On Tue, Nov 10, 2015 at 05:15:43AM -0800, Alice Wonder wrote:

> From my own personal experience, start with a very short TTL and do not make
> TLSA records until you have a process down for rotating zone signing keys
> that works.
>
> I currently use a one hour TTL and I do not feel a need to ever increase
> that, but when I first started playing with DNSSEC I used a 5 minute TTL so
> that when I made mistakes the impact was short.
Yes, keep TTLs sensibly short, and for most (small) sites, 1 hour seems
about right for long-term use. Keep in mind that the TTL on the DS
(delegation signer) records published by the parent zone is out of your
control and is typically longer, so changes to DS records must be made
with great care. At all times, each and every unexpired DS record in some
remote cache must match a corresponding DNSKEY record in your DNSKEY RRset
(whether fresh or cached, obtained from a primary or a slave server). The
upshot is that each DNSKEY record must have been published sufficiently
long before the publication of the corresponding DS record for any older
cached or slaved DNSKEY RRsets to expire, and must not be deleted until
after the corresponding DS record has been deleted and has expired from
all caches.

> Even though all but one of my TLS certificates are signed by a CA, I always
> specify them as Type 3 in the TLSA record, not Type 1, even for https.

That keeps things simpler for verifiers, but note that for SMTP the choice
is between DANE-EE(3) and DANE-TA(2): RFC 7672 (DANE for SMTP) excludes the
PKIX-EE(1) and PKIX-TA(0) usages.

> I now am of the opinion that Type 0/1 TLSA records should be deprecated as
> there is not, at least to me, a real world value to them. But I am not an
> expert in that area.

There can be limited value to them in applications that only accept these
and do not accept DANE-EE(3) or DANE-TA(2).

https://tools.ietf.org/html/rfc7671#section-4

> Myself, I have TLSA records for my two mail servers, both very low volume,
> but I do not yet run postfix in DANE mode. Soon I will start doing that, but
> I'm waiting for increased DANE adoption and watching for issues, like the
> .mil issue that started this thread, before I take that step.

My advice is to stop waiting. The problem domains are few, and for most
people not ones that you're likely to send mail to.
> My DNS servers do DNSSEC validate so I at least get some MITM protection
> even without postfix running in DANE mode.

There are more domains with expired RRSIGs that become unreachable due to
DNSSEC operational issues than domains with TLSA lookup or correctness
issues. The ones with persistent issues are also not "high visibility"
domains that you're liable to ever encounter.

DNSSEC protects you from using the wrong MX hostname, or the wrong IP
address, but not from BGP route or on-path wiretap MiTM attacks that
downgrade STARTTLS or do MiTM TLS (easy since opportunistic TLS for SMTP
cannot enforce certificate verification).

-- 
	Viktor.
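The DS/DNSKEY rule stated in the reply above (every DS record still unexpired in some cache must match a DNSKEY in the child's current RRset) is the step most often botched during a KSK rollover. What follows is an added example for this thread, not code from the original post, from Postfix, or from any tool the poster uses. It computes DS records from DNSKEY RDATA as specified in RFC 4034 section 5.1.4 (digest type 2, SHA-256, per RFC 4509) with the key tag of RFC 4034 Appendix B, and then checks a candidate DNSKEY RRset against the DS records a parent or resolver cache may still hold. The zone name and all public-key bytes are constructed placeholders, not real keys.

```python
"""DS/DNSKEY consistency check for a DNSSEC key rollover.

Added example, not code from the original post. Implements the DS digest
of RFC 4034 section 5.1.4 (digest type 2 = SHA-256, RFC 4509) and the key
tag of RFC 4034 Appendix B, then applies the rule from the post: every DS
that a parent zone or a resolver cache may still hold must match a DNSKEY
in the child's current DNSKEY RRset. Zone name and key bytes below are
constructed for illustration only.
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

DS_DIGEST_SHA256 = 2  # DS digest type 2 = SHA-256 (RFC 4509)


@dataclass(frozen=True)
class DNSKEY:
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int     # 8 = RSASHA256, 13 = ECDSAP256SHA256, ...
    public_key: bytes  # raw public key field (constructed in the demo)
    protocol: int = 3  # always 3 for DNSSEC

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags, protocol, algorithm, public key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += (b << 8) if i % 2 == 0 else b
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

    def presentation(self) -> str:
        """Zone-file form: 'tag alg dtype HEX'."""
        return f"{self.key_tag} {self.algorithm} {self.digest_type} {self.digest.hex().upper()}"


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lower-cased, uncompressed, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_from_dnskey(owner: str, key: DNSKEY, digest_type: int = DS_DIGEST_SHA256) -> DS:
    """DS digest = hash(canonical owner name || DNSKEY RDATA)."""
    if digest_type != DS_DIGEST_SHA256:
        raise ValueError(f"digest type {digest_type} not implemented in this example")
    digest = hashlib.sha256(owner_wire(owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)


def unmatched_ds(owner: str, ds_records: set[DS], dnskeys: set[DNSKEY]) -> set[DS]:
    """DS records that no DNSKEY in `dnskeys` reproduces.

    A resolver still holding such a DS cannot build a chain of trust into
    the zone and SERVFAILs every name in it. Every DNSKEY is considered,
    not only KSKs, since a DS may point at any key in the RRset."""
    digest_types = {d.digest_type for d in ds_records}
    computed = {ds_from_dnskey(owner, k, t) for k in dnskeys for t in digest_types}
    return {d for d in ds_records if d not in computed}


def safe_to_remove(owner: str, key: DNSKEY, cached_ds: set[DS],
                   digest_type: int = DS_DIGEST_SHA256) -> bool:
    """True only once no DS that may still be cached references `key`;
    until then the DNSKEY stays published even after the parent dropped its DS."""
    return ds_from_dnskey(owner, key, digest_type) not in cached_ds


if __name__ == "__main__":
    zone = "example.com."  # constructed zone name
    old_ksk = DNSKEY(257, 13, bytes(range(1, 65)))      # constructed key bytes
    new_ksk = DNSKEY(257, 13, bytes(range(64, 0, -1)))  # constructed key bytes
    zsk = DNSKEY(256, 13, bytes(64))                    # constructed key bytes
    # The parent now serves only the new DS, but the old DS (parent TTL,
    # often far longer than the child's own TTLs) may still sit in caches.
    cached_ds = {ds_from_dnskey(zone, old_ksk), ds_from_dnskey(zone, new_ksk)}
    # The child removed the old KSK too early:
    child_keys = {new_ksk, zsk}
    for d in unmatched_ds(zone, cached_ds, child_keys):
        print("DS with no matching DNSKEY (validation fails until it expires):", d.presentation())
    print("old KSK safe to remove now?", safe_to_remove(zone, old_ksk, cached_ds))
```

In practice, feed `unmatched_ds` the DS RRset as served by the parent plus any DS you published within the parent's DS TTL (which `dig DS example.com` shows), and the DNSKEY RRset you intend to publish; a non-empty result means the rollover step is premature. The reverse direction needs no check: a DNSKEY with no DS (a ZSK, or a new KSK whose DS has not yet been submitted) is harmless.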