Re: [dane] List of incidents that DANE would have blocked?

Rene Bartsch <ietf@bartschnet.de> Fri, 03 October 2014 09:38 UTC

Date: Fri, 03 Oct 2014 11:38:33 +0200
From: Rene Bartsch <ietf@bartschnet.de>
To: IETF DANE Mailinglist <dane@ietf.org>
In-Reply-To: <DD18BA26-107D-4584-ACDE-131DD3D45AE6@mac.com>
References: <DD18BA26-107D-4584-ACDE-131DD3D45AE6@mac.com>
Message-ID: <570ff050aaf87884e5d2d81a2f6ecf2a@triangulum.uberspace.de>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/1x_WE_-KQ0cObSQnpkWRvVjPdzc
Subject: Re: [dane] List of incidents that DANE would have blocked?

On 2014-10-01 18:37, William Stouder-Studenmund wrote:
> I learned about DANE recently and was excitedly talking to some
> operations friends of mine about it. Some of them work in shops that
> aren’t using DNSSEC yet, and DANE’s requirement of it would trigger
> push-back from management.

Primary nameservers like BIND or PowerDNS generate DNSSEC resource 
records automagically. All you need to do is hand over your DSKEY/ZSK 
to your domain registry periodically. Usually you just have to copy and 
paste the new keys into your registrar's web interface every quarter, 
half-year or year. Even my private domains are secured with DNSSEC/DANE 
by using a DNS operator with managed DNSSEC. I only generate the 
TLSA RRs myself when I change the TLS certs every two years.

As a quick start, I suggest using Shumon Huque's web generator for 
TLSA RRs (https://www.huque.com/bin/gen_tlsa). To reduce the effort of 
changing TLSA RRs when changing the TLS certificate, you can use CNAMEs 
and wildcard RRs pointing to ONE single TLSA RR. For the client side, I 
suggest a warning message in your shops to encourage users to install 
the CZ.NIC DNSSEC/TLSA Validator web browser add-on 
(https://www.dnssec-validator.cz/).


Renne


-- 
Best regards,

Rene Bartsch, B. Sc. Informatics
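A worked example of the TLSA generation and CNAME aliasing described in the message above, added here and not part of the thread or of Shumon Huque's generator: it pulls the SubjectPublicKeyInfo out of a DER certificate with a minimal ASN.1 walker (an assumed helper, not a library API), builds the RFC 6698 `3 1 1` rdata, and emits one TLSA RR with CNAMEs from each service name pointing at it. The certificate is a constructed, structurally valid placeholder with filler key bits, and the zone names are assumptions.

```python
import hashlib
def der_read(buf, pos=0):
    """Return (tag, content, end) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split SEQUENCE content into its child TLVs, each returned whole."""
    out, pos = [], 0
    while pos < len(content):
        end = der_read(content, pos)[2]
        out, pos = out + [content[pos:end]], end
    return out

def spki_from_cert(cert_der):
    """SPKI is TBSCertificate field 7 when the explicit [0] version is present, else field 6."""
    _, cert, _ = der_read(cert_der)         # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, tbs, _ = der_read(cert)
    fields = der_children(tbs)
    return fields[6] if fields[0][0] == 0xA0 else fields[5]

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """RFC 6698 rdata: selector 0 = full cert, 1 = SPKI; mtype 0/1/2 = raw/SHA-256/SHA-512."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    digest = data if mtype == 0 else (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).digest()
    return f"{usage} {selector} {mtype} {digest.hex()}"

def tlv(tag, content):
    """DER-encode one TLV; only used to build the constructed sample certificate below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Constructed, structurally valid but cryptographically meaningless v3 certificate: an
# rsaEncryption SPKI with filler key bits (>128 bytes, so long-form lengths get exercised).
SPKI = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010101")) + tlv(0x05, b""))
             + tlv(0x03, b"\x00" + bytes(range(1, 140))))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
            + tlv(0x30, b"") + tlv(0x30, b"") + tlv(0x30, b"") + SPKI)
CERT = tlv(0x30, TBS + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def zone_snippet(cert_der, target="_tlsa.example.net.",
                 services=("_25._tcp.mx1.example.net.", "_443._tcp.www.example.net.")):
    """One TLSA RR plus a CNAME from each service name to it, the aliasing trick from the thread."""
    return [f"{target} IN TLSA {tlsa_rdata(cert_der)}"] + [f"{s} IN CNAME {target}" for s in services]
```

With a real certificate, feed the DER bytes (e.g. from `ssl.PEM_cert_to_DER_cert`) to `zone_snippet`; after a certificate change only the single TLSA RR at the target name needs updating.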