On 12/30/2014 11:19 PM, Viktor Dukhovni wrote:
On Tue, Dec 30, 2014 at 07:47:24PM -0500, John wrote:

I have setup my DNS server for DNSSEC + DANE. I am using inline signing on
Bind9 and it appears to be working for HTTPS access.
I have a minor problem with key rolling, it seems to be a rather cumbersome
process at the moment, but I suspect that it is me rather than the process.

Having got it working for HTTPS, I felt that I could move on to implementing
it for SMTP (Postfix).
For inbound DANE TLS you're all set.  My work-in-progress danecli
shows:

     $ danecli -mg klam.ca
     klam.ca. IN MX 10 smtp.klam.ca. ; NOERROR AD=1 1/0 1/0/1
     smtp.klam.ca. IN A 74.116.186.178 ; passed
     _25._tcp.smtp.klam.ca. IN TLSA 3 0 1 5bf12300255d1475ae43677b7062ab8964ca097ee6096cd005115b8c974e83ab ; passed at depth=0
     smtp.klam.ca. IN AAAA 2001:470:b183:10:0:0:0:178 ; connerr: Connection timed out

Which means that smtp.klam.ca has a working TLSA RRset, but perhaps
has IPv6 connectivity issues.

As for key rotation, see:

     https://tools.ietf.org/draft-ietf-dane-ops-07#section-8.1
     https://tools.ietf.org/draft-ietf-dane-ops-07#section-8.4

smtp_use_tls = yes
This is obsolete, superseded by smtp_tls_security_level below:

smtp_tls_security_level = dane
And likewise:

smtpd_use_tls = yes
smtpd_tls_security_level = may

Just so I get this right, "smtpd_tls_security_level = dane" is acceptable? I ask because I did not find this in the Postfix docs.
Do I also need "smtpd_dns_support_level = dnssec"?
Answered my own question: postconf tosses out smtpd...= dnssec and accepts smtpd...= dane.
Are there any other gotchas that I should be aware of?

Thank you very much for the test.
Yes, I have an intermittent IPv6 problem - my ISP. To get IPv6 connectivity I have to use the HE.net tunnel broker, as my ISP is thinking about IPv6. I suspect that as they are resellers for Bell Canada he is waiting for them to get off their butts. 98% of the time there is no problem, but every so often IPv6 just stops working. This appears to be one of them.

--
John Allen
KLaM
------------------------------------------
In the world of the internet
if you're not paying for something, you're not the customer;
you are the product being sold
from the blue_beetle
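As an added example, not code from this thread, from Postfix or from danecli: a Python check of the kind the danecli output above reports ("passed at depth=0") and that the dane-ops key-rotation advice depends on. It computes the TLSA certificate association data of a DER certificate for selector 0 (full certificate) or 1 (SubjectPublicKeyInfo) and matching type 0/1/2, and looks for a matching usage-3 (DANE-EE) record in a published RRset, which is the check to run on a new certificate before it goes live. The function names and the sample certificate are constructed, and the DER parser covers only what is needed to reach the SubjectPublicKeyInfo.

```python
import hashlib

def der_elements(buf):
    """Split a DER SEQUENCE body into its raw elements (tag + length + value)."""
    out, pos = [], 0
    while pos < len(buf):
        start, length, pos = pos, buf[pos + 1], pos + 2
        if length & 0x80:                            # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        pos += length
        out.append(buf[start:pos])
    return out

def der_value(elem):
    """Value bytes of one DER element (tag and length stripped)."""
    return elem[2 + (elem[1] & 0x7F):] if elem[1] & 0x80 else elem[2:]

def spki_der(cert_der):
    """SubjectPublicKeyInfo of a DER certificate, the object TLSA selector 1 covers."""
    fields = der_elements(der_value(der_elements(der_value(cert_der))[0]))  # tbsCertificate
    if fields[0][0] == 0xA0:                         # optional [0] version
        fields = fields[1:]
    return fields[5]   # serial, signature, issuer, validity, subject, SPKI

def tlsa_data(cert_der, selector, matching):
    """Hex certificate association data for (selector, matching type)."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    algo = {1: "sha256", 2: "sha512"}.get(matching)   # 0 = full data, no hash
    return data.hex() if algo is None else hashlib.new(algo, data).hexdigest()

def dane_ee_match(rrset, cert_der):
    """First usage-3 (DANE-EE) record of rrset matching cert_der, else None. Run it on
    the *new* certificate before deploying: its record must already be published."""
    for usage, selector, matching, data in rrset:
        if usage == 3 and tlsa_data(cert_der, selector, matching) == data.lower():
            return (usage, selector, matching, data)
    return None

def der(tag, body):
    """Short-form DER encoder (bodies < 128 bytes) for the constructed sample only."""
    return bytes([tag, len(body)]) + body

# Constructed sample: a structurally valid certificate skeleton with a fake key.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                  + der(0x03, b"\x00\x04" + bytes(range(64))))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                  + der(0x30, b"") * 4 + SAMPLE_SPKI)
                  + der(0x30, b"") + der(0x03, b"\x00" + b"\xaa" * 23))
```

For a real certificate, read the DER bytes from disk (or convert PEM with openssl x509 -outform DER) and pass the RRset as (usage, selector, matching, hex) tuples.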
