Use DNSSEC for secure connections

certificate ssl-certificate dnssec

From my understanding DNSSEC allows me to create a public key and sign my DNS records. There appears to be multiple ways to have a certificate record (such as DANE see https://wiki.mozilla.org/Security/DNSSEC-TLS-details#Embedding_Certificate_Information_in_DNS)

I'm not exactly sure how this works. I'm guessing these steps. Is this correct?

  • Create a public/private key pair
  • Put the public key into a DNS record (DS I believe)
  • Sign my dns records
  • Create a public/private key for my server
  • Create a certificate
  • Sign the certificate using the DNS private key
  • Put the certificate in the DNS!?!?!
  • Put the certificate on my server and use it the typical way?

I feel like I got something wrong and that Mozilla link mentions not all records would be supported so which is currently well supported (lets say firefox, chrome, IOS and android) and what record am I using for what I describe? DANE? CAA?


Solution 1:

DNSSEC and DANE are separate things but DNSSEC is a prerequisite to using DANE.

DNSSEC specifically allows for validation that the received DNS data is authentic, nothing more.

Making use of DNSSEC would mean to generate DNSSEC keys, signing your zone (which would result in publishing the public keys as DNSKEY records, adding RRSIG/NSEC/NSEC3 records based on your actual zone data, etc), making the delegation signed by having the registrar add a DS record (which identifies the valid key that you have published in the delegated zone) along with normal NS / glue records.

Making use of DANE essentially comes down to adding a TLSA record like the following in the DNSSEC-signed zone:

_443._tcp.example.com. IN TLSA tlsa-parameters-identifying-the-valid-certificate

(You may want to use tlsa(1) from hash-slinger to generate this record)

The DANE-aware HTTPS client (in this example) would then know that they are connecting to port 443/tcp on example.com and would then look up _443._tcp.example.com. IN TLSA, validate the authenticity of the DNS data and then, in turn, use that data to validate the certificate presented in the TLS connection.

Related

Can someone explain the important differences between fabric, point to point, and loop on a fibre san?
puppet: how to submit command "yum update" to all agents?
User account was locked out from exchange server - how to prevent in future?
How does Outlook automatically determine mail server details?
debian wheezy, heartbleed, openssl refuses to update
Is there a streamlined way to export settings from an existing CentOS 5.10 server for local Vagrant provisioning? (Puppet, Chef, shell, or otherwise)
How can i access multiple object in a nested array and push them all at the same time using Vue?
docker-compose not honoring CPU limits
Reset Keyboard Preferences
Touchscreen on HP Envy x360 is not working with 18.04
Laravel TDD assertSee returns true on NULL object
Best practice for shared directory on server (samba windows 10 clients)