SMTP and HTTPS with DANE

A few days ago I dealt with DNSSEC and DANE in conjunction with SMTP and HTTPS. Configuring BIND for DNSSEC is pretty easy. Add these lines to your zone configuration:

auto-dnssec maintain;
inline-signing yes;
key-directory "/etc/bind/keys";

Generate the key-signing key (-fk) and the zone-signing key in /etc/bind/keys:

dnssec-keygen -a RSASHA256 -r /dev/random -b 2048 -3 -fk example.com
dnssec-keygen -a RSASHA256 -r /dev/random -b 2048 -3 example.com

Now your hoster needs to publish the DS record to get fully functional DNSSEC. The easiest way to retrieve the required information is dig:

dig @your_name.server dnskey example.com | dnssec-dsfromkey -f - example.com

DANE is as simple as DNSSEC. You only need to publish the certificate hash in your DNS. Assuming your web server and mail server already work with encryption, you can retrieve the hash with ldns-dane:

ldns-dane create example.com 443
ldns-dane create mx01.example.com 25

With a self-signed cert you can even use openssl:

openssl x509 -in your_cert.crt -outform DER | openssl sha256

Lastly you need to publish the TLSA records from the output:

nsupdate -l
> ttl 3600
> update add _25._tcp.mx01.example.com. IN TLSA 3 0 1 <your mx hash>
> update add _443._tcp.mail.example.com. IN TLSA 3 0 1 <your https hash>
> send
> quit

Be careful. Always use nsupdate, as you told BIND to maintain the DNSSEC-signed zones! Manual changes in the zone files will not work anymore.
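To check that a published TLSA record really matches what a server presents, here is an added Python example (not part of the original post): it builds a TLSA 3 0 1 record the same way the openssl pipeline above does (SHA-256 over the DER certificate) and verifies a DANE-EE record against a presented certificate, failing once the certificate has been rotated. The certificate bytes are a constructed placeholder, not a real certificate; the host names are the ones used above.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a server certificate in DER form (not a real
# certificate); in practice this is what `openssl x509 -outform DER` emits.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))

def tlsa_data(cert_der: bytes, selector: int, mtype: int) -> str:
    """Hex 'certificate association data' for a TLSA record.

    selector 0 = full certificate (what the openssl pipeline hashes);
    selector 1 (SubjectPublicKeyInfo) needs ASN.1 parsing, use ldns-dane.
    mtype 0 = raw bytes, 1 = SHA-256, 2 = SHA-512.
    """
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is supported here")
    if mtype == 0:
        return cert_der.hex()
    if mtype == 1:
        return hashlib.sha256(cert_der).hexdigest()
    if mtype == 2:
        return hashlib.sha512(cert_der).hexdigest()
    raise ValueError(f"unknown matching type {mtype}")

def tlsa_record(host: str, port: int, cert_der: bytes, usage: int = 3,
                selector: int = 0, mtype: int = 1, proto: str = "tcp") -> str:
    """Build the presentation-format record that nsupdate expects."""
    owner = f"_{port}._{proto}.{host.rstrip('.')}."
    data = tlsa_data(cert_der, selector, mtype)
    return f"{owner} IN TLSA {usage} {selector} {mtype} {data}"

_TLSA_RE = re.compile(r"^(\S+)\s+IN\s+TLSA\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9a-fA-F]+)$")

def dane_ee_matches(record: str, presented_cert_der: bytes) -> bool:
    """Check a DANE-EE (usage 3) record against the certificate a server sent."""
    m = _TLSA_RE.match(record.strip())
    if not m:
        raise ValueError("not a TLSA record in presentation format")
    usage, selector, mtype, data = int(m[2]), int(m[3]), int(m[4]), m[5].lower()
    if usage != 3:  # usages 0-2 also need PKIX chain validation; not done offline
        return False
    try:
        expected = tlsa_data(presented_cert_der, selector, mtype)
    except ValueError:  # unsupported selector or matching type: fail closed
        return False
    # Constant-time compare so timing does not reveal how much of the hash matched.
    return hmac.compare_digest(expected, data)
```

Run `dane_ee_matches` after every certificate renewal: a stale TLSA record is the usual reason DANE-validating MTAs stop delivering mail.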