On Wed, Nov 11, 2015 at 09:28:56AM +0000, Mike Cardwell wrote:

> I wrote an overview of how it works a while ago on my blog which a few
> people have told me helped with their understanding:
> 
> https://grepular.com/Understanding_DNSSEC

Thanks for publishing!  A couple of the items are a bit dated since
you originally wrote them.  Quote:

    I have published a fingerprint of the SSL certificate used on
    this website in the DNS, following the latest draft revision
    of the DANE protocol. So not only is my SSL certificate signed
    by a CA, it is also signed by my own DNSSEC key. So in other
    words, if a CA is compromised, and they generate an SSL
    certificate for grepular.com, browsers with DANE capability
    will know that the certificate isn't to be trusted:

    mike@alfa:~$ dig +short TYPE65468 _443._tcp.grepular.com
    \# 35 010101CA046E204044FDD508DCB096FED9881A052061ABCD29D915C8 8712A818F283E7

The DANE protocol is now RFC 6698 (updated by RFC 7671).  The TLSA
record has been assigned TYPE52, but many implementations now
support the more mnemonic "TLSA" and decode the fields:

    $ dig +short -t TLSA _443._tcp.grepular.com
    3 1 1 B39239C1783106ACC139ECC5BFFAF121390DAA204981017D18DEC59E B0B4610B
    3 1 1 18D478853B81505D7EDA84D6147408CA0DCDF80B5A38E7D40FBF9242 8E78BB0D

Connections to the server show that you're now a "Let's Encrypt"
early adopter, with the second of the TLSA records above matching
your server certificate:

    ;; subject= /CN=grepular.com
    ;; issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
    ;; notBefore=Nov  4 19:43:00 2015 GMT
    ;; notAfter=Feb  2 19:43:00 2016 GMT
    ;;
    _443._tcp.grepular.com. IN TLSA 3 1 1 18D478853B81505D7EDA84D6147408CA0DCDF80B5A38E7D40FBF92428E78BB0D

You could also or instead publish "2 0 1" binding to the LE
intermediate CA, and only have to update the DNS when the intermediate
CA certificate changes.

    ;; subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
    ;; issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
    ;; notBefore=Oct 19 22:33:36 2015 GMT
    ;; notAfter=Oct 19 22:33:36 2020 GMT
    ;;
    _443._tcp.grepular.com. IN TLSA 2 0 1 7FDCE3BF4103C2684B3ADBB5792884BD45C75094C217788863950346F79C90A3

Your server does not send the root CA cert, so a "2 0 1" binding
for that is not at present an option.

Quote:

        No browsers support this capability natively yet, as the
        specification is still going through the standards process.
        However, there is a Firefox addon. There is a similar piece
        of technology in Google Chrome called DNSSEC Stapled
        Certificates, but it's not backwards compatible with CA
        signed certificates unfortunately.

The spec has been complete since 2012, but no major browsers are
likely to move to adopt it in the near term.  DANE adoption is
largely limited to server-to-server SMTP and XMPP.

Quote:

        Nope. So any domain ending ".ru" can not use DNSSEC.

The ".ru" domain is now signed.  Any chance you're willing to
refresh the document to bring it up to date?

The examples use algorithm "5" (RSASHA1) which is now dated, most
sites should use "8" (RSASHA256) these days.  Also most BIND sites
should probably use "auto-dnssec maintain", ...

So the document in its current form is a bit too old to be immediately
useful.

-- 
        Viktor.

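An added example, not part of the message above or of any project's code: a small Python parser for the two `dig` output forms quoted in the message (the generic RFC 3597 `\# 35 ...` form and the decoded `3 1 1 ...` form) that names the fields with the RFC 7218 mnemonics and checks a record against certificate data. The function names are illustrative, and `cert_der` / `spki_der` are assumed to be DER bytes the caller has already extracted from the presented chain.

```python
import hashlib

# Field mnemonics from RFC 7218 for the RFC 6698 numeric values.
USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR = {0: "Cert", 1: "SPKI"}
MTYPE = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
DIGEST = {1: hashlib.sha256, 2: hashlib.sha512}

def parse_tlsa(rdata):
    """Parse one TLSA RDATA string as printed by dig: decoded
    ("3 1 1 <hex>") or RFC 3597 generic ("\\# <len> <hex>")."""
    tokens = rdata.split()
    if tokens[0] == "\\#":
        raw = bytes.fromhex("".join(tokens[2:]))
        if len(raw) != int(tokens[1]) or len(raw) < 4:
            raise ValueError("RDATA length mismatch")
        usage, selector, mtype, data = raw[0], raw[1], raw[2], raw[3:]
    else:
        usage, selector, mtype = (int(t) for t in tokens[:3])
        data = bytes.fromhex("".join(tokens[3:]))  # dig splits long hex
    if usage not in USAGE or selector not in SELECTOR or mtype not in MTYPE:
        raise ValueError("unassigned TLSA field value")
    if mtype in DIGEST and len(data) != DIGEST[mtype]().digest_size:
        raise ValueError("digest length does not fit matching type")
    return usage, selector, mtype, data

def describe(rdata):
    usage, selector, mtype, _ = parse_tlsa(rdata)
    return f"{USAGE[usage]} {SELECTOR[selector]} {MTYPE[mtype]}"

def association_data(selector, mtype, cert_der, spki_der):
    """Bytes a record with this selector/matching type should carry."""
    selected = cert_der if selector == 0 else spki_der
    return selected if mtype == 0 else DIGEST[mtype](selected).digest()

def matches(rdata, cert_der, spki_der):
    _, selector, mtype, data = parse_tlsa(rdata)
    return association_data(selector, mtype, cert_der, spki_der) == data

# Records copied from the message above.
LEGACY = r"\# 35 010101CA046E204044FDD508DCB096FED9881A052061ABCD29D915C8 8712A818F283E7"
CURRENT = "3 1 1 18D478853B81505D7EDA84D6147408CA0DCDF80B5A38E7D40FBF9242 8E78BB0D"
TA = "2 0 1 7FDCE3BF4103C2684B3ADBB5792884BD45C75094C217788863950346F79C90A3"

if __name__ == "__main__":
    for record in (LEGACY, CURRENT, TA):
        print(describe(record))
```

The generic-form record from the old blog post decodes to usage 1 (PKIX-EE), so it still required CA validation, unlike the `3 1 1` records published now.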