OVH DANE Companion
Untested code ahead! This was done in a rush and isn't tested! It should work, but I wouldn't be surprised if it breaks sometimes.
Aim
I wanted to implement, in a few days' worth of free time, a companion container for my Let's Encrypt container. My certificates are generated by a Docker container, and I wanted to deploy TLSA records automatically.
DANE and TLSA records are used to prevent TLS downgrade attacks, such as those performed during a MITM attack.
I also wanted to have a 100% score on internet.nl for my email server security, and I got it.
Rollover scheme
There isn't any. I could add a "2 1 1" record using Let's Encrypt's root certificates, but then I could just permanently use a "2 1 1" record and the "3 1 1" record would be useless.
Since I use an external container to renew the certificates, I cannot modify the renewal procedure, so I can't use the "current + next" rollover scheme.
In compensation, I set the TLSA TTLs to the lowest my DNS provider allows: 60 seconds. In case of a key rollover, the TLSA records will be wrong for at most 2 minutes (2 TTLs, just to be safe), as long as no resolver on the way keeps the record longer than the specified TTL (which can happen with lazy ISPs). TLSA records being borked for 2 minutes once every few months shouldn't be an issue.
Although this technology is not new (it dates from 2012), it is still not widely deployed.
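As an added illustration (not the project's own Rust code), the following shows how a "3 1 1" record is derived from a certificate and how a companion can detect that a published record went stale after a key rollover, which is the failure mode the short TTL above is meant to bound. It uses a hand-rolled DER walker on a constructed sample certificate and assumes the RFC 6698 numbering: usage 3 = DANE-EE, 2 = DANE-TA; selector 1 = SubjectPublicKeyInfo, 0 = full certificate; matching type 1 = SHA-256.

```python
import hashlib

def _der(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
# Constructed sample: a structurally valid X.509 DER skeleton with dummy contents
# (not a real or signed certificate); only the DER shape matters for the parser.
RSA_OID = _der(0x06, bytes.fromhex("2a864886f70d010101"))        # rsaEncryption
SHA256_RSA_OID = _der(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
SAMPLE_SPKI = _der(0x30, _der(0x30, RSA_OID + _der(0x05, b"")) + _der(0x03, b"\x00" + b"\x42" * 200))
SAMPLE_CERT_DER = _der(0x30, _der(0x30,
        _der(0xA0, _der(0x02, b"\x02"))                      # [0] EXPLICIT version v3
        + _der(0x02, b"\x01\x23")                            # serialNumber
        + _der(0x30, SHA256_RSA_OID)                         # signature AlgorithmIdentifier
        + _der(0x30, b"")                                    # issuer (dummy empty Name)
        + _der(0x30, _der(0x17, b"230101000000Z") + _der(0x17, b"240101000000Z"))  # validity
        + _der(0x30, b"")                                    # subject (dummy empty Name)
        + SAMPLE_SPKI)
    + _der(0x30, SHA256_RSA_OID) + _der(0x03, b"\x00" * 65))  # signatureAlgorithm, signature
def _read_tlv(der, pos):
    """Return (tag, value_start, value_end) of the DER TLV that starts at pos."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def extract_spki(cert_der):
    """DER of subjectPublicKeyInfo: Certificate -> tbsCertificate -> field after subject."""
    _, pos, _ = _read_tlv(cert_der, 0)                       # enter Certificate
    _, pos, _ = _read_tlv(cert_der, pos)                     # enter tbsCertificate
    tag, _, end = _read_tlv(cert_der, pos)
    if tag == 0xA0:                                          # optional [0] version: skip it
        pos = end
    for _ in range(5):                                       # serial, sigalg, issuer, validity, subject
        _, _, pos = _read_tlv(cert_der, pos)
    _, _, end = _read_tlv(cert_der, pos)
    return cert_der[pos:end]
def tlsa_rdata(cert_der, usage=3, selector=1, matching=1):
    """RFC 6698 RDATA: usage 3 = DANE-EE, 2 = DANE-TA; selector 1 = SPKI, 0 = full cert; matching 1 = SHA-256."""
    if matching != 1:
        raise ValueError("only matching type 1 (SHA-256) is implemented in this example")
    data = extract_spki(cert_der) if selector == 1 else cert_der
    return f"{usage} {selector} {matching} {hashlib.sha256(data).hexdigest()}"
def record_is_current(published_rdata, cert_der):
    """False once a key rollover has made the published hash stale (time to rewrite the record)."""
    u, s, m, digest = published_rdata.split()
    return tlsa_rdata(cert_der, int(u), int(s), int(m)).split()[3] == digest.lower()
```

A zone line then reads `_25._tcp.mail.example.com. 60 IN TLSA ` followed by `tlsa_rdata(cert_der)`; with real input, feed the DER of the certificate the mail server actually serves.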
Security addendum
Although it provides a bit more security, as it prevents MITM attacks from downgrading your TLS (or disabling it altogether), I would strongly recommend sending sensitive emails only with PGP encryption! Plain text emails are a privacy nightmare!