2022-02-14 19:53:22 +01:00
# OVH DANE Companion
> Untested code ahead! This was done in a rush and isn't tested! It *should* work,
> but I wouldn't be surprised if it breaks sometimes.

## Aim
I wanted to implement, in a few days' worth of free time, a companion container for my Let's Encrypt container. My certificates are generated by a Docker container, and I wanted to deploy the matching TLSA records automatically.

DANE and TLSA records are used to prevent TLS downgrade attacks, such as a MITM attacker stripping STARTTLS or presenting its own certificate: the connecting mail server checks the certificate it is offered against the TLSA record published in DNSSEC-signed DNS.

I also wanted to have a 100% score on internet.nl for my email server security, and I got [it](https://internet.nl/mail/louis-vallat.xyz/671317/).

## Rollover scheme
There **isn't** any. I could add a "2 1 1" record using Let's Encrypt's root certificate as the trust anchor, but then I could just use a "2 1 1" record permanently and the "3 1 1" record would be useless.

As I use an external container to renew the certificates, I cannot modify the renewal procedure, so I can't use the "current + next" rollover scheme (publishing the record for the next key alongside the current one before switching).

In compensation, I set the TLSA TTLs to the lowest my DNS provider allows: 60 seconds. In case of a key rollover, the TLSA records will be wrong for **at most** 2 minutes (2 TTLs, just to be safe), as long as no resolver on the way keeps the record longer than the TTL specifies (which can happen with lazy ISPs). TLSA records being borked for 2 minutes once every few months shouldn't be an issue.

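As an added example (not part of this companion's code), the following Python computes the "3 1 1" record with the 60-second TTL discussed above from a DER-encoded certificate, using only the standard library; the owner name `_25._tcp.mail.example.com.` and the sample certificate are constructed for illustration.

```python
import hashlib

def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV; used here only to build the constructed sample certificate."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next N bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf: bytes, start: int, end: int):
    """Yield (tag, raw TLV bytes) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend = read_tlv(buf, pos)
        yield tag, buf[pos:vend]
        pos = vend

def spki_from_der(cert_der: bytes) -> bytes:
    """Extract the DER SubjectPublicKeyInfo (selector 1) from a DER X.509 certificate."""
    _, cert_start, _ = read_tlv(cert_der, 0)                  # Certificate ::= SEQUENCE
    _, tbs_start, tbs_end = read_tlv(cert_der, cert_start)    # tbsCertificate SEQUENCE
    fields = list(children(cert_der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                                  # optional [0] EXPLICIT version
        fields.pop(0)
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][1]

def tlsa_3_1_1(cert_der: bytes, owner: str, ttl: int = 60) -> str:
    """Zone line for usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    digest = hashlib.sha256(spki_from_der(cert_der)).hexdigest()
    return f"{owner} {ttl} IN TLSA 3 1 1 {digest}"

# Constructed sample: structurally valid DER with a bogus Ed25519 key and empty names.
SAMPLE_SPKI = der(0x30, der(0x30, b"\x06\x03\x2b\x65\x70")      # AlgorithmIdentifier (OID 1.3.101.112)
                  + der(0x03, b"\x00" + bytes(range(32))))    # BIT STRING carrying the fake key
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                            + der(0x30, b"") * 4 + SAMPLE_SPKI)  # sig alg, issuer, validity, subject
                  + der(0x30, b"") + der(0x03, b"\x00"))         # signatureAlgorithm, signatureValue

if __name__ == "__main__":
    print(tlsa_3_1_1(SAMPLE_CERT, "_25._tcp.mail.example.com."))
```

With a real certificate, feed the DER bytes of the end-entity certificate (not the chain) and publish the resulting line; after each renewal the digest changes, which is exactly why the low TTL matters.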
Although this technology is not exactly new (it dates from 2012), it is still not widely deployed.

## Security addendum
Although it provides a bit more security, as it prevents MITM attacks from downgrading your TLS (or disabling it altogether), I would ***strongly*** recommend sending sensitive emails **only** with PGP encryption! Plain text emails are privacy nightmares!

## References and links
- Article from Abyss Project: [link](https://www.abyssproject.net/2016/09/creer-utiliser-enregistrements-tlsa-dane/)
- Internet technologies tester: [link](https://internet.nl/)
- SMTP Protection HowTo: [link](https://github.com/internetstandards/toolbox-wiki)
- OVH API: [link](https://eu.api.ovh.com/)