On 11/10/2015 04:30 AM, Phil Stracchino wrote:
> On 11/09/15 22:55, Viktor Dukhovni wrote:
>> I would also like to encourage more of the administrators on this
>> list to publish TLSA records, but keep in mind that this is an
>> operational commitment, not a fashion statement. Once you publish
>> TLSA records you MUST keep them accurate while performing future
>> key/certificate updates (or changing issuing CAs if you're using
>> DANE-TA(2) TLSA records).
> [...]
>> If you can do that, please go ahead and publish TLSA records for
>> the MX hosts of your DNSSEC signed domains. If that's too complex
>> at this time, wait. The documentation and tools will improve, and
>> it is better to not publish at all than to publish broken records
>> that create problems for both senders (other domains) and receivers
>> (you).
> This is where I admit that I haven't gotten around to DNSSEC signing
> yet. But then, mine is a very small domain with only one external IP.

From my own personal experience, start with a very short TTL and do not
make TLSA records until you have a process down for rotating zone
signing keys that works.
I currently use a one-hour TTL and I do not feel a need to ever increase
that, but when I first started playing with DNSSEC I used a 5-minute TTL
so that when I made mistakes the impact was short.
Even though all but one of my TLS certificates are signed by a CA, I
always specify them as Type 3 in the TLSA record, not Type 1, even for
https. It turns out that specifying Type 1 doesn't add any real-world
security at all; applications (like browsers) that want CA-signed certs
still have to verify themselves, so I do not see a benefit to specifying
a TLSA record as Type 1.
I now am of the opinion that Type 0/1 TLSA records should be deprecated
as there is not, at least to me, a real-world value to them. But I am
not an expert in that area.
It is easier to experiment with a web server with TLSA because a bad
TLSA record won't cause a loss of service to most people as most (all?)
browsers don't care about TLSA without an extension.
Myself, I have TLSA records for my two mail servers, both very low
volume, but I do not yet run postfix in DANE mode. Soon I will start
doing that, but I'm waiting for increased DANE adoption and watching for
issues, like the .mil issue that started this thread, before I take that
step.
My DNS servers do DNSSEC validation, so I at least get some MITM protection
even without postfix running in DANE mode.
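The thread above turns on two practical points: publishing a Type 3 (DANE-EE) "3 1 1" record that pins the server's own public key, and keeping that record accurate across key rotations so the short-TTL experimentation the poster describes does not turn into a broken mailflow. The script below is an added example, not code from the list or from Postfix: it builds TLSA rdata from a DER certificate with a minimal ASN.1 walker, checks a published record set against a certificate, and shows the overlap rule for a rollover (publish the new record first, keep the old one until it has aged out of caches, then swap the certificate). The certificate it operates on is a constructed, unsigned toy structure with an invented public key, used only so the example runs offline; the function names are the example's own.

```python
"""Build and check DANE TLSA rdata for an MX or HTTPS certificate.

Usage field: 3 = DANE-EE (the post's recommendation), 1 = PKIX-EE
             (same digest, but the receiver must also do CA validation).
Selector:    0 = full certificate, 1 = SubjectPublicKeyInfo (SPKI).
Matching:    0 = exact data, 1 = SHA-256, 2 = SHA-512.
"""
import hashlib


def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV with a definite length of up to 65535 bytes."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload


def der_children(data: bytes) -> list:
    """Split a run of DER TLVs into (tag, whole_tlv, payload) tuples."""
    out, i = [], 0
    while i < len(data):
        tag, n, hdr = data[i], data[i + 1], 2
        if n & 0x80:                      # long-form length
            nbytes = n & 0x7F
            n = int.from_bytes(data[i + 2:i + 2 + nbytes], "big")
            hdr += nbytes
        out.append((tag, data[i:i + hdr + n], data[i + hdr:i + hdr + n]))
        i += hdr + n
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo (selector 1 input) of a certificate."""
    _, _, cert_body = der_children(cert_der)[0]        # Certificate ::= SEQUENCE
    _, _, tbs_body = der_children(cert_body)[0]        # tbsCertificate
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                           # optional [0] version
        fields = fields[1:]
    # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation-format TLSA rdata, e.g. '3 1 1 <sha256 hex>'."""
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported selector or matching type")
    data = extract_spki(cert_der) if selector == 1 else cert_der
    digest = {0: lambda d: d.hex(),
              1: lambda d: hashlib.sha256(d).hexdigest(),
              2: lambda d: hashlib.sha512(d).hexdigest()}[mtype](data)
    return f"{usage} {selector} {mtype} {digest}"


def tlsa_matches(records: list, cert_der: bytes) -> bool:
    """True if any end-entity (usage 1 or 3) record in the set matches the cert."""
    for rr in records:
        usage, selector, mtype, digest = rr.split()
        if int(usage) not in (1, 3):
            continue  # usage 0/2 pins an issuer; needs the chain, not handled here
        want = tlsa_rdata(cert_der, int(usage), int(selector), int(mtype))
        if want.split()[3] == digest.lower():
            return True
    return False


def rollover_records(current: list, new_cert_der: bytes) -> list:
    """Record set to publish BEFORE switching to new_cert_der: old + new.

    Remove the old record only after the new certificate is live and at
    least one TTL has passed, so no validating sender sees a mismatch.
    """
    new_rr = tlsa_rdata(new_cert_der)
    return current if new_rr in current else current + [new_rr]


def make_sample_cert(pubkey_bytes: bytes) -> tuple:
    """CONSTRUCTED: a structurally valid, unsigned toy X.509 v3 certificate."""
    alg_rsa = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
    alg_sig = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))
    spki = der(0x30, alg_rsa + der(0x03, b"\x00" + pubkey_bytes))
    tbs = der(0x30, b"".join([
        der(0xA0, der(0x02, b"\x02")),                                    # version v3
        der(0x02, b"\x01"),                                               # serial
        alg_sig,
        der(0x30, b""),                                                   # issuer
        der(0x30, der(0x17, b"151110000000Z") + der(0x17, b"161110000000Z")),
        der(0x30, b""),                                                   # subject
        spki,
    ]))
    cert = der(0x30, tbs + alg_sig + der(0x03, b"\x00" + bytes(32)))   # dummy signature
    return cert, spki


SAMPLE_CERT, SAMPLE_SPKI = make_sample_cert(bytes(range(1, 65)))     # constructed key bytes

if __name__ == "__main__":
    rr = tlsa_rdata(SAMPLE_CERT)
    print("publish: _25._tcp.mx.example.test. IN TLSA", rr)
    print("matches published set:", tlsa_matches([rr], SAMPLE_CERT))
```

With a real certificate, read the DER bytes from the file and the "3 1 1" output is what goes into the zone; the match check is what to run after every certificate or key change, before the old record is dropped.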