thunderbird / thunderbird-android

K-9 Mail – Open Source Email App for Android
https://k9mail.app/
Apache License 2.0

DNSSEC/DANE support #1776

Open rugk opened 7 years ago

rugk commented 7 years ago

DNSSEC/DANE are two DNS-based technologies for securing the hostname lookup (DNSSEC) and the TLS connection to the server (DANE, using a TLSA record). Currently mail providers are among the few large "websites" on the internet that deploy this. (In Germany it is e.g. supported by Web.de, GMX, Posteo, Mailbox.org, …)

It would be awesome if K9 mail would support them, although I admit it may be difficult as K9 mail of course needs access to the DNS data here.

philipwhiuk commented 7 years ago

Currently we use Android's built-in resolver. Implementing a DNSSEC-aware resolver is definitely either the job of Android itself or the job of a third-party library. It does not look like there is a properly audited DNSSEC library for Android - the closest custom DNS implementation I can see is https://github.com/rtreffer/minidns.

I think there's no chance of K-9 implementing its own version of crypto-related code - it's just too much work. We'd rather use a library that is developed and audited as a component - either as part of the OS or otherwise.

I'm going to close this, but feel free to re-open / submit a PR if you find a library that is at worst actively updated and well supported but ideally audited that does DNSSEC/DANE.

rugk commented 7 years ago

Okay, maybe it can be reopened in a few years when Android has built-in support for this. :wink:

Flowdalic commented 7 years ago

There is MiniDNS, which has support for DNSSEC and DANE, and native support for Android. Disclaimer: I'm involved in MiniDNS and happy to answer any questions that you might have.

philipwhiuk commented 6 years ago

I looked into this.

Currently we do `new Socket(hostname, port);`. Under the hood this does `InetAddress.getByName(hostname)`, which presumably, eventually does an AAAA and A record lookup for hostname.

So I wrote an implementation for querying AAAA and A records as a proof of concept and then connecting to the mailserver port using the IPs provided until a successful connection is made.

We obviously then cache that IP address and then if it fails to connect re-resolve. We don't really want to be doing DNS resolution every connection. `InetAddress.getByName` uses the OS to cache data.

I had a bit of a stumbling block when I thought MiniDNS was broken, but actually it's just that Google don't implement DNS-SEC and they were my test domain.

So I now have a PoC that works for Posteo to verify the DNS-SEC record. Interestingly, MiniDNS complains about the NSEC record on AAAA and throws an Exception. Currently I catch that and try the A records.

This is definitely going to be an opt-in thing in some advanced setting.

Here's my Gist: https://gist.github.com/philipwhiuk/bbf761b1090de72e83a3064f16a22b38

I'm not quite sure how DANE fits into all this.

ArchangeGabriel commented 6 years ago

DANE would be for checking the SSL certificate. Not sure at which point you get it in the code.
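
The certificate check that DANE adds to the connection discussed above, as an added example that is not part of the thread and is not K-9 Mail or MiniDNS code: after the TLS handshake, the server's certificate is compared against the selector, matching type and association data of a TLSA record as defined in RFC 6698. The class name `TlsaMatcher` is hypothetical; the sketch assumes the TLSA record came from a DNSSEC-validated answer and does not evaluate the record's certificate usage field.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;

/** Added illustration of RFC 6698 TLSA matching; hypothetical class, not project code. */
public final class TlsaMatcher {
    // TLSA selector field: 0 = full certificate, 1 = SubjectPublicKeyInfo.
    // TLSA matching type field: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.

    /** Returns true if the certificate matches the TLSA association data. */
    public static boolean matches(int selector, int matchingType, byte[] associationData,
                                  X509Certificate cert)
            throws CertificateEncodingException, NoSuchAlgorithmException {
        return matches(selector, matchingType, associationData,
                cert.getEncoded(), cert.getPublicKey().getEncoded());
    }

    /** Same check on raw DER bytes, so it can be exercised without a live TLS session. */
    static boolean matches(int selector, int matchingType, byte[] associationData,
                           byte[] certDer, byte[] spkiDer) throws NoSuchAlgorithmException {
        byte[] selected;
        switch (selector) {
            case 0: selected = certDer; break;
            case 1: selected = spkiDer; break;
            default: return false; // unknown selector: record is unusable, never a match
        }
        byte[] presented;
        switch (matchingType) {
            case 0: presented = selected; break;
            case 1: presented = MessageDigest.getInstance("SHA-256").digest(selected); break;
            case 2: presented = MessageDigest.getInstance("SHA-512").digest(selected); break;
            default: return false; // unknown matching type: fail closed
        }
        // Constant-time comparison of the presented value with the record's data.
        return MessageDigest.isEqual(presented, associationData);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-ins for DER bytes; a real caller passes the server's certificate.
        byte[] certDer = "constructed-cert".getBytes(StandardCharsets.US_ASCII);
        byte[] spkiDer = "constructed-spki".getBytes(StandardCharsets.US_ASCII);
        byte[] pin = MessageDigest.getInstance("SHA-256").digest(spkiDer); // selector 1, type 1
        System.out.println(matches(1, 1, pin, certDer, spkiDer)); // SPKI pin against the SPKI
        System.out.println(matches(0, 1, pin, certDer, spkiDer)); // SPKI pin against full cert
        System.out.println(matches(1, 7, pin, certDer, spkiDer)); // unknown matching type
    }
}
```

In a client, the `X509Certificate` overload would run on the peer certificate chain obtained from the TLS session, and a failed match would abort the connection before any credentials are sent.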