ovh-dane-companion/README.md

# OVH DANE Companion
> Untested code ahead! This was done in a rush and isn't tested! It *should* work,
> but I wouldn't be surprised if it breaks sometimes.
## Aim
I wanted to implement, in a few days' worth of free time, a companion
container for my Let's Encrypt container. My certificates are generated by a
Docker container, and I wanted to deploy TLSA records automatically.
DANE and TLSA records are used to avoid TLS downgrade attacks, such as during a
MITM attack.
I also wanted to have a 100% score on internet.nl for my email server security,
and I got [it](https://internet.nl/mail/louis-vallat.xyz/671317/).
## Rollover scheme
There **isn't** any. I could add a "2 1 1" record using Let's Encrypt's root certificates,
but then I could just use a "2 1 1" record permanently and the "3 1 1" record would
be useless.
As I use an external container to renew the certificates, I cannot modify the
renewal procedure, so I can't use the "current + next" rollover scheme.
In compensation, I set the TLSA TTLs to the lowest my DNS provider allows: 60 seconds.
In case of a key rollover, the TLSA records will be wrong for **at most** 2 minutes
(2 TTLs, just to make sure), as long as no entity on the way keeps the record
longer than the specified TTL (that can happen with lazy ISPs). TLSA records being
borked for 2 minutes once every few months shouldn't be an issue.
Although this is not new, maybe a bit young (from 2012), this technology isn't
widely deployed.
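As an added example (not code from this repository), the following Python script derives the "3 1 1" rdata the companion publishes: it walks the certificate's DER structure to locate the SubjectPublicKeyInfo and hashes its complete encoding with SHA-256, as selector 1 requires. The sample certificate is constructed inline from dummy fields and is not a real certificate; the DER helpers are assumptions of this example.

```python
"""Derive the "3 1 1" TLSA rdata (DANE-EE, SPKI selector, SHA-256) from a DER certificate."""
import hashlib

def der_encode(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with a minimal (short or long form) length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(enc)]) + enc + value

def der_decode(data: bytes, offset: int = 0):
    """Parse one DER TLV at offset; return (tag, value, end_offset)."""
    tag, length, pos = data[offset], data[offset + 1], offset + 2
    if length & 0x80:  # long form: low 7 bits count the length octets that follow
        count = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + count], "big"), pos + count
    return tag, data[pos:pos + length], pos + length

def der_children(value: bytes):
    """Yield (tag, inner value, full TLV bytes) for each element of a SEQUENCE body."""
    offset = 0
    while offset < len(value):
        tag, inner, end = der_decode(value, offset)
        yield tag, inner, value[offset:end]
        offset = end

def extract_spki(cert_der: bytes) -> bytes:
    """Return the complete DER TLV of the certificate's SubjectPublicKeyInfo."""
    _, certificate, _ = der_decode(cert_der)  # Certificate ::= SEQUENCE
    _, tbs, _ = der_decode(certificate)       # tbsCertificate is its first element
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                  # skip the optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][2]

def tlsa_3_1_1(cert_der: bytes) -> str:
    """Usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256 of the SPKI DER)."""
    return "3 1 1 " + hashlib.sha256(extract_spki(cert_der)).hexdigest()

# Constructed sample (not a real certificate): v3-shaped layout with dummy contents;
# the 257-byte BIT STRING makes the SPKI use long-form DER lengths.
ALG = der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der_encode(0x05, b""))
SAMPLE_SPKI = der_encode(0x30, ALG + der_encode(0x03, b"\x00" + bytes(range(256))))
TBS = (der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01") + ALG  # version, serial, sig alg
       + der_encode(0x30, b"") + der_encode(0x30, der_encode(0x17, b"240101000000Z") * 2)  # issuer, validity
       + der_encode(0x30, b"") + SAMPLE_SPKI)  # subject, subjectPublicKeyInfo
SAMPLE_CERT_DER = der_encode(0x30, der_encode(0x30, TBS) + ALG + der_encode(0x03, b"\x00" * 65))
```

For a real PEM certificate, convert it with `ssl.PEM_cert_to_DER_cert()` before calling `tlsa_3_1_1()`; the resulting rdata goes into the `_25._tcp.<mail host>` TLSA record.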
## Security addendum
Although it provides a bit more security, as it prevents MITM attacks from
downgrading your TLS (or disabling it altogether), I would ***strongly*** recommend
sending sensitive emails **only** with PGP encryption! Plain text emails are
privacy nightmares!
## References and links
- Article from Abyss Project: [link](https://www.abyssproject.net/2016/09/creer-utiliser-enregistrements-tlsa-dane/)
- Internet technologies tester: [link](https://internet.nl/)
- SMTP Protection HowTo: [link](https://github.com/internetstandards/toolbox-wiki)
- OVH API: [link](https://eu.api.ovh.com/)