc.o to do some tests, and the settings were quite easy. Note that the TXT field is already deprecated according to the VCS commits.
The plugin is not meant to be installed on FF10 but can be forced and seems to work. Nevertheless I was not able to get it to validate anything, as it considers the DNSSEC chain to be broken, and activating debug in about:config did not output anything on the web console or on STDOUT.
I'm probably hitting the AA versus AD flag, which should be solved when #292 is done.
- % Done changed from 10 to 70
Modified mkcert to generate the SubjectPublicKeyInfo hashes for a server (for the CN if applicable and all DNS entries in subjectAltName), then for all servers of a CA.
The services need to be specified in the server configuration file, using the service name (NSS) or port/proto. Sometimes it is also necessary to restrict certain services to specific hostnames, so the scope can be narrowed in the syntax.
Todo:
- The resulting bunch of TLSA records needs to be mapped to domain names, taking care of which domain is currently DNSSEC enabled.
- Entries also need to be properly dispatched in the right parent/child domain (in case of subdomains).
- The filtered result needs to be pushed to the MX1 of the domain.
- opendnssec needs to be triggered.
As these last steps are not very easy, and to test the results, I created the adm_publish_tlsa script doing what's needed for the only domains able to take advantage of it.
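An added example, not the project's mkcert or adm_publish_tlsa code, of the computation the comment above describes: the SubjectPublicKeyInfo SHA-256 hash for the CN and every DNS entry in subjectAltName, expanded into one TLSA record per hostname and port/proto service. The certificate, hostnames and services are constructed for the demonstration.

```ruby
require 'openssl'
# RDATA for a TLSA record (RFC 6698). Defaults: usage 3 (DANE-EE),
# selector 1 (SubjectPublicKeyInfo), matching 1 (SHA-256).
def tlsa_rdata(cert, usage: 3, selector: 1, matching: 1)
  data = selector == 1 ? cert.public_key.to_der : cert.to_der
  digest = case matching
           when 0 then data
           when 1 then OpenSSL::Digest::SHA256.digest(data)
           when 2 then OpenSSL::Digest::SHA512.digest(data)
           else raise ArgumentError, "unsupported matching type #{matching}"
           end
  format('%d %d %d %s', usage, selector, matching, digest.unpack1('H*'))
end

# Hostnames the certificate covers: CN (if present) plus every DNS: entry
# of subjectAltName, without duplicates.
def cert_hostnames(cert)
  names = []
  cn = cert.subject.to_a.find { |oid, _value, _type| oid == 'CN' }
  names << cn[1] if cn
  san = cert.extensions.find { |ext| ext.oid == 'subjectAltName' }
  (san ? san.value.split(',') : []).each do |entry|
    entry = entry.strip
    names << entry.delete_prefix('DNS:') if entry.start_with?('DNS:')
  end
  names.uniq
end

# One record per (hostname, service); services are [port, proto] pairs.
def tlsa_records(cert, services)
  rdata = tlsa_rdata(cert)
  cert_hostnames(cert).flat_map do |host|
    services.map { |port, proto| "_#{port}._#{proto}.#{host}. IN TLSA #{rdata}" }
  end
end

# Constructed self-signed certificate for the demonstration (hypothetical names).
def sample_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=www.example.org')
  cert.issuer, cert.public_key = cert.subject, key.public_key
  cert.not_before, cert.not_after = Time.now, Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('subjectAltName', 'DNS:www.example.org,DNS:example.org'))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end
puts tlsa_records(sample_cert, [[443, 'tcp'], [25, 'tcp']]) if $PROGRAM_NAME == __FILE__
```

The hex in the generated RDATA can be checked against `openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER | sha256sum` on the same certificate.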
- Blocked by deleted (Enhancement #292: DNSSEC authoritative nameservers and validating resolvers should be separated)
- Status changed from In Progress to Resolved
- % Done changed from 70 to 100
I recreated the previous script in Ruby to handle all the listed steps and it works well, giving exactly the same output as before.
In order to have the necessary knowledge to do the job, I created /etc/mp-admin/topology with necessary information.