Dakons blog

Erstellt: 6. 7. 2014, 21:14
GeƤndert: 15. 7. 2014, 11:25

Generating DANE DNS records for servers using CAcert.org certificates with tinydns


For those that do not have the money or nationality to be included into the bullshit made in Germany network, or that simply say that this is, well, bullshit, there is the way to use DANE records. They have one disadvantage: they need DNSSEC to be really secure, and sadly my hoster Hetzner currently doesn't support that. But I thought that having them in place anyway can't hurt.

There are several ways to match a certificate by those records, e. g. you can assert that a specific certificate is used, or the root of your trust chain is a specific certificate. You can also publish the complete certificate or just a hash. Since I am a lazy folk I decided that I would publish the root of the certificate chain, i. e. the CAcert root certificate. This is slightly less secure as any certificate signed by CAcert.org for my domain name would be accepted, but the way CAcert works I would have to do that signing. On the other side this is one of the advantages, as I can change the keys and certs any time, as long as it is signed by CAcert the DANE records don't need to change. The other advantage is that the same record for every host and service I use, as all of them use CAcert.

Most howtos will end in "IN TLSA" records, which are for BIND nameservers. I run tinydns from the djbdns package, which uses a different format. So, how did I proceed?

Two more tips, slightly related: if you are on an openSUSE system the CAcert certificates are not installed by default. But you don't have to do any magic by hand:

zypper in ca-certificates-cacert

And for those that want DNSSEC with tinydns: tinydnssec could be the way to go (haven't tested that yet).