On 09/24/2013 12:06 PM, Petr Spacek wrote:
> On 24.9.2013 19:23, Erinn Looney-Triggs wrote:
>> I wanted to bring up the idea of integrating TLSA records into FreeIPA
>> so that a host that is issued a certificate for say the web server (via
>> dogtag) would also publish that information in DNS using a TLSA record.
>> This is very much like how SSHFP records are handled now in FreeIPA.
>> Has this been considered at all?
>> I am more than happy to write up some more info about this, I just
>> wanted to get a preliminary idea of whether this had been considered at
>> all...
> You definitely have my +1!
> I'm working on DNSSEC support in FreeIPA, but we didn't went so far in
> our plans :-)
> Please create RFE ticket (request for enhancement):
> https://fedorahosted.org/freeipa/newticket
> You will need an Fedora Account, please follow this:
> https://fedoraproject.org/wiki/Account_System/NewAccount
> I would recommend you to add your e-mail address to Cc field in the
> ticket to get latest updates.
> We can continue with discussion here, of course!

Ok well here is my vision for this:

I believe you folks are building a web and cli based interface via IPA
into dogtag. This would tie into that and have something like a check
box to publish the certificate hash in DNS. Again this is much like
SSHFP records.

I don't believe you would want all certificates published via TLSA so it
should probably be optional. As well, the certificates would have to
have a "purpose" by which I mean a way of differentiating between one
for a web server and one for say SMTP. This may tie in with the X509
constraints but I am not sure on that front.

A TLSA record looks much like a SRV record, to wit:
_443._tcp.www.abaqis.com. IN TLSA 3 0 1

So clearly with the port numbers etc included in there, there would need
to be a way to mark a certificate as a web certificate etc.

The certificate hashes would also of course need to be updated as the
certificates are renewed. This may require a tie in to certmonger,
though I suspect not.

This would be a "very good thing" as TLSA will eventually allow us to
circumvent the extremely broken trust model we have with current CAs and
FreeIPA looks like a wonderful candidate place to automate exactly this.

TLSA is not very useful without DNSSEC, which you folks are currently
BIND >= 9.7.6 though earlier versions can use TLSA records this was the
version that implemented native handling.

Use cases:
Honestly at this point there are not a whole lot of programs that can
utilize TLSA. The only notable exception that I know of is postfix,
which will use TLSA natively if configured to do so (thus alleviating
the cottage industry of self signed certificates for smtp server).
Documentation here: http://www.postfix.org/TLS_README.html#client_tls_dane

There is also a plugin for firefox that will validate TLSA:

A nice primer on TLSA:

A program for creating hashes:

And a bit of an article on its use:

And finally a link to the RFE:


Attachment: signature.asc
Description: OpenPGP digital signature

Freeipa-users mailing list

Reply via email to