Use DNSSEC for secure connections

From my understanding, DNSSEC allows me to create a public key and sign my DNS records. There appear to be multiple ways to have a certificate record (such as DANE, see https://wiki.mozilla.org/Security/DNSSEC-TLS-details#Embedding_Certificate_Information_in_DNS).

I'm not exactly sure how this works. I'm guessing these steps. Is this correct?

  • Create a public/private key pair
  • Put the public key into a DNS record (DS I believe)
  • Sign my DNS records
  • Create a public/private key for my server
  • Create a certificate
  • Sign the certificate using the DNS private key
  • Put the certificate in the DNS!?!?!
  • Put the certificate on my server and use it the typical way?

I feel like I got something wrong, and that Mozilla link mentions that not all records would be supported. So which is currently well supported (let's say Firefox, Chrome, iOS and Android), and what record am I using for what I describe? DANE? CAA?


Solution 1:

DNSSEC and DANE are separate things but DNSSEC is a prerequisite to using DANE.

DNSSEC specifically allows for validation that the received DNS data is authentic, nothing more.

Making use of DNSSEC would mean generating DNSSEC keys, signing your zone (which results in publishing the public keys as DNSKEY records, adding RRSIG/NSEC/NSEC3 records based on your actual zone data, etc.), and making the delegation signed by having the registrar add a DS record (which identifies the valid key that you have published in the delegated zone) along with the normal NS / glue records.

Making use of DANE essentially comes down to adding a TLSA record like the following in the DNSSEC-signed zone:

_443._tcp.example.com. IN TLSA tlsa-parameters-identifying-the-valid-certificate

(You may want to use tlsa(1) from hash-slinger to generate this record)

The DANE-aware HTTPS client (in this example) knows that it is connecting to port 443/tcp on example.com, so it looks up _443._tcp.example.com. IN TLSA, validates the authenticity of the DNS data via DNSSEC, and then, in turn, uses that data to validate the certificate presented in the TLS connection.
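To make the TLSA step concrete, here is an added example (my own code, not part of the answer above and not the hash-slinger tlsa(1) tool). It builds the TLSA rdata for a certificate from the three fields RFC 6698 defines (usage, selector, matching type), and then performs the client-side check the answer describes: does the certificate presented in the TLS handshake match the record? It uses only the Python standard library; the "certificate" is a constructed, minimal DER structure with the X.509 outline (not a real signed certificate), and the helper names (make_fake_cert, spki_der, tlsa_rdata, tlsa_matches, tlsa_owner) are mine. It also goes one step beyond the answer by showing why selector 1 (SubjectPublicKeyInfo) is the usual choice: the record survives a certificate reissue with the same key, whereas selector 0 (full certificate) does not.

```python
"""DANE/TLSA worked example (RFC 6698 semantics), standard library only.

Added example, not code from the original post. The certificate below is a
constructed, minimal DER structure with the X.509 layout so this runs
offline; it is not a real signed certificate.
"""
import hashlib

# ---- tiny DER helpers: just enough to build and walk the X.509 outline ----
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def parse_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(seq_value):
    out, pos = [], 0
    while pos < len(seq_value):
        tag, val, pos = parse_tlv(seq_value, pos)
        out.append((tag, val))
    return out

def spki_der(cert_der):
    """Extract SubjectPublicKeyInfo (as a complete DER TLV) from a certificate.
    tbsCertificate = [0] version, serial, sigAlg, issuer, validity, subject, SPKI, ..."""
    _, cert_body, _ = parse_tlv(cert_der)
    _, tbs_body, _ = parse_tlv(cert_body)
    fields = children(tbs_body)
    if fields[0][0] == 0xA0:               # explicit [0] version present (v2/v3)
        fields = fields[1:]
    tag, val = fields[5]                   # serial, sigAlg, issuer, validity, subject, SPKI
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not where expected")
    return tlv(0x30, val)

# ---- TLSA record construction (server side) ----
def tlsa_rdata(cert_der, usage=3, selector=1, matching=1):
    """Return 'usage selector matching assoc-data' for the given certificate.
    selector: 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    usage 3 (DANE-EE) pins this end-entity cert/key regardless of any CA."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    if matching == 0:
        assoc = data.hex()
    elif matching == 1:
        assoc = hashlib.sha256(data).hexdigest()
    elif matching == 2:
        assoc = hashlib.sha512(data).hexdigest()
    else:
        raise ValueError("unknown matching type")
    return f"{usage} {selector} {matching} {assoc}"

def tlsa_owner(host, port=443, proto="tcp"):
    """Owner name the client queries: _port._proto.host."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

# ---- TLSA check (client side, after DNSSEC validation of the record) ----
def tlsa_matches(cert_der, rdata):
    """Does the certificate presented in the TLS handshake satisfy this record?"""
    usage, selector, matching, assoc = rdata.split()
    expected = tlsa_rdata(cert_der, int(usage), int(selector), int(matching))
    return expected.split()[3] == assoc.lower()

# ---- constructed sample input: a minimal X.509-shaped DER blob (not real) ----
def make_fake_cert(pubkey_bits, serial=1):
    oid_rsa = tlv(0x06, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption OID
    alg = tlv(0x30, oid_rsa + tlv(0x05, b""))                  # AlgorithmIdentifier
    version = tlv(0xA0, tlv(0x02, b"\x02"))                    # [0] INTEGER 2 (v3)
    name = tlv(0x30, b"")                                      # empty Name (placeholder)
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + pubkey_bits))  # SubjectPublicKeyInfo
    tbs = tlv(0x30, version + tlv(0x02, bytes([serial])) + alg + name + validity + name + spki)
    sig = tlv(0x03, b"\x00" + b"\x00" * 8)                     # placeholder signature bits
    return tlv(0x30, tbs + alg + sig)

if __name__ == "__main__":
    cert = make_fake_cert(b"\x01\x02\x03")
    print(tlsa_owner("example.com"), "IN TLSA", tlsa_rdata(cert))
```

Running it prints a record of the form `_443._tcp.example.com. IN TLSA 3 1 1 <sha256-hex>`, which is the concrete shape of the placeholder line in the answer. With a real certificate you would feed the DER bytes of the file you deploy on the server into `tlsa_rdata` instead of `make_fake_cert`; keep in mind that the record is only meaningful if the zone is DNSSEC-signed, because an unsigned TLSA record gives the client nothing it can trust.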