I have managed to get DNSSEC set up for most of my domains.
This may help if you are looking to get DNSSEC set up: https://www.icann.org/resources/pages/deployment-2012-02-25-en
And I would like to set a TLSA record for the OTHER domains that I have in MIAB, as box.domain.name already has a TLSA record, but all the additional domains added to MIAB
Am I right that the reason DNS TLSA RRs for secondary domains are not implemented is that the Let’s Encrypt certs change every 90 days, and there would have to be a mechanism built in to renew the DNS TLSA RR every 90 days as well?
Could someone explain to me HOW I could manually add the TLSA record for the secondary domain onto the MIAB install please?
(I know I may have to regenerate the DNS TLSA RR when the Let’s Encrypt certs are renewed.)
Fair point, but if I wanted to have TLSA records for secondary … domains, can I create them myself?
Could someone point me in the right direction on how to generate and store the record on MIAB?
I tried this and, as expected, it failed on the secondary domains:
ldns-dane verify box.domain.name 443
ldns-dane verify myname.domain 443
And got this for box.domain.name:
15.2.15.3 dane-validated successfully
2a01:1:1:1::11 dane-validated successfully
And this for the secondary domain:
Warning! No TLSA records for _443._tcp.myname.domain. were found.
PKIX validation without DANE will be performed.
15.2.15.3 did not dane-validate, because: Could not PKIX validate
2a01:1:1:1::11 did not dane-validate, because: Could not PKIX validate
So is it as simple as executing this? I do not want to break the box.
ldns-dane create domain.name 443 3 0 2
Oh sorry, you’re talking about TLSA records for HTTPS, rather than for SMTP. Well, yes, they would need to be updated whenever the TLS certificate changes, which with Let’s Encrypt would be every few months. But the reason we don’t create them is that no web browser checks them.
I don’t think the box will let you set it, but if you manage to set it correctly, it’s fine; it won’t interfere with anything.
Yes, I am talking about DNS TLSA RRs for HTTPS, as per my previous post over here.
You are right that at the moment browsers do not check it, but there is an add-on, “DNSSEC/TLSA Validator” (not currently working on Firefox v57+; Internet Explorer (IE), Mozilla Firefox (MF), Google Chrome/Chromium (GC), Opera (OP) and Apple Safari (AS) are supported), that will check both the DNSSEC and TLSA records of the domain you are viewing in your web browser.
So when I run System → Status Checks, I am notified with the message:
“This domain’s DNSSEC DS record is not set. The DS record is optional. The DS record activates DNSSEC. To set a DS record, you must follow the instructions provided by your domain name registrar”.
I know this is optional, but if you have the option to set DNSSEC for all the domain names added to MIAB, would it make sense, since the DNS TLSA RR for HTTPS is here, to implement it in MIAB as well, as an optional extra?
Would it need a lot of work to implement the DNS TLSA RR for HTTPS in the System → Status Checks page?
Or would it be possible to make it available in the Custom DNS section as a “TLSA” type alongside A, AAAA, CAA, CNAME, TXT, MX, SRV, SSHFP and NS for those who would like to set it up?
If it is not feasible, can someone at least help me to implement it correctly in my set-up for HTTPS please?
It is more work to implement and maintain than I have time for.
I’ll be happy to accept a pull request that adds it, but only if it includes good validation of the user input (otherwise with invalid input the DNS server will stop working).
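As an added example (not MIAB code, and not from anyone in this thread), the following stdlib-only Python builds the `3 0 2` record that the `ldns-dane create domain.name 443 3 0 2` command above would produce from a certificate's DER bytes, and validates a user-typed TLSA value the way a Custom DNS "TLSA" type would need to before the record reaches the DNS server. The certificate bytes are a constructed stand-in, not a real certificate, and selector 1 (SPKI) is deliberately left out.

```python
import base64
import hashlib
import re

# Parameter registries from RFC 6698 / RFC 7218: value -> mnemonic, or (digest algorithm, digest size)
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING = {0: (None, None), 1: ("sha256", 32), 2: ("sha512", 64)}

# Constructed stand-in for a DER-encoded certificate; NOT a real X.509 certificate.
SAMPLE_DER = bytes(range(256))
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(SAMPLE_DER).decode()

def pem_to_der(pem: str) -> bytes:
    """Extract the first certificate from PEM text (e.g. an ssl_certificate.pem) as DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def tlsa_rdata(der: bytes, usage: int = 3, selector: int = 0, mtype: int = 2) -> str:
    """Return 'usage selector mtype hex' over the full certificate (selector 0 only)."""
    if usage not in USAGES or selector != 0 or mtype not in MATCHING:
        raise ValueError("unsupported TLSA parameters (only selector 0 is handled here)")
    algo = MATCHING[mtype][0]
    data = der if algo is None else hashlib.new(algo, der).digest()
    return f"{usage} {selector} {mtype} {data.hex()}"

def tlsa_record(host: str, port: int, der: bytes, proto: str = "tcp", **params) -> str:
    """Zone-file line such as '_443._tcp.domain.name. IN TLSA 3 0 2 <hex>'."""
    return f"_{port}._{proto}.{host.rstrip('.')}. IN TLSA {tlsa_rdata(der, **params)}"

def check_tlsa_input(text: str) -> str:
    """Validate user-supplied 'usage selector mtype hexdata'; return '' if OK, else the problem."""
    parts = text.split()
    if len(parts) != 4:
        return "expected four fields: usage selector matching-type certificate-data"
    if not all(p.isdecimal() for p in parts[:3]):
        return "usage, selector and matching type must be integers"
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING:
        return "usage must be 0-3, selector 0-1, matching type 0-2"
    data = parts[3].lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", data):
        return "certificate data must be an even-length hex string"
    want = MATCHING[mtype][1]
    if want is not None and len(data) != want * 2:
        return f"matching type {mtype} requires exactly {want * 2} hex digits"
    return ""
```

Because the hash covers the whole leaf certificate, the record must be regenerated on every Let’s Encrypt renewal, which is the maintenance burden the thread describes.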