DANE/DNSSEC/TLS Testing in the Go6lab - RIPE

Post on 31-Jan-2018



DANE/DNSSEC/TLS Testing in the Go6lab

Jan Žorž, ISOC / Go6 Institute, Slovenia

jan@go6.si, zorz@isoc.org

Acknowledgement

I would like to thank the Internet Society for letting me spend some of my ISOC working time in go6lab and test all these new and exciting protocols and mechanisms that make the Internet a bit better and more secure place…

DNSSEC implementation in go6lab

• PowerDNS server (used as primary for non-signed domains) as "hidden" primary DNS server

• OpenDNSSEC platform for signing domains

• BIND9 DNS servers as secondaries to OpenDNSSEC to serve signed zones

• Virtualization used: PROXMOX 3.4

• OS templates: fedora-20, CentOS 6/7

DNSSEC implementation in go6lab

• "Bump in a wire"

• Two public "primary" servers

• Concept:

DNSSEC in go6lab

• That was fairly easy and it works very well.

• Implementation document used from Matthijs Mekking:

http://go6.si/docs/opendnssec-start-guide-draft.pdf

DANE experiment

• When DNSSEC was set up and functioning we started to experiment with DANE (DNS-based Authentication of Named Entities).

• Requirements:
  – DNSSEC signed domains
  – Postfix server with TLS support > 2.11

• We decided on Postfix 3.0.1

DANE

• TLSA record for mx.go6lab.si

_25._tcp.mx.go6lab.si. IN TLSA 3 0 1 B4B7A46F9F0DFEA0151C2E07A5AD7908F4C8B0050E7CC25908DA05E2A84748ED

It's basically a hash of the TLS certificate on mx.go6lab.si.

More about DANE: http://www.internetsociety.org/deploy360/resources/dane/

What is DANE and how does it work

DANE verification

• mx.go6lab.si was able to verify the TLS cert to the T-2 mail server and NLnet Labs and some others…

mx postfix/smtp[31332]: Verified TLS connection established to smtp-good-in-2.t-2.si[2a01:260:1:4::24]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

dicht postfix/smtp[29540]: Verified TLS connection established to mx.go6lab.si[2001:67c:27e4::23]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Postfix config

smtpd_use_tls=yes
smtpd_tls_security_level=may
smtpd_tls_key_file=/etc/postfix/ssl/server.pem
smtpd_tls_cert_file=/etc/postfix/ssl/server.pem
smtpd_tls_auth_only=no
smtpd_tls_loglevel=1
smtpd_tls_received_header=yes
smtpd_tls_session_cache_timeout=3600s
smtp_tls_security_level=dane
smtp_use_tls=yes
smtp_tls_note_starttls_offer=yes
smtp_tls_loglevel=1
tls_random_exchange_name=/var/run/prng_exch
tls_random_source=dev:/dev/urandom
tls_smtp_use_tls=yes

Malformed TLSA record

• We created a TLSA record with a bad hash (one character changed)

• Postfix failed to verify it and refused to send a message

mx postfix/smtp[1765]: Untrusted TLS connection established to mail-bad.go6lab.si[2001:67c:27e4::beee]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

mx postfix/smtp[1765]: 3A4BE8EE5C: Server certificate not trusted

1M top Alexa domains and DANE

• We fetched the top 1 million Alexa domains and created a script that sent an email to each of them (test-dnssec-dane@[domain])

• After some tweaking of the script we got some good results

• Then we built a script that parsed the mail log file, and here are the results:

Results

• Out of 1 million domains, 992,232 of them had an MX record and a mail server.

• Nearly 70% (687,897) of all attempted SMTP sessions to the MX records of the Alexa top 1 million domains were encrypted with TLS

• The majority of TLS connections (60%) were established with a trusted certificate

• 1,382 connections where the remote mail server announced TLS capability failed with "Cannot start TLS: handshake failure"

More results

TLS established connection ratios are:

Anonymous: 109,753
Untrusted: 167,063
Trusted: 410,953
Verified: 128

Quick guide: Anonymous (opportunistic TLS with no signature), Untrusted (peer certificate not signed by a trusted CA), Trusted (peer certificate signed by a trusted CA) and Verified (verified with TLSA by DANE).

DANE Verified

Verified: 128!!!
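The log-parsing step behind these counts (the script that tallied the four TLS states from the Postfix mail log), as an added example that is not part of the original slides: it classifies each outbound "TLS connection established" line by state, counts the two failure messages the slides quote, and tallies states per MX host as in the mail distribution table. The sample log is constructed from the line formats shown on these slides; hosts other than the t-2.si and go6lab.si ones are invented.

```python
import re
from collections import Counter

# Postfix logs each outbound TLS session as "<state> TLS connection established to
# <host>[<addr>]:<port>: <proto> with cipher <cipher> ..."; the DANE case is "Verified".
TLS_SESSION_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<state>Anonymous|Untrusted|Trusted|Verified) "
    r"TLS connection established to (?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\]:\d+: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
FAILURE_MARKERS = {  # failure lines the slides single out
    "handshake_failure": "Cannot start TLS: handshake failure",
    "cert_not_trusted": "Server certificate not trusted",
}

def parse_tls_line(line):
    """Return the session fields of a 'TLS connection established' line, else None."""
    m = TLS_SESSION_RE.search(line)
    return m.groupdict() if m else None

def summarise_log(lines):
    """Count sessions per TLS state plus the two failure markers; other lines are ignored."""
    counts = Counter()
    for line in lines:
        rec = parse_tls_line(line)
        if rec:
            counts[rec["state"]] += 1
            continue
        for key, marker in FAILURE_MARKERS.items():
            if marker in line:
                counts[key] += 1
    return dict(counts)

def state_by_mx(lines):
    """Per-MX-host tally of TLS states, like the 'Mail distribution' table."""
    dist = {}
    for rec in filter(None, map(parse_tls_line, lines)):
        dist.setdefault(rec["host"], Counter())[rec["state"]] += 1
    return dist

# Constructed sample log: the t-2.si and go6lab.si lines follow the slides, the rest is invented.
SAMPLE_LOG = """\
Jan 20 10:01:02 mx postfix/smtp[31332]: Verified TLS connection established to smtp-good-in-2.t-2.si[2a01:260:1:4::24]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jan 20 10:01:05 mx postfix/smtp[1765]: Untrusted TLS connection established to mail-bad.go6lab.si[2001:67c:27e4::beee]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 20 10:01:05 mx postfix/smtp[1765]: 3A4BE8EE5C: Server certificate not trusted
Jan 20 10:01:09 mx postfix/smtp[2001]: Anonymous TLS connection established to mail.example.net[192.0.2.10]:25: TLSv1.2 with cipher AES128-SHA (128/128 bits)
Jan 20 10:01:11 mx postfix/smtp[2002]: Trusted TLS connection established to mx1.example.com[192.0.2.20]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 20 10:01:15 mx postfix/smtp[2003]: Cannot start TLS: handshake failure
Jan 20 10:01:20 mx postfix/smtp[2004]: 7C1D2E: to=<test-dnssec-dane@example.org>, relay=mx.example.org[192.0.2.30]:25, delay=1.2, status=sent (250 OK)
""".splitlines()
```

Run `summarise_log(SAMPLE_LOG)` on a real mail log (one entry per line) to get the same Anonymous/Untrusted/Trusted/Verified breakdown the slide reports.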

Mail distribution

Mail server        # domains handled   TLS state
google.com         125,422             Trusted
secureserver.net    35,759             Some Trusted, some no TLS at all
qq.com              11,254             No TLS
Yandex.ru            9,268             Trusted
Ovh.net              8,531             Most Trusted, with redirect servers having no TLS at all
Emailsrvr.com        8,262             Trusted
Zohomail.com         2,981             Trusted
Lolipop.jp           1,685             No TLS
Kundenserver.de      2,834             Trusted
Gandi.net            2,200             Anonymous

DNSSEC? DANE?

None of these "big" mail servers (and their domains) are DNSSEC signed (that meant no DANE was possible for them up to January 2016).

When do DANE things fail?

• Of course, with a wrong certificate hash in the TLSA record (refuses to send mail)

• If the domain where the MX record resides is not DNSSEC signed (can't trust the data in MX, so no verification)

• If the TLSA record is published in a non-DNSSEC zone (can't trust the data in TLSA, so no verification)

When do things fail? (example)

• go6lab.si zone is signed, so is mx.go6lab.si

• there is a TLSA for mx.go6lab.si, also signed

• Domain signed.si is signed and its MX points to mx.go6lab.si

• Domain not-signed.si is not signed and its MX points to mx.go6lab.si

• We send email to jan@signed.si and jan@not-signed.si (signed.si and not-signed.si are used just as examples)

When do things fail? (example)

When I send email to jan@signed.si (signed domain):
Verified TLS connection established to mx.go6lab.si[2001:67c:27e4::23]:25:

When I send email to jan@not-signed.si (not signed domain):
Anonymous TLS connection established to mx.go6lab.si[2001:67c:27e4::23]:25:

When does DANE verification also fail?

• Let's try to point the MX record from the signed domain to an A/AAAA record in the not-signed domain with a TLSA that is also not signed (obviously) – mail.not-signed.si

Send mail to jan@signed.si when the MX for signed.si points to mail.not-signed.si – DANE verification is not even started, as the chain of trust is broken

Postfix latest improvements :)

postfix-3.1-20160103/HISTORY:

20160103

Feature: enable DANE policies when an MX host has a secure TLSA DNS record, even if the MX DNS record was obtained with insecure lookups. The existence of a secure TLSA record implies that the host wants to talk TLS and not plaintext. This behavior is controlled with smtp_tls_dane_insecure_mx_policy (default: "dane", other settings: "encrypt" and "may"; the latter is backwards-compatible with earlier Postfix releases). Viktor Dukhovni.

Let's Encrypt, DANE and mail

• Let's Encrypt recommends using '2 1 1' and '3 1 1' records

• Validity of an LE cert is 90 days

• By default the underlying key is changed when renewing

• …so the cert hash changes as well

• So, lots of work if you plan to publish 3 1 1 TLSA

• Using the '2 1 1' method leads to another issue – namely the lack of the DST Root CA X3 certificate in the fullchain.pem file provided by the Let's Encrypt client

• So we need to fetch the DST Root CA X3 certificate, add it to the fullchain.pem file and verify that it did not change from the previous time we renewed…

Script to add DST Root CA X3

lynx --source https://www.identrust.com/certificates/trustid/root-download-x3.html | grep -v "\/textarea" | awk '/textarea/{x=NR+18;next}(NR<=x){print}' | sed -e '1i-----BEGIN CERTIFICATE-----\' | sed -e '$a-----END CERTIFICATE-----\' >> /etc/letsencrypt/live/mx.go6lab.si/fullchain.pem

Valid 3 1 1 and 2 1 1 TLSA records

But…

• At the next certificate renewal, by default the underlying key will change and the 3 1 1 TLSA record will become invalid…

• Labor-wise, we need to keep the underlying key through the renewals

• --csr option in the letsencrypt-auto client

• In the directory "examples" there is a "generate-csr.sh" file

Stable underlying key…

./generate-csr.sh mx.go6lab.si
Generating a 2048 bit RSA private key
................+++
..+++
writing new private key to 'key.pem'
-----
You can now run: letsencrypt auth --csr csr.der

Renewals and hashes…

• Now we are using the same underlying key for automatic renewals of the certificate, so the hash does not change and the 3 1 1 TLSA record works.

• We'll rotate the underlying key when we decide to, driven by human intervention (and also change the TLSA).

• ./letsencrypt-auto certonly -t --debug --renew -a standalone --csr ./mx.go6lab.si.der --keep

• Of course, we add the DST Root CA X3 certificate to fullchain.pem
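The point made on the Let's Encrypt slides and here (a kept key keeps a selector-1 TLSA record valid, a rotated one does not), as an added example that is not from the slides, Postfix or the Let's Encrypt client: a SHA-256 TLSA rdata generator over a DER certificate, with a minimal hand-written DER walker instead of an X.509 library so it runs with the standard library only. The certificate it hashes is a constructed, structurally minimal stand-in (labelled as such in the code), not a real certificate; two "renewals" that differ only in serial number give the same "3 1 1" rdata but different "3 0 1" rdata, and feeding a trust-anchor certificate with usage=2 gives the "2 1 1" form.

```python
import hashlib

def _der_tlv(buf, pos=0):
    """Read one DER TLV at buf[pos]; return (tag, value, end_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _der_children(value):
    """Split a SEQUENCE body into (tag, full_tlv_bytes) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, _, end = _der_tlv(value, pos)
        out.append((tag, value[pos:end]))
        pos = end
    return out

def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 certificate (what selector 1 hashes)."""
    _, cert, _ = _der_tlv(cert_der)                     # Certificate ::= SEQUENCE
    _, tbs, _ = _der_tlv(cert)                          # first child: tbsCertificate
    fields = _der_children(tbs)
    if fields[0][0] == 0xA0:                            # optional EXPLICIT [0] version
        fields = fields[1:]
    return fields[5][1]   # serial, signature, issuer, validity, subject, SPKI

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """Presentation-format TLSA rdata; only matching type 1 (SHA-256) is implemented."""
    assert mtype == 1, "only SHA-256 matching is implemented in this example"
    data = extract_spki(cert_der) if selector == 1 else cert_der
    return f"{usage} {selector} {mtype} {hashlib.sha256(data).hexdigest().upper()}"

def _der(tag, content):
    """Encode one TLV with short or long definite length (used to build the demo cert)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

# Constructed stand-in SPKI (an AlgorithmIdentifier stub plus a BIT STRING), not a real key.
DEMO_SPKI = _der(0x30, _der(0x30, b"") + _der(0x03, b"\x00" + bytes(range(200))))
def demo_cert(serial):
    """Constructed fake certificate (NOT real X.509): only the serial varies, like a renewal with a kept key."""
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial)
               + _der(0x30, b"") * 4 + DEMO_SPKI)       # sigalg, issuer, validity, subject stubs
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
```

For a real deployment pass the DER of the server certificate (or of the DST Root CA X3 certificate with usage=2) to `tlsa_rdata` and publish the result under `_25._tcp.<mx host>`.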

More reading:

http://www.internetsociety.org/deploy360/blog/2016/01/lets-encrypt-certificates-for-mail-servers-and-dane-part-1-of-2/

http://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/

Conclusions

• 70% of email can be encrypted in some way; you just need to enable TLS on your server

• Low number of DNSSEC signed domains/servers

• Even lower number of DANE/TLSA verified servers/connections

• It's easy, go and do it – it's not the end of the world and it helps with verifying who you are sending emails to – and vice versa ;)

Conclusions II.

• DANE verification fails (or is aborted) if the DNSSEC chain of trust is not fully established and complete along the whole way.

• TLSA in not-signed DNS zones would not help you much in preventing your correspondents from sending emails to a server-in-the-middle (if you are not running the latest bleeding edge development version of Postfix)

• DNSSEC/DANE is easy, but please understand what you are doing before implementing it in production…

Q&A

Questions? Protests? Suggestions? Complaints?

jan@go6.si

zorz@isoc.org