DANE/DNSSEC/TLS Testing in the Go6lab - APRICOT 2017
Jan Žorž, Internet Society, zorz@isoc.org
Acknowledgement
I would like to thank the Internet Society for letting me spend some of my ISOC working time in go6lab testing all these new and exciting protocols and mechanisms that make the Internet a bit better and more secure place…
DNSSEC implementation in go6lab
• PowerDNS server (used as primary for non-signed domains) as "hidden" primary DNS server
• OpenDNSSEC platform for signing domains
• BIND9 and PowerDNS servers as secondaries to OpenDNSSEC to serve signed zones
• Virtualization used: PROXMOX 4.4
• OS templates: fedora-20, CentOS 6/7
DNSSEC implementation in go6lab
• "Bump in a wire"
• Two public "primary" servers
• Concept: [diagram]
DNSSEC in go6lab
• That was fairly easy and it works very well.
• Implementation document used, from Matthijs Mekking:
https://go6.si/docs/opendnssec-start-guide-draft.pdf
• Lately we also signed a DNS zone on the "hidden" primary (PowerDNS) directly and made the public-facing DNS servers secondaries to the hidden primary.
• So far, so good...
DANE experiment
• When DNSSEC was set up and functioning we started to experiment with DANE (DNS-based Authentication of Named Entities).
• Requirements:
  – DNSSEC-signed domains
  – Postfix server with TLS support, version > 2.11
• We decided on Postfix 3.0.1 (3.1 nowadays)
DANE
• TLSA record for mx.go6lab.si
_25._tcp.mx.go6lab.si. IN TLSA 3 0 1 B4B7A46F9F0DFEA0151C2E07A5AD7908F4C8B0050E7CC25908DA05E2A84748ED
It's basically a hash (SHA-256, as the "3 0 1" fields say) of the TLS certificate on mx.go6lab.si
More about DANE: http://www.internetsociety.org/deploy360/resources/dane/
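As an added example (not code from the presentation), a small Python helper that parses a TLSA record in the presentation format shown above, rebuilds the `_25._tcp.<host>` owner name that a DANE-aware MTA queries, and computes or checks the "3 0 1" data (SHA-256 over the full DER certificate). The certificate bytes below are a constructed placeholder, not a real certificate, and the one-character change mirrors the malformed-record test later in the deck.

```python
import hashlib
import re

# Presentation-format TLSA RR, e.g.
#   _25._tcp.mx.go6lab.si. IN TLSA 3 0 1 <hex>
# fields: certificate usage, selector, matching type, association data (RFC 6698)
TLSA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:IN\s+)?TLSA\s+"
    r"(?P<usage>\d)\s+(?P<selector>\d)\s+(?P<mtype>\d)\s+(?P<data>[0-9A-Fa-f]+)$"
)


def parse_tlsa(rr_text):
    """Split a presentation-format TLSA RR into its fields (hex data lowercased)."""
    m = TLSA_RE.match(" ".join(rr_text.split()))
    if not m:
        raise ValueError("not a TLSA record: %r" % rr_text)
    return {
        "owner": m["owner"],
        "usage": int(m["usage"]),
        "selector": int(m["selector"]),
        "mtype": int(m["mtype"]),
        "data": m["data"].lower(),
    }


def tlsa_owner(mx_host, port=25, proto="tcp"):
    """Owner name at which the TLSA for an MX host is published: _port._proto.host."""
    return "_%d._%s.%s." % (port, proto, mx_host.rstrip("."))


def certificate_association_data(cert_der, selector, mtype):
    """Association data for selector 0 (full certificate).
    mtype 0 = raw bytes, 1 = SHA-256, 2 = SHA-512.  Selector 1 (SubjectPublicKeyInfo)
    needs DER parsing and is deliberately not handled here."""
    if selector != 0:
        raise NotImplementedError("only selector 0 (full certificate) supported")
    if mtype == 0:
        return cert_der.hex()
    if mtype == 1:
        return hashlib.sha256(cert_der).hexdigest()
    if mtype == 2:
        return hashlib.sha512(cert_der).hexdigest()
    raise ValueError("unknown matching type %d" % mtype)


def make_tlsa(mx_host, cert_der, usage=3, selector=0, mtype=1):
    """Build the record in the form the slide shows (default 3 0 1 = DANE-EE, SHA-256)."""
    data = certificate_association_data(cert_der, selector, mtype).upper()
    return "%s IN TLSA %d %d %d %s" % (tlsa_owner(mx_host), usage, selector, mtype, data)


def tlsa_matches(rr_text, cert_der):
    """True if the presented certificate matches the TLSA record's association data."""
    rr = parse_tlsa(rr_text)
    expected = certificate_association_data(cert_der, rr["selector"], rr["mtype"])
    return rr["data"] == expected


# Constructed stand-in for a DER-encoded certificate (NOT a real certificate).
FAKE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))

SLIDE_RECORD = ("_25._tcp.mx.go6lab.si. IN TLSA 3 0 1 "
                "B4B7A46F9F0DFEA0151C2E07A5AD7908F4C8B0050E7CC25908DA05E2A84748ED")


def demo():
    good = make_tlsa("mx.go6lab.si", FAKE_CERT_DER)
    # one hex character changed, like the deliberately malformed record on a later slide
    bad = good[:-1] + ("0" if good[-1] != "0" else "1")
    return {
        "slide_fields": parse_tlsa(SLIDE_RECORD),
        "good_record": good,
        "good_matches": tlsa_matches(good, FAKE_CERT_DER),
        "bad_matches": tlsa_matches(bad, FAKE_CERT_DER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `data` field of the real record is compared after lowercasing because DNS presentation format is case-insensitive for hex, while `hexdigest()` is lowercase.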
What is DANE and how does it work
[diagram slides]
DANE verification
• mx.go6lab.si was able to verify the TLS cert to the T-2 mail server and nlnet-labs and some others…
mx postfix/smtp[31332]: Verified TLS connection established to smtp-good-in-2.t-2.si[2a01:260:1:4::24]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
dicht postfix/smtp[29540]: Verified TLS connection established to mx.go6lab.si[2001:67c:27e4::23]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Postfix config
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/postfix/ssl/server.pem
smtpd_tls_cert_file = /etc/postfix/ssl/server.pem
smtpd_tls_auth_only = no
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtp_tls_security_level = dane
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1
tls_random_exchange_name = /var/run/prng_exch
tls_random_source = dev:/dev/urandom
tls_smtp_use_tls = yes
1M top Alexa domains and DANE
• We fetched the top 1 million Alexa domains and created a script that sent an email to each of them (test-dnssec-dane@[domain])
• After some tweaking of the script we got some good results
• Then we built a script that parsed the mail log file and here are the results:
Results
• Out of 1 million domains, 992,232 of them had an MX record and a mail server.
• Nearly 70% (687,897) of all attempted SMTP sessions to Alexa top 1 million domains' MX records were encrypted with TLS
• The majority of TLS connections (60%) were established with a trusted certificate
• 1,382 connections where the remote mail server announced TLS capability failed with "Cannot start TLS: handshake failure"
More results
TLS established connections ratios are:
Anonymous: 109,753
Untrusted: 167,063
Trusted: 410,953
Verified: 128
Quick guide: Anonymous (opportunistic TLS with no signature), Untrusted (peer certificate not signed by a trusted CA), Trusted (peer certificate signed by a trusted CA) and Verified (verified with TLSA by DANE).
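The slides do not show the go6lab log-parsing script, so here is an added Python example of the same idea: a parser for Postfix smtp client log lines in the format shown on the earlier slides that tallies the four TLS states, their ratios, the "Cannot start TLS: handshake failure" count, and which remote mail server handled sessions in which state. The log lines it runs on are constructed (hosts under example.invalid); only the first one is copied from the slide.

```python
import re
from collections import Counter

# Postfix smtp client log line, format as on the slides:
#   <host> postfix/smtp[<pid>]: <State> TLS connection established to
#   <server>[<addr>]:<port>: <proto> with cipher <cipher> (<bits>)
TLS_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<state>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established to (?P<server>[^\s\[]+)\[(?P<addr>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
HANDSHAKE_FAIL_RE = re.compile(r"Cannot start TLS: handshake failure")


def parse_tls_line(line):
    """Fields of a 'TLS connection established' line, or None for any other line."""
    m = TLS_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Count TLS states, their percentage share, handshake failures,
    and sessions per (remote server, state)."""
    states = Counter()
    by_server = Counter()
    handshake_failures = 0
    for line in lines:
        rec = parse_tls_line(line)
        if rec is not None:
            states[rec["state"]] += 1
            by_server["%s %s" % (rec["server"], rec["state"])] += 1
        elif HANDSHAKE_FAIL_RE.search(line):
            handshake_failures += 1
    total = sum(states.values())
    ratios = {s: round(100.0 * n / total, 1) for s, n in states.items()} if total else {}
    return {
        "states": dict(states),
        "ratios_percent": ratios,
        "total_tls": total,
        "handshake_failures": handshake_failures,
        "by_server": dict(by_server),
    }


# Constructed sample log; line 1 is the slide's own example, the rest are made up.
SAMPLE_LOG = """\
mx postfix/smtp[31332]: Verified TLS connection established to smtp-good-in-2.t-2.si[2a01:260:1:4::24]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
mx postfix/smtp[31340]: Trusted TLS connection established to mx.example.invalid[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
mx postfix/smtp[31341]: Anonymous TLS connection established to mail.example.invalid[192.0.2.11]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
mx postfix/smtp[31342]: Untrusted TLS connection established to mx2.example.invalid[192.0.2.12]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
mx postfix/smtp[31343]: Trusted TLS connection established to mx.example.invalid[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
mx postfix/smtp[31344]: Cannot start TLS: handshake failure
mx postfix/smtp[31345]: 3A4BE8EE5C: to=<test-dnssec-dane@example.invalid>, relay=none, status=deferred (connect to mx3.example.invalid[192.0.2.13]:25: Connection timed out)
"""


def demo():
    return summarize(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Deferred deliveries (last sample line) are neither a TLS state nor a handshake failure, so they are ignored; on a real 1M-domain run the same parser would be fed the whole mail log, and the "by_server" view is what produces a mail-distribution table like the one that follows.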
DANE Verified
Verified: 128!!!
Mail distribution
Mail Servers       #Domains Handled   TLS State
google.com         125,422            Trusted
secureserver.net   35,759             Some Trusted, some no TLS at all
qq.com             11,254             No TLS
Yandex.ru          9,268              Trusted
Ovh.net            8,531              Most Trusted, with redirect servers having no TLS at all
Emailsrvr.com      8,262              Trusted
Zohomail.com       2,981              Trusted
Lolipop.jp         1,685              No TLS
Kundenserver.de    2,834              Trusted
Gandi.net          2,200              Anonymous
DNSSEC? DANE?
None of these "big" mail servers (and their domains) are DNSSEC signed (that meant no DANE was possible for them up to January 2016).
Malformed TLSA record
• We created a TLSA record with a bad hash (one character changed)
• Postfix failed to verify it and refused to send a message
mx postfix/smtp[1765]: Untrusted TLS connection established to mail-bad.go6lab.si[2001:67c:27e4::beee]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
mx postfix/smtp[1765]: 3A4BE8EE5C: Server certificate not trusted
When do DANE things fail?
• Of course, with a wrong certificate hash in the TLSA record (refuses to send mail)
• If the domain where the MX record resides is not DNSSEC signed (can't trust the data in MX, so no verification)
• If the TLSA record is published in a non-DNSSEC zone (can't trust the data in TLSA, so no verification)
When do things fail? (example)
• go6lab.si zone is signed, so is mx.go6lab.si
• There is a TLSA for mx.go6lab.si, also signed
• Domain signed.si is signed and MX points to mx.go6lab.si
• Domain not-signed.si is not signed and MX points to mx.go6lab.si
• [email protected] and [email protected] (signed.si and not-signed.si are used just as examples)
When do things fail? (example)
[email protected] (signed domain):
Verified TLS connection established to mx.go6lab.si[2001:67c:27e4::23]:25:
[email protected] (not signed domain):
Anonymous TLS connection established to mx.go6lab.si[2001:67c:27e4::23]:25:
When does DANE verification also fail?
• Let's try to point the MX record from the signed domain to an A/AAAA record in the not-signed domain, with a TLSA that is also not signed (obviously) – mail.not-signed.si
• [email protected] when the MX for signed.si points to mail.not-signed.si – DANE verification is not even started, as the chain of trust is broken
Postfix improvements :)
postfix-3.1-20160103/HISTORY: 20160103
Feature: enable DANE policies when an MX host has a secure TLSA DNS record, even if the MX DNS record was obtained with insecure lookups. The existence of a secure TLSA record implies that the host wants to talk TLS and not plaintext. This behavior is controlled with smtp_tls_dane_insecure_mx_policy (default: "dane", other settings: "encrypt" and "may"; the latter is backwards-compatible with earlier Postfix releases). Viktor Dukhovni.
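To make the failure cases of the last few slides and the Postfix 3.1 change concrete, here is an added Python model (written for this page, not Postfix code) of the decision a sending MTA at `smtp_tls_security_level = dane` makes from four DNS facts: whether the MX RRset was DNSSEC-validated, whether a TLSA RRset exists and was validated, and whether the presented certificate matches it. The scenario names reuse the hosts from the slides; the DNS states attached to them are taken from what the slides describe. Only the cases the deck discusses are modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsView:
    """What the sending MTA learned about one MX host (scenario input, constructed)."""
    mx_secure: bool      # recipient domain's MX RRset validated by DNSSEC
    tlsa_present: bool   # a TLSA RRset exists at _25._tcp.<mx host>
    tlsa_secure: bool    # that TLSA RRset validated by DNSSEC
    cert_matches: bool   # the certificate the MX host presents matches a TLSA record


OPPORTUNISTIC = "Anonymous/Untrusted/Trusted (whatever the peer offers)"


def dane_outcome(view, postfix_3_1=True, insecure_mx_policy="dane"):
    """Simplified model of smtp_tls_security_level = dane as described on the slides.
    Returns (effective security level, TLS state as Postfix would log it, delivery action)."""
    if insecure_mx_policy not in ("dane", "encrypt", "may"):
        raise ValueError("unknown smtp_tls_dane_insecure_mx_policy %r" % insecure_mx_policy)

    # No DNSSEC-validated TLSA: DANE does not even start; plain opportunistic TLS.
    if not (view.tlsa_present and view.tlsa_secure):
        return ("may", OPPORTUNISTIC, "deliver, no DANE verification")

    # Secure TLSA, but the MX record itself came from an unsigned zone.
    if not view.mx_secure:
        if not postfix_3_1 or insecure_mx_policy == "may":
            # pre-3.1 behaviour, kept as the "may" setting
            return ("may", OPPORTUNISTIC, "deliver, no DANE verification")
        if insecure_mx_policy == "encrypt":
            return ("encrypt", "Untrusted/Trusted", "deliver only over TLS, no DANE verification")
        # "dane" (3.1 default): a secure TLSA is reason enough to verify against it

    if view.cert_matches:
        return ("dane", "Verified", "deliver")
    return ("dane", "Untrusted", "defer; Postfix refuses to send")


# Scenarios from the slides.
SCENARIOS = {
    "signed.si -> mx.go6lab.si":          DnsView(True, True, True, True),
    "not-signed.si -> mx.go6lab.si":      DnsView(False, True, True, True),
    "signed.si -> mail.not-signed.si":    DnsView(True, True, False, True),
    "mail-bad.go6lab.si (bad TLSA hash)": DnsView(True, True, True, False),
}


def run_all(postfix_3_1=True, insecure_mx_policy="dane"):
    """Logged TLS state per scenario for a given Postfix generation and policy."""
    return {name: dane_outcome(v, postfix_3_1, insecure_mx_policy)[1]
            for name, v in SCENARIOS.items()}


if __name__ == "__main__":
    for label, p31 in (("Postfix < 3.1", False), ("Postfix >= 3.1, policy dane", True)):
        print(label)
        for name, state in run_all(p31).items():
            print("  %-38s %s" % (name, state))
```

The "not-signed.si -> mx.go6lab.si" row is the one the HISTORY entry changes: before 3.1 the unsigned MX lookup switched DANE off entirely (the Anonymous line on the earlier slide); with the 3.1 default the secure TLSA on mx.go6lab.si is honoured and the session is Verified.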
Let's Encrypt, DANE and mail
• Let's Encrypt recommends using '211' and '311' records (usage 2 or 3, selector 1 = public key, matching type 1 = SHA-256)
• Validity of an LE cert is 90 days
• By default the underlying key is changed when renewing
• …so the cert hash also changes
• So, lots of work if you plan to publish 311 TLSA
• Using the '211' method leads to another issue – namely the lack of the DST Root CA X3 certificate in the fullchain.pem file provided by the Let's Encrypt client
• So we need to fetch the DST Root CA X3 certificate and add it to the fullchain.pem file, and verify that it did not change from the previous time we renewed…
Script to add DST Root CA X3
lynx --source https://www.identrust.com/certificates/trustid/root-download-x3.html | grep -v "\/textarea" | awk '/textarea/{x=NR+18;next}(NR<=x){print}' | sed -e '1i-----BEGIN CERTIFICATE-----' | sed -e '$a-----END CERTIFICATE-----' >> /etc/letsencrypt/live/mx.go6lab.si/fullchain.pem
Valid 311 and 211 TLSA records
[screenshot]
But…
• At the next certificate renewal, by default the underlying key will change and the 311 TLSA record will become invalid…
• Labor-wise, we need to keep the underlying key through the renewals
• --csr option in the letsencrypt-auto client
• In the directory "examples" there is a "generate-csr.sh" file (letsencrypt branch)
Stable underlying key…
./generate-csr.sh mx.go6lab.si
Generating a 2048 bit RSA private key
................+++
..+++
writing new private key to 'key.pem'
-----
You can now run: letsencrypt auth --csr csr.der
Renewals and hashes…
• Now we are using the same underlying key for automatic renewals of the certificate, so the hash does not change and the 311 TLSA record works.
• We'll rotate the underlying key when we decide to, driven by human intervention (and also change the TLSA).
• ./certbot-auto certonly --debug --renew-by-default -a standalone --csr ./mx.go6lab.si.der --keep
• Of course, we add the DST Root CA X3 certificate to fullchain.pem
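An added Python example, not part of the presentation, that shows the two points of the last slides in code: why a "3 1 1" record (SHA-256 over the SubjectPublicKeyInfo) survives a renewal only when the key is kept while "3 0 1" (whole certificate) changes every time, and the check the slides ask for after appending a root to fullchain.pem (that the last certificate in the bundle still has the hash pinned earlier). The DER encoder and reader are written for this example only; the certificates it builds have the real X.509 field order but dummy contents and are not valid certificates. The same SPKI hash applied to the issuer certificate is what a "2 1 1" record carries.

```python
import base64
import hashlib
import re


# ---- minimal DER helpers (constructed for this example; not a general ASN.1 library) ----
def der(tag, payload):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload


def seq(*items):
    return der(0x30, b"".join(items))


def integer(i):
    # one extra byte keeps the sign bit clear for positive values, as DER requires
    return der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, pos + 2, pos + 2 + first
    nbytes = first & 0x7F
    start = pos + 2 + nbytes
    return tag, start, start + int.from_bytes(buf[pos + 2:start], "big")


def children(buf):
    """Split a constructed DER element into its child TLVs (byte slices)."""
    _, p, end = read_tlv(buf, 0)
    out = []
    while p < end:
        _, _, e = read_tlv(buf, p)
        out.append(buf[p:e])
        p = e
    return out


def subject_public_key_info(cert_der):
    """Certificate ::= SEQ { tbsCertificate, sigAlg, sig }
    TBSCertificate ::= SEQ { [0] version OPTIONAL, serial, sigAlg, issuer, validity, subject, SPKI, ... }"""
    fields = children(children(cert_der)[0])
    if fields[0][0] == 0xA0:      # explicit [0] version present
        fields = fields[1:]
    return fields[5]


def tlsa_data(cert_der, selector, mtype=1):
    """TLSA association data: selector 0 = whole certificate, 1 = SPKI; mtype 1 = SHA-256, 2 = SHA-512."""
    blob = cert_der if selector == 0 else subject_public_key_info(cert_der)
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(blob).hexdigest()


def pem_certs(pem_text):
    """DER of every certificate in a PEM bundle such as fullchain.pem."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode(b) for b in blocks]


def chain_root_unchanged(pem_text, pinned_sha256_hex):
    """Post-renewal check: the last certificate in the bundle (the appended root) still matches the pin."""
    return hashlib.sha256(pem_certs(pem_text)[-1]).hexdigest() == pinned_sha256_hex


# ---- constructed fake certificates: real field order, dummy contents ----
RSA_OID = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
SHA256_RSA_OID = der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")


def fake_spki(seed):
    return seq(seq(RSA_OID, der(0x05, b"")), der(0x03, b"\x00" + bytes([seed]) * 64))


def fake_cert(serial, spki, cn=b"mx.go6lab.si"):
    name = seq(der(0x31, seq(der(0x06, b"\x55\x04\x03"), der(0x0c, cn))))
    validity = seq(der(0x17, b"170101000000Z"), der(0x17, b"170401000000Z"))
    tbs = seq(der(0xA0, integer(2)), integer(serial), seq(SHA256_RSA_OID), name, validity, name, spki)
    return seq(tbs, seq(SHA256_RSA_OID), der(0x03, b"\x00" + b"\x42" * 32))


def to_pem(cert_der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert_der).decode() + "-----END CERTIFICATE-----\n"


KEY_A, KEY_B = fake_spki(0xA1), fake_spki(0xB2)


def renewal_effect(keep_key):
    """Renew (new serial) either keeping the key, as with --csr and a fixed key, or not."""
    before, after = fake_cert(1001, KEY_A), fake_cert(1002, KEY_A if keep_key else KEY_B)
    return {"301_stable": tlsa_data(before, 0) == tlsa_data(after, 0),
            "311_stable": tlsa_data(before, 1) == tlsa_data(after, 1)}


def root_check_demo():
    """(bundle with the pinned root, bundle whose root was swapped) -> (True, False)."""
    root = fake_cert(1, fake_spki(0xC3), cn=b"Fake Root CA")
    pinned = hashlib.sha256(root).hexdigest()
    leaf = to_pem(fake_cert(1002, KEY_A))
    swapped_root = to_pem(fake_cert(2, fake_spki(0xD4), cn=b"Other Root"))
    return chain_root_unchanged(leaf + to_pem(root), pinned), chain_root_unchanged(leaf + swapped_root, pinned)


if __name__ == "__main__":
    print("key kept:   ", renewal_effect(True))
    print("key rotated:", renewal_effect(False))
    print("root check: ", root_check_demo())
```

With a real chain you would feed `tlsa_data()` the DER from `fullchain.pem` instead of `fake_cert()`; everything else stays the same, which is the point of selector 1: the TLSA only needs republishing when a human rotates the key.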
More reading:
http://www.internetsociety.org/deploy360/blog/2016/01/lets-encrypt-certificates-for-mail-servers-and-dane-part-1-of-2/
http://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/