[dane] Implementing DANE

Sirach Vassallo <sirach@vassallos.com> Thu, 20 March 2014 21:04 UTC

Return-Path: <sirach.vassallo@gmail.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC5D21A0753 for <dane@ietfa.amsl.com>; Thu, 20 Mar 2014 14:04:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.818
X-Spam-Level: *
X-Spam-Status: No, score=1.818 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DEAR_SOMETHING=1.973, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URI_HEX=1.122] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bElq_vfrGO29 for <dane@ietfa.amsl.com>; Thu, 20 Mar 2014 14:04:49 -0700 (PDT)
Received: from mail-oa0-x232.google.com (mail-oa0-x232.google.com [IPv6:2607:f8b0:4003:c02::232]) by ietfa.amsl.com (Postfix) with ESMTP id BF3DA1A042C for <dane@ietf.org>; Thu, 20 Mar 2014 14:04:49 -0700 (PDT)
Received: by mail-oa0-f50.google.com with SMTP id i7so1613262oag.9 for <dane@ietf.org>; Thu, 20 Mar 2014 14:04:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:from:date:message-id:subject:to:content-type; bh=+OkFi3d0CEOd8xO5Gqpvd28Z23AXYeRLaCTsLXo2jXc=; b=tLXRJJOVBkfR/K2zhGnT9y4gqnlG2boCCMtJy6VRBb7rXYY4+0odHAOD8ls+Rg8f7x sUx55XrSmWilTSxzUEEpzKkPVZ3mZKhzR39IKNGFFCSHuwwVqgGlXZBZHI/GbUbDYRTN atsnX0ZP5CdQ4T2HJShk4+5eb79D4JJAXNL7m9mHjJgbkFbQyySGCdgPbd9pJADH95ee Xy7WfooZO6grNKxPuiYuEhNz40Fehf311lUcTpQHOM38AWvxz/lLtrNRmAP4i1IWJ2d9 r2O0R3iEt3357uhsbOf52P/VXBTVWx0+pnZyYSHH8Sd4pVk5wLZjSMr2G8E8dO14RpD/ DXpw==
X-Received: by 10.60.98.139 with SMTP id ei11mr444358oeb.43.1395349480483; Thu, 20 Mar 2014 14:04:40 -0700 (PDT)
MIME-Version: 1.0
Sender: sirach.vassallo@gmail.com
Received: by 10.76.151.202 with HTTP; Thu, 20 Mar 2014 14:04:00 -0700 (PDT)
From: Sirach Vassallo <sirach@vassallos.com>
Date: Thu, 20 Mar 2014 22:04:00 +0100
X-Google-Sender-Auth: KJikDYRm8pLNRSqknwmzijXPBDw
Message-ID: <CANRt=+C-WztWrtvizS4Q+P5nk1Z91rQtEgLr439dk0vA7_BOaQ@mail.gmail.com>
To: dane@ietf.org
Content-Type: multipart/mixed; boundary=089e0122991c1f9a1a04f5101e94
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/O_WhcCobIvNrJegrQUailblvWdo
Subject: [dane] Implementing DANE
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Mar 2014 21:04:52 -0000

Dear Sir/madam,

My name is Sirach Vassallo and I am reading a B.Sc. Degree in Computer
Networks. As for my thesis, I am researching the DANE protocol. My research
includes the Limitations of PKI, DNSSEC and DANE as an alternative to PKI.

Part of my thesis includes the implementation of such protocol. However, I
am having a problem when it comes to TLSA validation by clients. Please, I
would like to ask some questions so that I may continue with my research. I
would really appreciate someone's help!


I have implemented DNSSEC for my domain: danetest.com. I am using BIND
9.9.5 on Ubuntu Desktop 12.04 LTS. I am using zonesigner from the
DNSSEC-Tools to sign my zone.

I have one primary DNS server and one Slave - both Ubuntu 12.04. I also
have another server (Windows Server 2012) running IIS 8 with 2 websites
verified.danetest.com and broken.danetest.com. I created self-signed
certificates for each of these websites and I am making use of SNI for
mapping these certificates to the correct hostname.

As for the client, I am using the DNSSEC/TLSA Validator extension on
Firefox (https://www.dnssec-validator.cz/) on Mac OS X 10.9.2.

I am attaching with this email the *db.danetest.com
<http://db.danetest.com>* and* db.danetest.com.signed* configuration files.

This is my TLSA record for verified.danetest.com

_443._tcp.verified.danetest.com. IN TLSA 3 0 1 (
baf3515d2695e25a2e4e850d909b4a446cdb7de3df2dfc116d36bb4afd94f99c )

I am generating the TLSA record by using this online tool:
https://www.huque.com/bin/gen_tlsa.
As the online tool requires a PEM format of the certificate, I am
converting the .pfx (created from IIs) to .pem using openSSL.

My question is, am I implementing the TLSA RR correctly? Since the client
extension is saying that the name verification is failing.

Should the Usage, Selector and Matching type fields be in number bits or
words as listed in the draft: draft-ietf-dane-ops-03 ?

Also, does the TLSA record needs to be inserted into the signed zone file?
or the normal unsigned conf file? I tried both, however, when using the IN
TLSA DANE-TA Cert SHA2-256 format instead of numbers, the zonesigner daemon
gave me an error saying that the format is not supported.

I would really appreciate your help. Thank you in advance, and hope to hear
from you soon.

Regards,


Sirach Vassallo

m. 00 356 99491210
e.  sirach@vassallos.com