internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

[bug?] DANE wrong IP check? #1383

Closed websecnl closed 3 months ago

websecnl commented 3 months ago

When checking for DANE it checks the webserver IP for TLSA, but in reality it should check the MX records (mailservers) for TLSA and not the domain. Is this a bug?

mxsasha commented 3 months ago

In which test? In the web test, we look at web server DANE, in the mail test, we look at MX DANE. Or at least, we should - if we do not, that sounds like a bug. Also note that DANE on web is informational and has no score impact.

websecnl commented 3 months ago

> In which test? In the web test, we look at web server DANE, in the mail test, we look at MX DANE. Or at least, we should - if we do not, that sounds like a bug. Also note that DANE on web is informational and has no score impact.

There seems to be only one DANE check as far as I can see

https://internet.nl/site/websec.nl/2721068/

bwbroersma commented 3 months ago

DANE is not exclusively for MX (port 25), it can also be set up for HTTPS (port 443), also see this RFC 7671 example. So in this case there is a check for a TLSA record on _443._tcp.websec.nl.

websecnl commented 3 months ago

> DANE is not exclusively for MX (port 25), it can also be set up for HTTPS (port 443), also see this RFC 7671 example. So in this case there is a check for a TLSA record on _443._tcp.websec.nl.

What if my certificate auto-renews every 3 months? Do I have to update the TLSA record?

bwbroersma commented 3 months ago

In all cases of setting up DANE:

DANE is not used by regular browsers, see application support. Monitoring is mainly important if you deploy DANE for SMTP (our howto).

websecnl commented 3 months ago

> _443._tcp.websec.nl

Thank you @bwbroersma, should have solved it now. For those who also have GMail and Cloudflare and want to know what hell you have to go through in order to set up DANE.

Hopefully this writeup and Automation script makes things a bit easier for you: https://github.com/websecnl/Cloudflare-DANE-Auto-Updater

bwbroersma commented 3 months ago

@websecnl: interesting, never thought about automatic certificate rotation 'out of your control'. Another option is only pinning on the root:

```
$ dig +noall +answer TLSA _443._tcp.internet.nl
_443._tcp.internet.nl.    3600    IN      CNAME   proloprod._dane.internet.nl.
proloprod._dane.internet.nl. 3600 IN    CNAME   le-intermediate._dane.internet.nl.
le-intermediate._dane.internet.nl. 3600 IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B220407 1ED04F10
le-intermediate._dane.internet.nl. 3600 IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DC FBCF286D
le-intermediate._dane.internet.nl. 3600 IN TLSA 2 1 1 E5545E211347241891C554A03934CDE9B749664A59D26D615FE58F77 990F2D03
le-intermediate._dane.internet.nl. 3600 IN TLSA 2 1 1 BD936E72B212EF6F773102C6B77D38F94297322EFC25396BC3279422 E0C89270
```

BTW your script will of course add any certificate that is valid, so the DANE will result in the same as using the root CAs.

websecnl commented 3 months ago

> @websecnl: interesting, never thought about automatic certificate rotation 'out of your control'. Another option is only pinning on the root:
>
> ```
> $ dig +noall +answer TLSA _443._tcp.internet.nl
> _443._tcp.internet.nl.    3600    IN      CNAME   proloprod._dane.internet.nl.
> proloprod._dane.internet.nl. 3600 IN    CNAME   le-intermediate._dane.internet.nl.
> le-intermediate._dane.internet.nl. 3600 IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B220407 1ED04F10
> le-intermediate._dane.internet.nl. 3600 IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DC FBCF286D
> le-intermediate._dane.internet.nl. 3600 IN TLSA 2 1 1 E5545E211347241891C554A03934CDE9B749664A59D26D615FE58F77 990F2D03
> le-intermediate._dane.internet.nl. 3600 IN TLSA 2 1 1 BD936E72B212EF6F773102C6B77D38F94297322EFC25396BC3279422 E0C89270
> ```
>
> BTW your script will of course add any certificate that is valid, so the DANE will result in the same as using the root CAs.

Should I make it so that it makes a hash for every cert in the chain and adds it to DNS? I thought only the main cert was required from the chain and not all? (My chain has like 3-4 certs, but only 1 of them I got in my TLSA record for the tcp 443 selector, which seems enough.) Let me know if I'm doing anything wrong please, or if this script can be improved. I'd like to help making this DANE implementation as simple as possible.
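The thread turns on what the three numbers in a TLSA record mean and why pinning the leaf (`3 1 1`) breaks on an auto-renewal while pinning the issuing CA's key (`2 1 1`, as internet.nl does above) does not. The following is an added illustration written for this thread; it is not code from internet.nl or from the Cloudflare-DANE-Auto-Updater script. It implements the selector and matching-type rules of RFC 6698 / RFC 7671, parses the `dig` output quoted above (joining the hex that dig splits with a space), and runs a constructed renewal scenario. The certificates in it are placeholder byte strings standing in for DER encodings, and the signature path from the leaf up to the pinned CA is assumed to be validated by the TLS library rather than shown here.

```python
"""DANE TLSA matching walk-through (added example, not internet.nl or
websecnl/Cloudflare-DANE-Auto-Updater code).

TLSA RDATA is  <usage> <selector> <matching type> <data>:
  usage    2 = DANE-TA: pin a CA certificate somewhere in the chain
           3 = DANE-EE: pin the end-entity (leaf) certificate itself
  selector 0 = whole certificate (DER), 1 = SubjectPublicKeyInfo only
  mtype    0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
The "certificates" below are constructed placeholder byte strings, not real
DER; only the hashing, record formatting and matching logic is real.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    name: str
    der: bytes   # placeholder for the DER-encoded certificate
    spki: bytes  # placeholder for its DER-encoded SubjectPublicKeyInfo


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Apply selector, then matching type, exactly as a DANE verifier does."""
    blob = {0: cert.der, 1: cert.spki}[selector]
    if mtype == 0:
        return blob
    if mtype == 1:
        return hashlib.sha256(blob).digest()
    if mtype == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_for(cert: Cert, usage: int, selector: int = 1, mtype: int = 1) -> TLSA:
    """Build the TLSA record that pins `cert` (default: SPKI, SHA-256)."""
    return TLSA(usage, selector, mtype, association_data(cert, selector, mtype))


def rr_text(owner: str, rec: TLSA, ttl: int = 3600) -> str:
    """Zone-file line, e.g. '_443._tcp.example.nl. 3600 IN TLSA 2 1 1 <hex>'."""
    return f"{owner} {ttl} IN TLSA {rec.usage} {rec.selector} {rec.mtype} {rec.data.hex().upper()}"


DIG_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")


def parse_dig(answer: str) -> List[TLSA]:
    """Parse `dig +noall +answer TLSA ...` output. dig wraps the hex data with a
    space, so everything after the three numbers is joined before decoding.
    CNAME lines are skipped: the resolver already chased them to the TLSA owner."""
    out = []
    for line in answer.splitlines():
        m = DIG_LINE.match(line.strip())
        if not m or m.group(2) != "TLSA":
            continue
        fields = m.group(3).split()
        usage, selector, mtype = (int(f) for f in fields[:3])
        out.append(TLSA(usage, selector, mtype, bytes.fromhex("".join(fields[3:]))))
    return out


def chain_matches(chain: List[Cert], records: List[TLSA]) -> Optional[Tuple[TLSA, str]]:
    """chain[0] is the leaf, chain[1:] its issuers (intermediates, then root).
    Returns (record, cert name) for the first record the chain satisfies, else None.
    Usages 0/1 (PKIX-TA/PKIX-EE) also need WebPKI validation and are ignored here;
    for usage 2 the leaf-to-CA signature path is assumed verified by the TLS stack."""
    for rec in records:
        if rec.usage == 3:
            candidates = chain[:1]
        elif rec.usage == 2:
            candidates = chain[1:]
        else:
            continue
        for cert in candidates:
            if association_data(cert, rec.selector, rec.mtype) == rec.data:
                return rec, cert.name
    return None


# Answer section copied from the thread above (internet.nl pins its intermediate).
INTERNET_NL_ANSWER = """\
_443._tcp.internet.nl.    3600    IN      CNAME   proloprod._dane.internet.nl.
proloprod._dane.internet.nl. 3600 IN    CNAME   le-intermediate._dane.internet.nl.
le-intermediate._dane.internet.nl. 3600 IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B220407 1ED04F10
le-intermediate._dane.internet.nl. 3600 IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DC FBCF286D
"""

# Constructed scenario: an ACME-style leaf that is re-keyed on auto-renewal,
# issued by the same intermediate both times.
INTERMEDIATE = Cert("intermediate CA", b"der:intermediate", b"spki:intermediate-key")
LEAF_V1 = Cert("leaf, issued January", b"der:leaf-v1", b"spki:leaf-key-1")
LEAF_V2 = Cert("leaf, auto-renewed April", b"der:leaf-v2", b"spki:leaf-key-2")


def renewal_demo() -> dict:
    """Which pins survive a renewal that is out of your control?"""
    ee_pin = tlsa_for(LEAF_V1, usage=3)       # 3 1 1 on the leaf key
    ta_pin = tlsa_for(INTERMEDIATE, usage=2)  # 2 1 1 on the CA key
    return {
        "ee_before": chain_matches([LEAF_V1, INTERMEDIATE], [ee_pin]) is not None,
        "ee_after": chain_matches([LEAF_V2, INTERMEDIATE], [ee_pin]) is not None,
        "ta_after": chain_matches([LEAF_V2, INTERMEDIATE], [ta_pin]) is not None,
    }


if __name__ == "__main__":
    for rec in parse_dig(INTERNET_NL_ANSWER):
        print(rr_text("le-intermediate._dane.internet.nl.", rec))
    print(rr_text("_443._tcp.example.nl.", tlsa_for(INTERMEDIATE, usage=2)))
    print(renewal_demo())  # {'ee_before': True, 'ee_after': False, 'ta_after': True}
```

The scenario makes the trade-off concrete: a `3 1 1` record must be rewritten every time the leaf gets a new key, which is what the auto-updater script exists to do, whereas a `2 1 1` record on the intermediate keeps matching across renewals. It also shows why publishing a record for every certificate in the chain is the same as trusting the CA outright: once the intermediate or root is pinned, any leaf it issues passes.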