Security Model » History » Version 1

Marc Dequènes, 2020-04-06 13:58

h1. DANE

h2. Introduction

"DANE":https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities is a security protocol used to reinforce TLS certificate validation by publishing certain information in the DNS. It requires your DNS zones to be secured using "DNSSEC":https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions.

h2. Status in DuckCorp

We consider it better not to trust top CAs and their "broken security model":https://en.wikipedia.org/wiki/Certificate_authority#CA_compromise. Instead, DANE-EE allows validation of the leaf certificate, bypassing the usual CA validation. It still requires trusting the DNS hierarchy, but there are fewer players involved and it has proved more reliable, so this is a real improvement. Unfortunately, DANE adoption is quite low.

Initially we only used our own CA and published TLSA records for all services. Because it is quite inconvenient to set up a custom CA for non-technical users, and because it makes it difficult for us to communicate and exchange with external entities through our infrastructure, we decided to trust Let's Encrypt to generate certificates. The root of the problem is not solved, but at least the validation process is sound and open. It is also automated using Free Software, so we can handle certificate management ourselves. We keep using our CA for internal services, but public-facing ones now use Let's Encrypt.

Since we now use Let's Encrypt, TLSA publication has been reworked to work well with it. It is fully automated (unlike renewal with our CA) but not yet deployed for all services.

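
An added example, not DuckCorp's own tooling: DANE-EE matching of a TLSA record against a certificate as defined in RFC 6698, showing why a record with selector 1 (public key) keeps matching after a renewal that reuses the key, while a record with selector 0 (full certificate) does not. The certificates are constructed, unsigned DER stand-ins and all function names are hypothetical.

```python
import hashlib
import hmac

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, as found in real certificates
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_of(cert):
    """Slice the DER SubjectPublicKeyInfo out of a DER X.509 certificate."""
    _, pos, _ = tlv(cert, 0)               # enter Certificate
    _, pos, _ = tlv(cert, pos)             # enter tbsCertificate
    tag, _, end = tlv(cert, pos)
    pos = end if tag == 0xA0 else pos      # skip the optional [0] version
    for _ in range(5):                     # serial, sigAlg, issuer, validity, subject
        pos = tlv(cert, pos)[2]
    return cert[pos:tlv(cert, pos)[2]]

def tlsa_matches(record, cert):
    """Match a DER certificate against one DANE-EE TLSA RDATA string."""
    usage, selector, mtype, data = record.split(None, 3)
    if usage != "3" or selector not in ("0", "1") or mtype not in ("0", "1", "2"):
        raise ValueError("unsupported TLSA parameters: " + record)
    blob = cert if selector == "0" else spki_of(cert)
    if mtype != "0":
        blob = hashlib.new("sha256" if mtype == "1" else "sha512", blob).digest()
    return hmac.compare_digest(blob, bytes.fromhex(data))

def der(tag, body):  # sample encoder: short-form lengths (< 128 bytes) only
    return bytes([tag, len(body)]) + body

def sample_cert(serial, not_after, key):
    """Constructed, unsigned, certificate-shaped DER; not a real certificate."""
    spki = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + key))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, serial) + der(0x30, b"") * 2
           + der(0x30, der(0x17, not_after)) + der(0x30, b"") + spki)
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))

def tlsa_record(selector, cert):
    """Build the '3 <selector> 1 <sha256>' record that pins cert."""
    blob = cert if selector == 0 else spki_of(cert)
    return f"3 {selector} 1 {hashlib.sha256(blob).hexdigest()}"

KEY = bytes(range(32))                             # constructed key bytes
OLD = sample_cert(b"\x01", b"250101000000Z", KEY)
NEW = sample_cert(b"\x02", b"250401000000Z", KEY)  # renewed, same key
```

With a "3 0 1" record the TLSA data has to be republished at every renewal; with "3 1 1" it only changes when the key pair changes.
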
h2. Checking DANE

The "danetls":https://github.com/shuque/danetls tool is not packaged but there is a web service called "danecheck":https://www.huque.com/bin/danecheck by the same author.

h2. DANE adoption

These are just notes to check on DANE adoption in various client software.

* SMTP: seems to have gained traction, as suggested by the various checkers; Postfix supports it and so do we (see [[Mail]])
* IMAP/POP3: "Thunderbird integration was refused":https://bugzilla.mozilla.org/show_bug.cgi?id=1479423 because it needs to be integrated in Firefox core first, but the "Firefox integration":https://bugzilla.mozilla.org/show_bug.cgi?id=672600 does not seem to be going anywhere
* IRC: "WeeChat integration":https://github.com/weechat/weechat/pull/121 is not making much progress despite a patch being available
* XMPP-c2s: ???
* XMPP-s2s: Prosody has an "experimental module":https://modules.prosody.im/mod_s2s_auth_dane.html but it is unmaintained and supposed to crash sometimes (according to the known issues)