Hi,

If you'd like to point DANE at your postfix server, today might be a good day to look into it. If not, please ignore the rest of this post. And apologies if this is all old news to you.
If you use Debian stable and ISC Bind, it has just become really really easy to implement DNSSEC for your domain(s). Debian-11 has just been released, and it has bind-9.16.15 which has brilliant support for automatic DNSSEC signing, including key rollovers. But Hardware Security Module (HSM) users still need to keep doing what they're doing.

If you don't mind having a key that lasts "forever", you only need one(!) extra line in Bind's zone config, and one(!) manual interaction with your domain registrar. And you can just initiate a manual key rollover if it ever gets compromised, or whenever it suits you. Regular key rollovers only require a few more lines of config and (e.g.) annual interactions with your domain registrar (until TLDs implement automatic goodness).

BUT BE WARNED: Do not put your dnssec-policy directive in the options {} stanza, to apply to all zones, or it will immediately go horribly wrong (i.e. crash crash crash panic cleanup rollback large whisky). Put dnssec-policy directives in zone {} stanzas only, and it behaves beautifully.

I've started the process and am waiting for Bind to indicate that the time is right to inform my registrar. Once DNSSEC is sorted, DANE should be relatively easy. :-) (unless you use LetsEncrypt)

Here's some further reading for those who are interested:

https://bind9.readthedocs.io/en/v9_16_15/dnssec-guide.html
https://tools.ietf.org/html/rfc7671 (DANE) (Proposed Standard)
https://weberblog.net/how-to-use-danetlsa/
https://www.huque.com/bin/gen_tlsa
https://blog.tyk.nu/blog/generating-tlsa-records-with-openssl/
http://www.postfix.org/postfix-tls.1.html (See output-server-tlsa)
https://imrryr.org/~viktor/ICANN61-viktor.pdf
https://imrryr.org/~viktor/ICANN61-viktor.mp3
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
https://www.internetsociety.org/blog/2016/01/lets-encrypt-certificates-for-mail-servers-and-dane-part-1-of-2/
https://www.internetsociety.org/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/

The above uses letsencrypt-auto rather than certbot, but the ideas are important if you use LetsEncrypt.

https://blog.hansenpartnership.com/using-letsencrypt-certificates-with-dane/

LetsEncrypt (or rather certbot) doesn't play super-well with DANE (for the way I want to do it - TLSA 3 1 1 records only, not TLSA 2 1 1 records). There are several old threads on community.letsencrypt.org about DANE but I didn't find very clear actual instructions, but it's still very useful to read. The last URL above (I think) gives the best approach for my preference.

Because I had an existing LetsEncrypt certificate via certbot, I wanted to keep using it, so (I think) I've told it to keep the same private key every time it renews (--reuse-key / reuse_key = True). But that's only OK if you are happy to keep the same private key forever, which would be bad. I don't know how to combine --reuse-key with annual key rollovers that are certbot-compatible. I'm not actually sure it's possible.

I only want to use TLSA 3 1 1 records (because 2 1 1 ones seem too fiddly for me), so I think that I really need to change to creating my own private keys outside certbot, and using certbot's --csr option to get LetsEncrypt to certify them. That way, I can have multiple private keys in existence at the same time, and create TLSA records for each of them (i.e. current and next), and roll over to the next one on my own schedule. But it means that certbot can't automate the renewal of the certificates. And I need to cron that separately. I need to learn more about certbot.

If anyone has recent experience with certbot and TLSA 3 1 1 records, I'd appreciate any advice. Maybe I'll ask on community.letsencrypt.org. Without LetsEncrypt, this would be so much easier, but I want certbot and DANE to play nice together. I'm not giving up yet. :-)

It's tempting to think it would be OK to use LetsEncrypt/certbot for the web, and handle mail separately, but the TLS certificate used for mail submission ports 465/587 should be CA-approved to keep (non-DANE aware) mail submission agents happy, and postfix uses the same certificate for all ports (25/465/587). So I want using certbot for DANE to be easy.

cheers,
raf

P.S. Apologies if this is too off-topic, but I thought it might be useful to the debian+stable+bind+dnssec+dane loving subset of the postfix audience.
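As an added example (not part of the post above, and not raf's config), this is the zone-level dnssec-policy usage the post describes, in the form the BIND 9.16 DNSSEC guide documents. The zone name and file path are placeholders.

```conf
// Added example: a zone stanza with automatic DNSSEC signing in BIND 9.16.
// "example.net" and the file path are placeholders, not taken from the post.
zone "example.net" {
    type primary;
    file "/var/cache/bind/example.net.db";
    // The one extra line: the built-in "default" policy (a single combined
    // signing key with no scheduled rollover, re-signed automatically).
    dnssec-policy default;
    // In 9.16 a non-dynamic zone also needs inline signing, so the unsigned
    // zone file on disk stays exactly as you wrote it.
    inline-signing yes;
};
```

`rndc dnssec -status example.net` then reports the key and DS states, which is how BIND signals that the DS record is ready to be handed to the registrar; `dnssec-dsfromkey` can derive that DS record from the published DNSKEY.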
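The key-outside-certbot approach the post is heading towards (private keys generated locally, TLSA 3 1 1 records published for both the current and the next key, then the CSR handed to the CA) is what this added shell example walks through. It is not from the post and not raf's script; it assumes openssl(1) is installed, the hostname and paths are placeholders, and the certificate is self-signed here only to stand in for the one a CA would issue against the CSR, since a DANE-EE(3) SPKI(1) SHA-256(1) record depends only on the key pair, not on who signed it.

```shell
#!/bin/sh
# Added example, not from the original post. Requires openssl(1).
# A "3 1 1" TLSA record carries SHA-256 over the DER SubjectPublicKeyInfo,
# so it can be published before the CA has issued anything and survives
# every renewal that reuses the same key.
set -eu

# SHA-256 (hex) of the DER SubjectPublicKeyInfo derived from a private key file.
tlsa311_of_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | sed 's/^.*= //'
}

# The same digest taken from a certificate; it must equal the key's digest
# if the certificate really certifies that key.
tlsa311_of_cert() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/^.*= //'
}

# Render one DANE-EE SPKI SHA-256 record: tlsa_record OWNER HEXDIGEST
tlsa_record() {
    printf '%s. IN TLSA 3 1 1 %s\n' "$1" "$2"
}

# Generate a fresh P-256 key (placeholder choice; any TLS key type works).
new_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1" 2>/dev/null
}

# One rollover cycle: current key in service, next key pre-published.
main() {
    host=${1:-mail.example.net}            # placeholder hostname
    dir=$(mktemp -d)
    trap 'rm -rf "$dir"' EXIT

    new_key "$dir/current.key"
    new_key "$dir/next.key"

    # CSR for the current key; with certbot this is what --csr would submit.
    openssl req -new -key "$dir/current.key" -subj "/CN=$host" -out "$dir/current.csr"
    # Stand-in for the CA-issued certificate (self-signed only so that the
    # example runs offline); the SPKI it carries is the same either way.
    openssl x509 -req -in "$dir/current.csr" -signkey "$dir/current.key" \
        -days 1 -out "$dir/current.crt" 2>/dev/null

    cur=$(tlsa311_of_key "$dir/current.key")
    nxt=$(tlsa311_of_key "$dir/next.key")
    crt=$(tlsa311_of_cert "$dir/current.crt")

    # Refuse to publish if the certificate does not match the key we expect.
    [ "$cur" = "$crt" ] || { echo "certificate SPKI does not match current.key" >&2; exit 1; }

    echo "# publish both; keep both until the next key is serving on all ports"
    # Port 25 is what DANE-aware MTAs check; 465/587 share the certificate,
    # so the same digest applies if you want records there too.
    for port in 25 465 587; do
        tlsa_record "_${port}._tcp.$host" "$cur"
        tlsa_record "_${port}._tcp.$host" "$nxt"
    done
    echo "# after switching postfix to next.key: drop the old record, make a new next key, repeat"
}

main "$@"
```

The check between the key's digest and the certificate's digest is the one worth keeping in any renewal cron job: if certbot ever hands back a certificate for a key other than the one whose TLSA record is live, that comparison fails before anything is deployed.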