Re: Announcement: LetsDNS release 1.0 is now available
On 13.04.22 at 10:26, Damian wrote:
> https://mail.sys4.de/mailman/listinfo/dane-users does not work?

thanks, that information was missing.

Regards,
Matthias

--
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning." -- Rich Cook
Re: Announcement: LetsDNS release 1.0 is now available
On Wednesday, April 13, 2022 10:22 CEST, Matthias Fechner wrote:
> On 12.04.2022 at 19:15, Ralph Seichter wrote:
> > I'm happy to use dane-us...@sys4.de if you don't mind it. I consider
> > that one pretty much *your* mailing list and did not mean to just barge
> > in, although I had obviously hoped for your input in particular.
>
> how can I sub-scr1be to this list?
> Sorry to write it this way, but there is a stupid filter in place that
> blocks the email.
>
> Regards
> Matthias
>
> --
> "Programming today is a race between software engineers striving to
> build bigger and better idiot-proof programs, and the universe trying to
> produce bigger and better idiots. So far, the universe is winning." --
> Rich Cook

does https://mail.sys4.de/mailman/listinfo/dane-users not work? or you just needed the link?
Re: Announcement: LetsDNS release 1.0 is now available
On 12.04.2022 at 19:15, Ralph Seichter wrote:
> I'm happy to use dane-us...@sys4.de if you don't mind it. I consider
> that one pretty much *your* mailing list and did not mean to just barge
> in, although I had obviously hoped for your input in particular.

how can I sub-scr1be to this list?
Sorry to write it this way, but there is a stupid filter in place that blocks the email.

Regards
Matthias

--
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning." -- Rich Cook
Re: Announcement: LetsDNS release 1.0 is now available
* Viktor Dukhovni:
> Perhaps dane-users then. I don't find Github to be a good forum for
> discussing design options.

I'm happy to use dane-us...@sys4.de if you don't mind it. I consider that one pretty much *your* mailing list and did not mean to just barge in, although I had obviously hoped for your input in particular.

> Github is OK for discussion of a pull request, but it is no substitute
> for a mailing list.

Quite so. I prefer mailing lists myself.

-Ralph
Re: Announcement: LetsDNS release 1.0 is now available
> On 12 Apr 2022, at 1:05 pm, Ralph Seichter wrote:
>
> I invite you and other interested parties to discuss this on GitHub [1]
> rather than the Postfix mailing list. Release 1.0 is meant to provide
> core functionality, and follows the "release early and often" approach.
> There is of course room for enhancements.

Perhaps dane-users then. I don't find Github to be a good forum for discussing design options. Lack of threading, poor editor, ... Github is OK for discussion of a pull request, but it is no substitute for a mailing list.

--
Viktor.
Re: Announcement: LetsDNS release 1.0 is now available
* Erwan David:
> as you can see, LetsDNS would have to act in cooperation with the
> certificate update.

Which is exactly why I launch LetsDNS from a "dehydrated" hook whenever the latter has obtained a new certificate, but before that certificate is moved from staging into production. This allows publishing TLSA records for the queued certificate hours or days before it becomes active.

Again, https://github.com/LetsDNS/letsdns/discussions seems like a better place to discuss this than the Postfix mailing list.

-Ralph
Re: Announcement: LetsDNS release 1.0 is now available
* Viktor Dukhovni:
> My first impression reading the docs is that "letsdns" is not involved
> in certificate rollovers. Its job is solely to automate TLSA record
> updates.

Indeed.

> Are TLSA records matching the previous cert/key retained?

No, LetsDNS is stateless beyond the configuration files' content. What exactly happens during each run depends on the configured actions. The dane-tlsa live DNS update removes existing TLSA records and generates new ones for the certificates configured in this particular run.

> There's a need for an example complete config file. Also
> more sophisticated deployment models that involve TLSA
> RR CNAMEs, support for "2 1 1" records and detection of
> changes in the issuing CA, ...

"2 1 1" records are already generated; see https://dane.sys4.de/smtp/seichter.de

> Also, I don't see tooling for robust cert rollover [...]

This already works, but I agree that the documentation is quite sparse at this point.

> Thus 1.0 is an MVP snapshot, but much work remains.

I invite you and other interested parties to discuss this on GitHub [1] rather than the Postfix mailing list. Release 1.0 is meant to provide core functionality, and follows the "release early and often" approach. There is of course room for enhancements.

-Ralph

[1] https://github.com/LetsDNS/letsdns/discussions
Re: Announcement: LetsDNS release 1.0 is now available
On 12/04/2022 at 18:52, Ralph Seichter wrote:
> * Erwan David:
> > Does it handle restarting/reloading a program when changing the
> > certificate ? Postfix does not need it, but dovecot does.
>
> LetsDNS does not obtain or change TLS certificates, because that's what specialised ACME clients like "dehydrated" or "certbot" are for. A hook function in one of these clients would be a reasonable place to restart a service.
>
> LetsDNS generates and/or publishes DANE TLSA records matching the certificates it reads. The example configuration I provided shows how this can be used to gracefully roll over certificates when using a staging mechanism.
>
> The DANE Users mailing list is probably better suited for further discussion of this subject.
>
> -Ralph

Ok, but due to DNS caching, I think that the TLSA update should follow the same sort of algorithm as a DNSSEC key rollover. A first thought about this would be

1) generate new cert, stage it
2) publish new TLSA in DNS
3) wait DNS TTL
4) change certificate for the staged one (might have to reload/restart some service)
5) remove old TLSA.

That's just a first approximation, I am not sure there is not a time where a client has only the old TLSA and gets the new cert in the connection.

As you can see, LetsDNS would have to act in cooperation with the certificate update.
Re: Announcement: LetsDNS release 1.0 is now available
* Erwan David:
> Does it handle restarting/reloading a program when changing the
> certificate ? Postfix does not need it, but dovecot does.

LetsDNS does not obtain or change TLS certificates, because that's what specialised ACME clients like "dehydrated" or "certbot" are for. A hook function in one of these clients would be a reasonable place to restart a service.

LetsDNS generates and/or publishes DANE TLSA records matching the certificates it reads. The example configuration I provided shows how this can be used to gracefully roll over certificates when using a staging mechanism.

The DANE Users mailing list is probably better suited for further discussion of this subject.

-Ralph
Re: Announcement: LetsDNS release 1.0 is now available
> On 12 Apr 2022, at 12:36 pm, Erwan David wrote:
>
> Does it handle restarting/reloading a program when changing the certificate ?
> Postfix does not need it, but dovecot does.

My first impression reading the docs is that "letsdns" is not involved in certificate rollovers. Its job is solely to automate TLSA record updates.

The documentation is rather silent about what specifically happens when a certificate file changes:

* Are TLSA records matching the previous cert/key retained?
* For how long?

There's a need for an example complete config file. Also more sophisticated deployment models that involve TLSA RR CNAMEs, support for "2 1 1" records and detection of changes in the issuing CA, ...

Also, I don't see tooling for robust cert rollover, with the DNS changes made up front, which means that the TLSA "3 1 1" records need to be computed from a private key file, not a public certificate.

Thus 1.0 is an MVP snapshot, but much work remains.

--
Viktor.
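The pre-publication rollover Erwan sketches in his reply, together with Viktor's point above that a "3 1 1" record must be computable from the private key before any certificate exists, as an added example. This is not LetsDNS's own code and not part of the thread; it uses the openssl CLI under POSIX sh and emits nsupdate scripts of the kind LetsDNS can generate. The owner name mail.example.org, port 25, zone example.org and the 3600 s TTL are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not LetsDNS code: derive DANE TLSA "3 1 1" data with the
# openssl CLI and emit nsupdate scripts for a pre-publication rollover.
# Assumed for the illustration: POSIX sh, openssl in PATH, owner
# mail.example.org on port 25 in zone example.org, a 3600 s TTL.
set -eu

# SHA-256 of the DER SubjectPublicKeyInfo taken from a PEM certificate.
# This is the association data of a TLSA "3 1 1" record for that cert.
spki_sha256_from_cert() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# The same digest derived from the private key alone. Selector 1 hashes
# only the public key, so the record can be published before the CA has
# issued a certificate for that key (the staged-key case in the thread).
spki_sha256_from_key() {
    openssl pkey -in "$1" -pubout -outform DER \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Render a complete TLSA "3 1 1" RR. Arguments: owner port digest
tlsa_311_rr() {
    printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$1" "$3"
}

# Print an nsupdate script for one rollover step.
# Arguments: add|delete zone owner port ttl digest
#   add    - publish the RR of the staged key next to the current one
#   delete - retire the RR of the old key once that key is no longer served
tlsa_nsupdate_script() {
    action=$1 zone=$2 owner=$3 port=$4 ttl=$5 digest=$6
    printf 'zone %s.\n' "$zone"
    case $action in
        add)
            printf 'update add _%s._tcp.%s. %s IN TLSA 3 1 1 %s\n' \
                "$port" "$owner" "$ttl" "$digest" ;;
        delete)
            printf 'update delete _%s._tcp.%s. IN TLSA 3 1 1 %s\n' \
                "$port" "$owner" "$digest" ;;
        *)
            echo "usage: tlsa_nsupdate_script add|delete zone owner port ttl digest" >&2
            return 2 ;;
    esac
    printf 'send\n'
}

# Demo: a self-signed "current" certificate plus a freshly generated
# "staged" key that has no certificate yet. Run with: sh tlsa-rollover.sh demo
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=mail.example.org \
        -keyout "$d/current.key" -out "$d/current.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/staged.key" 2>/dev/null
    cur=$(spki_sha256_from_cert "$d/current.crt")
    new=$(spki_sha256_from_key "$d/staged.key")
    echo "# current key (digest taken from the certificate):"
    tlsa_311_rr mail.example.org 25 "$cur"
    echo "# staged key (digest taken from the private key, no cert yet):"
    tlsa_311_rr mail.example.org 25 "$new"
    echo "# pre-publish the staged key, then wait at least one TTL before switching:"
    tlsa_nsupdate_script add example.org mail.example.org 25 3600 "$new"
    echo "# after the service serves the new key, retire the old RR:"
    tlsa_nsupdate_script delete example.org mail.example.org 25 3600 "$cur"
    rm -rf "$d"
}

if [ "${1-}" = demo ]; then demo; fi
```

Between the add and the delete script, both records are present in DNS, which is what lets a client that cached the old RRset still verify the old key while a client with a fresh answer verifies either. The delete script is only safe once the old certificate is no longer presented by the service and at least one TTL has elapsed since the switch.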
Re: Announcement: LetsDNS release 1.0 is now available
On 12/04/2022 at 15:30, Ralph Seichter wrote:
> I'm happy to announce that LetsDNS release 1.0 is now available and ready for public use.
>
> Website: https://letsdns.org
> GitHub : https://github.com/LetsDNS/letsdns
> PyPI   : https://pypi.org/project/letsdns/
>
> LetsDNS is a utility to manage DANE TLSA records in DNS servers with only a few lines of configuration. It supports multiple domains with multiple TLS certificates each.
>
> LetsDNS can be invoked manually, from cron jobs, or called in hook functions of ACME clients like dehydrated or certbot. It currently supports backends via the DNS Update Protocol (RFC 2136), the Hetzner DNS API, and a generator for nsupdate scripts. Additionally, LetsDNS is designed to be expanded using custom Python modules which are loaded dynamically during runtime.
>
> I'd appreciate you taking LetsDNS for a leisurely spin, and letting me know of your experiences. GitHub discussions/issues are preferred, but you can also send mail to "author at letsdns dot org".
>
> Enjoy.
>
> -Ralph
>
> P.S.: This is a copy of today's DANE Users mailing list announcement.

Does it handle restarting/reloading a program when changing the certificate ? Postfix does not need it, but dovecot does.
Re: Announcement: LetsDNS release 1.0 is now available
* Ruben Safir:
> automated systems with root access are inherently not secure

Ah, nothing quite like shooting sweeping statements from the hip, is there? :-) See paragraph one of https://letsdns.org/operation.html .

-Ralph
Re: Announcement: LetsDNS release 1.0 is now available
Hello,

This statement is at best off topic. Worst case scenario, it's toxic. And you can be polite, too.

Thank you.

> On 12 Apr 2022, at 16:58, Ruben Safir wrote:
>
> automated systems with root access are inherently not secure
>
>
> On Tue, Apr 12, 2022 at 03:30:57PM +0200, Ralph Seichter wrote:
>> I'm happy to announce that LetsDNS release 1.0 is now available and
>> ready for public use.
>>
>> Website: https://letsdns.org
>> GitHub : https://github.com/LetsDNS/letsdns
>> PyPI   : https://pypi.org/project/letsdns/
>>
>> LetsDNS is a utility to manage DANE TLSA records in DNS servers with
>> only a few lines of configuration. It supports multiple domains with
>> multiple TLS certificates each.
>>
>> LetsDNS can be invoked manually, from cron jobs, or called in hook
>> functions of ACME clients like dehydrated or certbot. It currently
>> supports backends via the DNS Update Protocol (RFC 2136), the Hetzner
>> DNS API, and a generator for nsupdate scripts. Additionally, LetsDNS
>> is designed to be expanded using custom Python modules which are loaded
>> dynamically during runtime.
>>
>> I'd appreciate you taking LetsDNS for a leisurely spin, and letting me
>> know of your experiences. GitHub discussions/issues are preferred, but
>> you can also send mail to "author at letsdns dot org".
>>
>> Enjoy.
>>
>> -Ralph
>>
>> P.S.: This is a copy of today's DANE Users mailing list announcement.
>
> --
> So many immigrant groups have swept through our town
> that Brooklyn, like Atlantis, reaches mythological
> proportions in the mind of the world - RI Safir 1998
> http://www.mrbrklyn.com
>
> DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
> http://www.nylxs.com - Leadership Development in Free Software
> http://www2.mrbrklyn.com/resources - Unpublished Archive
> http://www.coinhangout.com - coins!
> http://www.brooklyn-living.com
>
> Being so tracked is for FARM ANIMALS and extermination camps,
> but incompatible with living as a free human being. -RI Safir 2013
Re: Announcement: LetsDNS release 1.0 is now available
automated systems with root access are inherently not secure

On Tue, Apr 12, 2022 at 03:30:57PM +0200, Ralph Seichter wrote:
> I'm happy to announce that LetsDNS release 1.0 is now available and
> ready for public use.
>
> Website: https://letsdns.org
> GitHub : https://github.com/LetsDNS/letsdns
> PyPI   : https://pypi.org/project/letsdns/
>
> LetsDNS is a utility to manage DANE TLSA records in DNS servers with
> only a few lines of configuration. It supports multiple domains with
> multiple TLS certificates each.
>
> LetsDNS can be invoked manually, from cron jobs, or called in hook
> functions of ACME clients like dehydrated or certbot. It currently
> supports backends via the DNS Update Protocol (RFC 2136), the Hetzner
> DNS API, and a generator for nsupdate scripts. Additionally, LetsDNS
> is designed to be expanded using custom Python modules which are loaded
> dynamically during runtime.
>
> I'd appreciate you taking LetsDNS for a leisurely spin, and letting me
> know of your experiences. GitHub discussions/issues are preferred, but
> you can also send mail to "author at letsdns dot org".
>
> Enjoy.
>
> -Ralph
>
> P.S.: This is a copy of today's DANE Users mailing list announcement.

--
So many immigrant groups have swept through our town
that Brooklyn, like Atlantis, reaches mythological
proportions in the mind of the world - RI Safir 1998
http://www.mrbrklyn.com

DRM is THEFT - We are the STAKEHOLDERS - RI Safir 2002
http://www.nylxs.com - Leadership Development in Free Software
http://www2.mrbrklyn.com/resources - Unpublished Archive
http://www.coinhangout.com - coins!
http://www.brooklyn-living.com

Being so tracked is for FARM ANIMALS and extermination camps,
but incompatible with living as a free human being. -RI Safir 2013
Announcement: LetsDNS release 1.0 is now available
I'm happy to announce that LetsDNS release 1.0 is now available and ready for public use.

Website: https://letsdns.org
GitHub : https://github.com/LetsDNS/letsdns
PyPI   : https://pypi.org/project/letsdns/

LetsDNS is a utility to manage DANE TLSA records in DNS servers with only a few lines of configuration. It supports multiple domains with multiple TLS certificates each.

LetsDNS can be invoked manually, from cron jobs, or called in hook functions of ACME clients like dehydrated or certbot. It currently supports backends via the DNS Update Protocol (RFC 2136), the Hetzner DNS API, and a generator for nsupdate scripts. Additionally, LetsDNS is designed to be expanded using custom Python modules which are loaded dynamically during runtime.

I'd appreciate you taking LetsDNS for a leisurely spin, and letting me know of your experiences. GitHub discussions/issues are preferred, but you can also send mail to "author at letsdns dot org".

Enjoy.

-Ralph

P.S.: This is a copy of today's DANE Users mailing list announcement.