DANE with own CA


DANE with own CA

Lefteris Tsintjelis
Hi, I already have a working DNSSEC with my own CA. Can I use DANE with
postfix or do I need a certificate from a known CA in order to do that?



Re: DANE with own CA

Ralph Seichter-2
* Lefteris Tsintjelis:

> Can I use DANE with postfix or do I need a certificate from a known CA
> in order to do that?

With DNSSEC in place, you can simply add the DNS records based on your
own CA's data. No need for certificates from a "well known" CA.

-Ralph

P.S.: I recommend https://dane.sys4.de for testing.

Re: DANE with own CA

Lefteris Tsintjelis
On 14/6/2019 14:39, Ralph Seichter wrote:

> * Lefteris Tsintjelis:
>
>> Can I use DANE with postfix or do I need a certificate from a known CA
>> in order to do that?
>
> With DNSSEC in place, you can simply add the DNS records based on your
> own CA's data. No need for certificates from a "well known" CA.
>
> -Ralph
>
> P.S.: I recommend https://dane.sys4.de for testing.
Will do, thank you. This is really very interesting. This seems to be a
very good and secure alternative to "well known" CAs!



Re: DANE with own CA

Lefteris Tsintjelis
In reply to this post by Ralph Seichter-2
On 14/6/2019 14:39, Ralph Seichter wrote:

> * Lefteris Tsintjelis:
>
>> Can I use DANE with postfix or do I need a certificate from a known CA
>> in order to do that?
>
> With DNSSEC in place, you can simply add the DNS records based on your
> own CA's data. No need for certificates from a "well known" CA.
>
> -Ralph
>
> P.S.: I recommend https://dane.sys4.de for testing.
Is it certain that non "well known" CAs can be used? The above site does
not validate correctly. It checks DNSSEC and TLSA correctly but comes
with an SMTP error "self signed certificate in certificate chain"



Re: DANE with own CA

Lefteris Tsintjelis
On 14/6/2019 16:05, Lefteris Tsintjelis wrote:

> On 14/6/2019 14:39, Ralph Seichter wrote:
>> * Lefteris Tsintjelis:
>>
>>> Can I use DANE with postfix or do I need a certificate from a known CA
>>> in order to do that?
>>
>> With DNSSEC in place, you can simply add the DNS records based on your
>> own CA's data. No need for certificates from a "well known" CA.
>>
>> -Ralph
>>
>> P.S.: I recommend https://dane.sys4.de for testing.
>
> Is it certain that non "well known" CAs can be used? The above site does
> not validate correctly. It checks DNSSEC and TLSA correctly but comes
> with an SMTP error "self signed certificate in certificate chain"
Seems to work really great even with self signed certs and CAs and not
just for SMTP. It really brings control down to the end user. One note
though, some sites claim the DNS record can be created from the private
key or the public certificate but it does not appear to work the same.
Best to create the DNS record from the public certificate.



Re: DANE with own CA

Viktor Dukhovni
In reply to this post by Lefteris Tsintjelis
On Fri, Jun 14, 2019 at 04:05:27PM +0300, Lefteris Tsintjelis wrote:

> Is it certain that non "well known" CAs can be used? The above site does
> not validate correctly. It checks DNSSEC and TLSA correctly but comes
> with an SMTP error "self signed certificate in certificate chain"

The use of private CAs with certificate usage DANE-TA(2) is specified
for SMTP and supported in Postfix, Exim, ...  See:

    https://tools.ietf.org/html/rfc7671#section-5.2

The trust-anchor CA certificate MUST be included in your certificate
chain configuration for transmission to the SMTP client.

Also see:

    https://tools.ietf.org/html/rfc7671#section-8.1
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://github.com/danefail/list/issues/47#issuecomment-456623996

And talk slides/video at:

    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

where I also discuss "2 1 1 + 3 1 1" key rotation.

--
        Viktor.

Re: DANE with own CA

Viktor Dukhovni
In reply to this post by Lefteris Tsintjelis
On Fri, Jun 14, 2019 at 06:22:55PM +0300, Lefteris Tsintjelis wrote:

> One note though, some sites claim the DNS record can be created from
> the private key

Make that the *public* key.

> or the public certificate but it does not appear to work the same.

The public key gets "3 1 1" (assuming SHA2-256) records, while the
full certificate gets "3 0 1" records.  So they're not the same.

> Best to create the DNS record from the public certificate.

No, actually, best to create from the public key.

    https://github.com/danefail/list/issues/47#issuecomment-456623996

--
        Viktor.

Re: DANE with own CA

Lefteris Tsintjelis
On 14/6/2019 21:20, Viktor Dukhovni wrote:
> On Fri, Jun 14, 2019 at 06:22:55PM +0300, Lefteris Tsintjelis wrote:
>
>> Best to create the DNS record from the public certificate.
>
> No, actually, best to create from the public key.
>
>      https://github.com/danefail/list/issues/47#issuecomment-456623996

Yes, thank you Viktor, exactly like that. 3 1 1 is the best way to do
it. No need for any "known CAs" with this method.

Is there a way to check from logs or headers if DANE was used
(un)successfully and possibly monitor the method as well?



Re: DANE with own CA

Benny Pedersen-2
Lefteris Tsintjelis wrote on 2019-06-14 20:54:

> Is there a way to check from logs or headers if DANE was used
> (un)successfully and possibly monitor the method as well?

grep Verified in logs

Re: DANE with own CA

Lefteris Tsintjelis
On 14/6/2019 22:15, Benny Pedersen wrote:
> Lefteris Tsintjelis wrote on 2019-06-14 20:54:
>
>> Is there a way to check from logs or headers if DANE was used
>> (un)successfully and possibly monitor the method as well?
>
> grep Verified in logs

This could very well be from the "known" CAs



Re: DANE with own CA

Benny Pedersen-2
Lefteris Tsintjelis wrote on 2019-06-14 21:18:
> On 14/6/2019 22:15, Benny Pedersen wrote:
>> Lefteris Tsintjelis wrote on 2019-06-14 20:54:
>>
>>> Is there a way to check from logs or headers if DANE was used
>>> (un)successfully and possibly monitor the method as well?
>>
>> grep Verified in logs
>
> This could very well be from the "known" CAs

Indeed yes, but why is it a problem?

IMHO if you want to untrust known CAs, please do, it's not really a
DANE problem.

Correct me if it's not true, still like to learn.

Re: DANE with own CA

Viktor Dukhovni
In reply to this post by Lefteris Tsintjelis
On Fri, Jun 14, 2019 at 10:18:43PM +0300, Lefteris Tsintjelis wrote:

> >> Is there a way to check from logs or headers if DANE was used
> >> (un)successfully and possibly monitor the method as well?
> >
> > grep Verified in logs
>
> This could very well be from the "known" CAs

Actually, no.  You'd need to have the destination security level
configured for "secure" or "verify" for that.  Otherwise, it
would be at most "Trusted".

    http://www.postfix.org/FORWARD_SECRECY_README.html#status

--
        Viktor.

Re: DANE with own CA

Lefteris Tsintjelis
In reply to this post by Benny Pedersen-2
On 14/6/2019 22:34, Benny Pedersen wrote:

> Lefteris Tsintjelis wrote on 2019-06-14 21:18:
>> On 14/6/2019 22:15, Benny Pedersen wrote:
>>> Lefteris Tsintjelis wrote on 2019-06-14 20:54:
>>>
>>>> Is there a way to check from logs or headers if DANE was used
>>>> (un)successfully and possibly monitor the method as well?
>>>
>>> grep Verified in logs
>>
>> This could very well be from the "known" CAs
>
> Indeed yes, but why is it a problem?
>
> IMHO if you want to untrust known CAs, please do, it's not really a
> DANE problem.
>
> Correct me if it's not true, still like to learn.
No, it is not a problem, it is only for statistical purposes, so someone
could distinguish usage between "known CAs" and DANE ones and possibly
even further troubleshoot problems in case of misconfiguration.



Re: DANE with own CA

Lefteris Tsintjelis
In reply to this post by Viktor Dukhovni
On 14/6/2019 21:18, Viktor Dukhovni wrote:
>
> The use of private CAs with certificate usage DANE-TA(2) is specified
> for SMTP and supported in Postfix, Exim, ...  See:
>
>     https://tools.ietf.org/html/rfc7671#section-5.2
>
> The trust-anchor CA certificate MUST be included in your certificate
> chain configuration for transmission to the SMTP client.

Should all the chain certificates be included, CA root and CA
intermediate for example, as 2 1 1? I believe I saw somewhere that one
of them should be enough(?).

I have used CNAME to point to TLSA and https://dane.sys4.de/ seems to
verify everything correctly. I am not certain though about how RFC
"friendly" it is to use CNAME to point to TLSA records. Can it be done safely?

Really great and very informative DNSSEC and DANE links. Too bad all
this is mostly for SMTP for now. It would have been really great to
adopt DANE to more services but that could have very negative impact to
the "well knowns" CAs.

Lefteris

Re: DANE with own CA

Viktor Dukhovni
On Mon, Jun 17, 2019 at 05:33:16AM +0300, Lefteris Tsintjelis wrote:

> > The trust-anchor CA certificate MUST be included in your certificate
> > chain configuration for transmission to the SMTP client.
>
> Should all the chain certificates be included, CA root and CA
> intermediate for example, as 2 1 1? I believe I saw somewhere that one
> of them should be enough(?).

You publish "2 1 1" records for the CA(s) you actually trust, which
is often an intermediate CA, rather than its issuing root CA.  Whichever
CA that is, the corresponding certificate must be part of the configured
certificate chain transmitted to the TLS (SMTP in this case) client.

> I have used CNAME to point to TLSA and https://dane.sys4.de/ seems to
> verify everything correctly. I am not certain though about how RFC
> "friendly" it is to use CNAME to point to TLSA records. Can it be done safely?

Yes.

> > Also see:
> >
> >     https://tools.ietf.org/html/rfc7671#section-8.1
> >     https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
> >     https://github.com/danefail/list/issues/47#issuecomment-456623996
> >
> > And talk slides/video at:
> >
> >     https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
> >
> > where I also discuss "2 1 1 + 3 1 1" key rotation.
>
> Really great and very informative DNSSEC and DANE links.

Thanks, spread the word...

> It would have been really great to
> adopt DANE to more services but that could have very negative impact to
> the "well knowns" CAs.

All in good time, the browser vendors (Google Chrome, Mozilla
Firefox, ...) are not ready yet.

--
        Viktor.
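As an added illustration of Viktor's two points in this thread (a "3 1 1" record hashes the public key while "3 0 1" hashes the whole certificate, and "2 1 1" is published for the CA you actually trust), the following example is not from the thread or from Postfix: it derives TLSA RDATA from a DER certificate with a minimal DER walker and shows that the SPKI-based "3 1 1" record survives a renewal that keeps the key pair, while a "3 0 1" record does not. The certificate is a constructed, X.509-shaped blob built inside the block (dummy OIDs, empty names, fake signature), not a real certificate; with a real one you would feed its DER bytes in, and for usage 2 you would feed in the CA certificate.

```python
import hashlib
RSA_OID, SHA256_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01", b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short and long-form lengths)."""
    if len(body) < 128:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_tlv_at(buf: bytes, i: int):
    """Return (whole TLV, content, index after it) for the TLV starting at buf[i]."""
    length, start = buf[i + 1], i + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    return buf[i:start + length], buf[start:start + length], start + length

def der_children(tlv: bytes) -> list:
    """Split a constructed DER value into its child TLVs."""
    _, body, _ = der_tlv_at(tlv, 0)
    kids, i = [], 0
    while i < len(body):
        kid, _, i = der_tlv_at(body, i)
        kids.append(kid)
    return kids

def spki_from_cert(cert_der: bytes) -> bytes:
    """SubjectPublicKeyInfo = 6th TBSCertificate field after the optional [0] version."""
    fields = der_children(der_children(cert_der)[0])
    if fields[0][0] == 0xA0:                # EXPLICIT [0] version present
        fields = fields[1:]
    return fields[5]                        # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_rdata(cert_der: bytes, usage: int, selector: int) -> str:
    """'<usage> <selector> 1 <hex>': selector 0 hashes the whole cert, 1 the SPKI (SHA-256)."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    return f"{usage} {selector} 1 {hashlib.sha256(data).hexdigest()}"

def fake_cert(serial: int, spki: bytes) -> bytes:
    """Constructed X.509-shaped DER with empty names and a dummy signature; not a real cert."""
    alg = der(0x30, der(0x06, SHA256_RSA_OID) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"190614000000Z") + der(0x17, b"200614000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial.to_bytes(2, "big"))
              + alg + der(0x30, b"") + validity + der(0x30, b"") + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\xaa" * 16))

# One constructed key pair reused across a renewal: the old and new certs share this SPKI.
SPKI = der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" + bytes(range(32))))
OLD_CERT, NEW_CERT = fake_cert(1, SPKI), fake_cert(2, SPKI)

def survives_renewal(selector: int) -> bool:
    """Does the record published for OLD_CERT still match NEW_CERT?"""
    return tlsa_rdata(OLD_CERT, 3, selector) == tlsa_rdata(NEW_CERT, 3, selector)
```

With a real PEM certificate, decode the base64 body to DER first; `survives_renewal(1)` is True and `survives_renewal(0)` is False, which is why a "3 1 1" record does not need updating every time the certificate is reissued for the same key.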