cPanel & WHM Version 88 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

DANE and TLSA

Osvaldo de Sousa shared this idea 6 years ago
Open Discussion

RFC 6698 (DANE) defines the new DNS record type TLSA,

which holds what is called Certificate Association data. In conjunction

with DNSSEC signatures, this will permit better and more secure ways

for applications to authenticate certificates.

Comments (7)

photo
1

In addition to DNSSEC being an essential part of this request, to the point of being a pre-requisite, I have concerns regarding TLSA.


Most notably, it seems to not be well-designed for a shared hosting environment by its own admission. This is in part because it attempts to shift the role of CA to the end-user. End-user compromises thus have a much bigger impact than when a proper CA is involved. There also seems to be concerns related to DNSSEC (which would be utilized here) adding significant latency during the TLS connection process.


In essence, I am having trouble seeing the value.


This is the first I am reading of this functionality, so I am open to the potential that I have misread or misunderstood the technology. However, at the very least, I feel this demonstrates that we need significant further discussion on this before it is realistically considered.

photo
2

Greetings from an author of RFC7672 (DANE for SMTP email servers). The comment about "proper CAs" is sadly misguided. Adding another trusted party can facilitate introductions, but never increases security. If the end-user is compromised, no CA can help, but a CA can also be compromised to issue poorly validated "DV" certificates.

Properly automated DANE is unconditionally stronger than WebPKI. The main requirement is to not just ask the user to cut/paste cert/key hashes into TLSA record forms, but to integrate TLSA record management into the certificate deployment process, so that changes in the service public key are automatically preceded (2 or more TTLs in advance) by addition of the matching TLSA "3 1 1" record (with stale records removed after certificate deployment).

With monitoring and proper automation, DANE is more robust than "proper CAs". Presently, it is getting used primarily in SMTP, so there's no rush to support DANE for HTTP server certificates, but it is definitely a good time to support automation of TLSA record management for SMTP, as part of the overall certificate rollover process. DANE TLSA should be a checkbox that enables robust TLSA RR publication on an ongoing basis, with regular monitoring whether the records match the certificate chain.

If it is just a form for cut/paste of TLSA records, then the value is questionable, unless users have good tools to automate coordinated updates with certificate rollover.

photo
1

I second this. And if you look to AutoSSL I needs to be automated!

photo
photo
2

Hi Brian,


Yes, DNSSEC is needed for this feature to fully work as intended. RFC4033 was release in 03/2005 and with it's need in RFC6698 should value the DNSSEC speedy implementation.


This is a IETF RFC6698 started in 08/2012 and it's implementation in my view should be regarded was very important (the same can be said for DNSSEC). This is a "PROPOSED STANDARD" but it's an upgrade to security that will benefit several services in an shared hosting environment. If you have concerns regarding the RFC/Protocol I am certain that IETF will welcome cPanel contribution for the standard.


The value is that any/all administrators can easly and with no expense protect their end-users with an simple TLSA Certificate.


In my view, it is better to have an TLSA Certificate and validated DNSSEC domain to have nothing in place to prevent security problems.

photo
1

What is a "proper" CA?


There are already software which don't provide a predefined CA trust list.

E.g. Filezilla asks for trust even when the SSL cert is from a "proper" CA.


The current situation is already "broken".

http://nakedsecurity.sophos.com/2013/12/09/serious-security-google-finds-fake-but-trusted-ssl-certificates-for-its-domains-made-in-france/


CAs which are hacked to create certs

http://googleonlinesecurity.blogspot.de/2014/07/maintaining-digital-certificate-security.html


Verification of faked certs on client side is broken too:

http://news.netcraft.com/archives/2014/02/12/fake-ssl-certificates-deployed-across-the-internet.html


TLSA seems to be a threat for the SSL certificate business.

photo
2

At the moment only DNSSEC are supported in cPanel, but TLSA records cannot be created. This is also "part of the game". Please add "TLSA" to the zone editor, so we can add that record. It should also be created automatically when we activate the DNSSEC, based on the actual active certificate.

The following tool allows us to generate the TLSA record manually at least until cPanel cannot generate it automatically: https://www.huque.com/bin/gen_tlsa

photo
2

Now as DNSSEC is active adding TLSA would be great so Cpanel is finaly state of the art when it comes towards DNS security.

photo
2

As DANE is key for good validation on https://internet.nl/ this is essential for our business.


Many clients in public/private sector need this validation.

So make an tool it will add automatically to our zones.

photo
1

In WHM -> Edit DNS Zone there's TLSA in the drop down of records, however it doesn't produce any fields when chosen.

Is it a feature yet to come? I dont see anything about it in the WHMAPI docs either.


For us it'd be enough if we could just set TLSA records through WHMAPI1, we can create those ourselves and keep them updated.