diff --git a/README.md b/README.md new file mode 100644 index 0000000..ae6e0d7 --- /dev/null +++ b/README.md @@ -0,0 +1,41 @@ +# OVH DANE Companion + +> Untested code ahead! This was done in a rush and isn't tested! It *should* work, +> but I wouldn't be surprised if it breaks sometimes. + +## Aim + +I wanted to implement in a matter of a few days worth of free time a companion +container for my Let's Encrypt container. My certificates are generated by a +Docker container, and I wanted to deploy TLSA records automatically. + +DANE and TLSA records are used to avoid TLS downgrade attacks, such as during a +MITM attacks. + +I also wanted to have a 100% score on internet.nl for my email server security, +and I got [it](https://internet.nl/mail/louis-vallat.xyz/671317/). + +## Rollover scheme + +There **isn't** any. I could add a "2 1 1" record using Let's Encrypt's root certificates, +but then I could just use permanently a "2 1 1" record and the "3 1 1" record would +be useless. + +As I used an external container to renew the certificates, I cannot modify the +renewal procedure, so I can't use the "current + next" rollover scheme. + +In compensation, I set the TLSA TLLs as the lowest my DNS provider allows: 60 seconds. +In case of a key rollover, the TLSA records will be wrong for **at most** 2 minutes +(2 TTLs just to make sure), as long as some entity on the way doesn't keep the record +longer than the TTL specified (that can happen with lazy ISPs). TLSA records being +borked for 2 minutes once every few months shouldn't be an issue. + +Although this is not new, maybe a bit young (from 2012), this technology isn't +widely spread. + +## References and links + +- Article from Abyss Project: [link](https://www.abyssproject.net/2016/09/creer-utiliser-enregistrements-tlsa-dane/) +- Internet technologies tester: [link](https://internet.nl/) +- SMTP Protection HowTo: [link](https://github.com/internetstandards/toolbox-wiki) +- OVH API: [link](https://eu.api.ovh.com/)
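Review bot: the README explains the (absent) rollover scheme but never documents how the container is driven: which OVH API credentials or environment variables it expects, which DNS zone and record names (port/protocol labels) it manages, and how it notices that the Let's Encrypt container has renewed a certificate. Please add a configuration/usage section so a reader can deploy it without reading the code. Two wording points in the same hunk: "TLSA TLLs" should read "TLSA TTLs", and "such as during a MITM attacks" drops an article ("such as a MITM attack"). In the rollover paragraph it is worth stating plainly what the 2-minute window costs: while a stale "3 1 1" record is served, a DANE-validating sender that cannot match the presented certificate refuses delivery for that attempt (RFC 7672) rather than falling back to opportunistic TLS, so the window is a mail-deferral window, and resolvers that ignore the 60-second TTL extend it.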