Added README
Signed-off-by: Louis Vallat <louis@louis-vallat.xyz>
parent d430584f4d
commit 3c1f7c7496
README.md (new file, 41 lines)
@ -0,0 +1,41 @@
# OVH DANE Companion

> Untested code ahead! This was done in a rush and isn't tested! It *should* work,
> but I wouldn't be surprised if it breaks sometimes.

## Aim

I wanted to implement in a matter of a few days worth of free time a companion
container for my Let's Encrypt container. My certificates are generated by a
Docker container, and I wanted to deploy TLSA records automatically.

DANE and TLSA records are used to avoid TLS downgrade attacks, such as during a
MITM attacks.

I also wanted to have a 100% score on internet.nl for my email server security,
and I got [it](https://internet.nl/mail/louis-vallat.xyz/671317/).

## Rollover scheme

There **isn't** any. I could add a "2 1 1" record using Let's Encrypt's root certificates,
but then I could just use permanently a "2 1 1" record and the "3 1 1" record would
be useless.

As I used an external container to renew the certificates, I cannot modify the
renewal procedure, so I can't use the "current + next" rollover scheme.

In compensation, I set the TLSA TLLs as the lowest my DNS provider allows: 60 seconds.
In case of a key rollover, the TLSA records will be wrong for **at most** 2 minutes
(2 TTLs just to make sure), as long as some entity on the way doesn't keep the record
longer than the TTL specified (that can happen with lazy ISPs). TLSA records being
borked for 2 minutes once every few months shouldn't be an issue.

Although this is not new, maybe a bit young (from 2012), this technology isn't
widely spread.

## References and links

- Article from Abyss Project: [link](https://www.abyssproject.net/2016/09/creer-utiliser-enregistrements-tlsa-dane/)
- Internet technologies tester: [link](https://internet.nl/)
- SMTP Protection HowTo: [link](https://github.com/internetstandards/toolbox-wiki)
- OVH API: [link](https://eu.api.ovh.com/)
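Review bot: the "at most 2 minutes" bound in the rollover section only holds if the TLSA record is rewritten at the moment the certificate is renewed, but the README never says how the companion notices a renewal (watching the certificate file vs. a periodic check), so the real mismatch window is that detection delay plus the 60-second TTL; please document the detection mechanism and its interval next to the TTL claim. The README also mentions a "3 1 1" record without stating which TLSA usage/selector/matching-type the container actually publishes or which OVH API credentials it needs to update the zone; a short "Usage" section covering both would make the tool deployable by someone other than the author.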