Some days ago I dealt with DNSSEC and DANE in conjunction with SMTP and HTTPS. Configuring BIND for DNSSEC is pretty easy. Add these lines to your zone configuration:

auto-dnssec maintain;
inline-signing yes;
key-directory "/etc/bind/keys";

Generate the key-signing key (the first command, with -fk) and the zone-signing key in /etc/bind/keys:

dnssec-keygen -a RSASHA256 -r /dev/random -b 2048 -3 -fk <your_zone>
dnssec-keygen -a RSASHA256 -r /dev/random -b 2048 -3 <your_zone>

Now your hoster needs to publish the DS record in the parent zone to get fully functional DNSSEC. The easiest way to retrieve the required information is dig:

dig @your_name.server <your_zone> dnskey | dnssec-dsfromkey -f - <your_zone>

DANE is as simple as DNSSEC. You only need to publish the certificate hash in your DNS. Assuming your web server and mail server already work with encryption, you can retrieve the hash with ldns-dane:

ldns-dane create <your www host> 443   # or: ldns-dane create <your mx> 25

With a self-signed cert you can even use openssl:

openssl x509 -in your_cert.crt -outform DER | openssl sha256

Lastly you need to publish the TLSA records from the output:

nsupdate -l
> ttl 3600
> update add _25._tcp.<your mx>. IN TLSA 3 0 1 <your mx hash>
> update add _443._tcp.<your www host>. IN TLSA 3 0 1 <your https hash>
> send
> quit

Be careful: always use nsupdate, since you told BIND to maintain the DNSSEC-signed zones! Manual changes to the zone files will not work anymore.
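As an added example (not part of the original post), here is a small POSIX shell script that does the openssl part of the procedure above in a reusable way: it computes the hash for a "3 0 1" record from a PEM certificate, builds the full TLSA owner name and rdata for a given host and port, and re-checks a published record against the certificate that is actually deployed. It goes one step beyond the post by also supporting selector 1 ("3 1 1", hash of the SubjectPublicKeyInfo only), which keeps matching after a certificate renewal that reuses the same key. It assumes openssl is installed; all host names and the throwaway self-signed certificate are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes openssl is installed.
# All host names below are placeholders; the certificate is generated on the fly.

# tlsa_hash CERT.pem SELECTOR
#   SELECTOR 0: SHA-256 of the whole DER certificate    (the post's "3 0 1")
#   SELECTOR 1: SHA-256 of the SubjectPublicKeyInfo only ("3 1 1")
tlsa_hash() {
    cert=$1
    selector=$2
    [ "$selector" = 0 ] || [ "$selector" = 1 ] || {
        echo "selector must be 0 (full cert) or 1 (SPKI)" >&2; return 1; }
    if [ "$selector" = 0 ]; then
        openssl x509 -in "$cert" -outform DER
    else
        openssl x509 -in "$cert" -pubkey -noout | openssl pkey -pubin -outform DER
    fi | openssl dgst -sha256 | awk '{print $NF}'   # last field is the hex digest
}

# tlsa_record HOST PORT CERT.pem [SELECTOR]
#   Prints a complete record line, e.g. "_25._tcp.mail.example.test. IN TLSA 3 0 1 <hex>"
tlsa_record() {
    host=$1
    port=$2
    cert=$3
    selector=${4:-0}
    digest=$(tlsa_hash "$cert" "$selector") || return 1
    printf '_%s._tcp.%s. IN TLSA 3 %s 1 %s\n' "$port" "$host" "$selector" "$digest"
}

# tlsa_verify CERT.pem "USAGE SELECTOR MTYPE HEX"
#   Recomputes the digest from the deployed certificate and compares it with
#   the rdata DNS publishes. Run it after every certificate renewal: with
#   selector 0 a renewed certificate invalidates the old record even when the
#   key did not change, and a stale TLSA record makes DANE-aware peers refuse
#   the connection. Returns 0 on match, 1 on mismatch, 2 if unsupported.
tlsa_verify() {
    cert=$1
    set -- $2
    usage=$1; selector=$2; mtype=$3; published=$4
    [ "$usage" = 3 ] || { echo "only DANE-EE (usage 3) handled here" >&2; return 2; }
    [ "$mtype" = 1 ] || { echo "only SHA-256 (matching type 1) handled here" >&2; return 2; }
    computed=$(tlsa_hash "$cert" "$selector") || return 2
    if [ "$computed" = "$(printf %s "$published" | tr 'A-F' 'a-f')" ]; then
        echo "match"
        return 0
    fi
    echo "MISMATCH: DNS publishes $published, certificate gives $computed" >&2
    return 1
}

# make_test_cert DIR: constructed test material, a throwaway self-signed cert
# (EC key so it is fast to generate). Writes DIR/key.pem and DIR/cert.pem.
make_test_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/key.pem" -out "$1/cert.pem" -subj "/CN=www.example.test" \
        -days 1 >/dev/null 2>&1
}

# Stand-alone demo: build both record variants and check them.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir"
tlsa_record www.example.test 443 "$demo_dir/cert.pem" 0
tlsa_record www.example.test 443 "$demo_dir/cert.pem" 1
tlsa_verify "$demo_dir/cert.pem" "3 0 1 $(tlsa_hash "$demo_dir/cert.pem" 0)"
rm -rf "$demo_dir"
```

The "3 0 1" digest this script prints is the same value the post's `openssl x509 ... | openssl sha256` pipeline gives, so the two can be cross-checked. The verify step is the one worth wiring into a renewal hook: publish the record for the new certificate (or switch to selector 1) before the old certificate is swapped out, and keep the old record until the TTL has expired.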


2015-10-20 10:36:02