Closed websecnl closed 7 months ago
In which test? In the web test, we look at web server DANE, in the mail test, we look at MX DANE. Or at least, we should - if we do not, that sounds like a bug. Also note that DANE on web is informational and has no score impact.
There seems to be only one DANE check as far as I can see
DANE is not exclusively for MX (port 25); it can also be set up for HTTPS (port 443), also see this RFC 7671 example. So in this case there is a check for a TLSA record on _443._tcp.websec.nl.
What if my certificate auto renews every 3 months? do I have to update the TLSA record?
In all cases of setting up DANE:
DANE is not used by regular browsers, see application support. Monitoring is mainly important if you deploy DANE for SMTP (our howto).
Thank you @bwbroersma, it should be solved now. For those who also have Gmail and Cloudflare and want to know what hell you have to go through in order to set up DANE:
Hopefully this writeup and Automation script makes things a bit easier for you: https://github.com/websecnl/Cloudflare-DANE-Auto-Updater
@websecnl: interesting, never thought about automatic certificate rotation 'out of your control'. Another option is only pinning on the root:
$ dig +noall +answer TLSA _443._tcp.internet.nl
_443._tcp.internet.nl. 3600 IN CNAME proloprod._dane.internet.nl.
proloprod._dane.internet.nl. 3600 IN CNAME le-intermediate._dane.internet.nl.
le-intermediate._dane.internet.nl. 3600 IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B220407 1ED04F10
le-intermediate._dane.internet.nl. 3600 IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DC FBCF286D
le-intermediate._dane.internet.nl. 3600 IN TLSA 2 1 1 E5545E211347241891C554A03934CDE9B749664A59D26D615FE58F77 990F2D03
le-intermediate._dane.internet.nl. 3600 IN TLSA 2 1 1 BD936E72B212EF6F773102C6B77D38F94297322EFC25396BC3279422 E0C89270
BTW your script will of course add any certificate that is valid, so the DANE will result in the same as using the root CA's.
Should I make it so that it makes a hash for every cert in the chain and adds it to DNS? I thought only the main cert was required from the chain and not all? (My chain has like 3-4 certs, but only one of them I have in my TLSA record for the tcp 443 selector, which seems enough.) Let me know if I'm doing anything wrong, please, or if this script can be improved. I'd like to help make this DANE implementation as simple as possible.
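Putting the two points from the replies above into code: a 3 1 1 record (DANE-EE, SPKI, SHA-256) is bound to the end-entity key and breaks when an auto-renewal issues a new key, while a 2 1 1 record (DANE-TA) for the issuing CA keeps matching; and for usage 3 only the leaf certificate is consulted, so hashing every certificate in the chain into 3 1 1 records adds nothing. This is an added example, not internet.nl code and not the Cloudflare-DANE-Auto-Updater script. It uses only the Python standard library, so the two "certificates" are constructed minimal DER encodings that follow the RFC 5280 Certificate layout far enough for the SubjectPublicKeyInfo to be located exactly as in a real certificate; their keys, names and signatures are placeholders and would never validate under PKIX. The owner name `_443._tcp.websec.nl.` is taken from the thread; everything else is assumed.

```python
"""Added example: generate DANE TLSA association data and match it against a
certificate chain.  Not internet.nl code and not the websecnl updater script.
Certificates below are CONSTRUCTED minimal DER stand-ins, not real X.509."""
import hashlib


# --- minimal DER encode/decode (enough for Certificate/SubjectPublicKeyInfo) ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, payload):
    return bytes([tag]) + der_len(len(payload)) + payload


def der_seq(*items):
    return der(0x30, b"".join(items))


def der_read(buf, pos=0):
    """Return (tag, value, end) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    return tag, buf[start:start + length], start + length


def der_children(payload):
    """Top-level TLVs inside a constructed value, as raw byte slices."""
    out, pos = [], 0
    while pos < len(payload):
        _, _, nxt = der_read(payload, pos)
        out.append(payload[pos:nxt])
        pos = nxt
    return out


def spki_of(cert_der):
    """SubjectPublicKeyInfo of a DER Certificate (RFC 5280 section 4.1)."""
    _, cert_body, _ = der_read(cert_der)                    # Certificate ::= SEQUENCE
    _, tbs_body, _ = der_read(der_children(cert_body)[0])   # tbsCertificate
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5]


# --- TLSA (RFC 6698 section 2.1): usage, selector, matching type ---------------
def tlsa_data(cert_der, selector, mtype):
    data = cert_der if selector == 0 else spki_of(cert_der)   # 0 = Cert, 1 = SPKI
    if mtype == 0:
        return data                                            # full data, no hash
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type")


def tlsa_rr(owner, usage, selector, mtype, cert_der):
    hexdata = tlsa_data(cert_der, selector, mtype).hex().upper()
    return f"{owner} IN TLSA {usage} {selector} {mtype} {hexdata}"


def parse_rr(rr):
    p = rr.split()          # owner IN TLSA usage selector mtype data
    return int(p[3]), int(p[4]), int(p[5]), p[6]


def chain_matches(chain, rrset):
    """True if the chain (leaf first) satisfies any record in rrset.

    Usage 3 (DANE-EE) is checked against the end-entity certificate only;
    usage 2 (DANE-TA) against the issuing certificates in the chain.  Usages
    0/1 also require PKIX validation, which this example does not implement,
    so such records are ignored here."""
    for usage, selector, mtype, hexdata in rrset:
        want = bytes.fromhex(hexdata)
        candidates = chain[:1] if usage == 3 else chain[1:] if usage == 2 else []
        if any(tlsa_data(c, selector, mtype) == want for c in candidates):
            return True
    return False


# --- constructed certificates (structural stand-ins, NOT real X.509 material) --
def _name(cn):   # Name ::= SEQUENCE OF SET OF {commonName, UTF8String}
    return der_seq(der(0x31, der_seq(der(0x06, b"\x55\x04\x03"), der(0x0C, cn.encode()))))


def toy_cert(serial, issuer_cn, subject_cn, pubkey):
    alg = der_seq(der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))          # ecdsa-with-SHA256
    spki = der_seq(der_seq(der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")),     # id-ecPublicKey
                   der(0x03, b"\x00" + pubkey))
    tbs = der_seq(der(0xA0, der(0x02, b"\x02")), der(0x02, bytes([serial])), alg,
                  _name(issuer_cn),
                  der_seq(der(0x17, b"240101000000Z"), der(0x17, b"250101000000Z")),
                  _name(subject_cn), spki)
    return der_seq(tbs, alg, der(0x03, b"\x00" * 9))                        # placeholder signature


intermediate = toy_cert(1, "Toy Root", "Toy Intermediate", b"\x04" + bytes(range(1, 65)))
leaf_v1 = toy_cert(2, "Toy Intermediate", "websec.nl", b"\x04" + bytes(range(65, 129)))
leaf_v2 = toy_cert(3, "Toy Intermediate", "websec.nl", b"\x04" + bytes(range(129, 193)))  # renewed, new key
OWNER = "_443._tcp.websec.nl."


def records_for(leaf, issuer):
    """One DANE-EE record for the leaf, one DANE-TA record for its issuer."""
    return [tlsa_rr(OWNER, 3, 1, 1, leaf), tlsa_rr(OWNER, 2, 1, 1, issuer)]


def renewal_survives(usage, selector, mtype, old_leaf, new_leaf, issuer):
    """Does a record published for the old chain still match after renewal?"""
    anchor = old_leaf if usage == 3 else issuer
    rr = (usage, selector, mtype, tlsa_data(anchor, selector, mtype).hex())
    return chain_matches([new_leaf, issuer], [rr])


if __name__ == "__main__":
    for rr in records_for(leaf_v1, intermediate):
        print(rr)
    print("3 1 1 survives renewal:", renewal_survives(3, 1, 1, leaf_v1, leaf_v2, intermediate))
    print("2 1 1 survives renewal:", renewal_survives(2, 1, 1, leaf_v1, leaf_v2, intermediate))
```

The same `spki_of`/`tlsa_data` path works on a real DER certificate (e.g. the output of `openssl x509 -outform DER`), and equals the usual `openssl x509 -pubkey | openssl pkey -pubin -outform DER | sha256sum` recipe. A 3 1 1 record only survives an automated renewal when the private key is kept across renewals (certbot's `--reuse-key`); otherwise the new record has to be published, and the old one kept until caches expire, before the new certificate goes live, which is why pinning the issuing CA with 2 1 1 is the lower-maintenance option when rotation is out of your hands.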
When checking for DANE it checks the webserver IP for TLSA, but in reality it should check the MX records (mailservers) for TLSA and not the domain. Is this a bug?