DANE/DNSSEC/TLS Testing in the Go6lab - RIPE
Jan Žorž, ISOC/Go6 Institute, Slovenia

Transcript of the slide deck.
Acknowledgement
I would like to thank the Internet Society for letting me spend some of my ISOC working time in the Go6lab testing all these new and exciting protocols and mechanisms that make the Internet a bit better and more secure place…
DNSSEC implementation in Go6lab
• PowerDNS server (used as primary for non-signed domains) as "hidden" primary DNS server
• OpenDNSSEC platform for signing domains
• BIND9 DNS servers as secondaries to OpenDNSSEC to serve signed zones
• Virtualization used: PROXMOX 3.4
• OS templates: fedora-20, CentOS 6/7
DNSSEC implementation in Go6lab
• "Bump in the wire": OpenDNSSEC sits between the hidden primary and the public servers
• Two public "primary" servers
• Concept: (diagram on the slide)
DNSSEC in Go6lab
• That was fairly easy and it works very well.
• Implementation document used, from Matthijs Mekking: http://go6.si/docs/opendnssec-start-guide-draft.pdf
DANE experiment
• When DNSSEC was set up and functioning we started to experiment with DANE (DNS-based Authentication of Named Entities, RFC 6698).
• Requirements:
  – DNSSEC signed domains
  – Postfix server with TLS support, version 2.11 or newer (DANE support arrived in Postfix 2.11)
• We decided on Postfix 3.0.1
DANE
• TLSA record for mx.go6lab.si:

```
_25._tcp.mx.go6lab.si. IN TLSA 3 0 1 B4B7A46F9F0DFEA0151C2E07A5AD7908F4C8B0050E7CC25908DA05E2A84748ED
```

It's basically a hash of the TLS certificate on mx.go6lab.si: usage 3 (DANE-EE, the server's own end-entity certificate), selector 0 (the whole certificate), matching type 1 (SHA-256 of its DER encoding). The owner name is the port and protocol (_25._tcp) prefixed to the MX hostname, and the record only has any effect when the zone it lives in is DNSSEC signed.

More about DANE: http://www.internetsociety.org/deploy360/resources/dane/
What is DANE and how does it work
(three diagram slides, not transcribed)
DANE verification
• mx.go6lab.si was able to verify the TLS cert of the T-2 mail server, NLnet Labs and some others… (the second log line below was logged by a remote Postfix, host "dicht", verifying mx.go6lab.si in turn)

```
mx postfix/smtp[31332]: Verified TLS connection established to smtp-good-in-2.t-2.si[2a01:260:1:4::24]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
dicht postfix/smtp[29540]: Verified TLS connection established to mx.go6lab.si[2001:67c:27e4::23]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
```

"Verified" is the Postfix trust level that means the peer certificate matched the policy, here the TLSA record; a CA-signed certificate that merely chains to a trusted root is only logged as "Trusted".
Postfix config

```
# server side (inbound): offer STARTTLS opportunistically
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/postfix/ssl/server.pem
smtpd_tls_cert_file = /etc/postfix/ssl/server.pem
smtpd_tls_auth_only = no
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
# client side (outbound): opportunistic DANE, falls back to "may" without usable TLSA records
smtp_tls_security_level = dane
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1
tls_random_exchange_name = /var/run/prng_exch
tls_random_source = dev:/dev/urandom
tls_smtp_use_tls = yes
```

Two caveats not on the slide: the "dane" client level only does anything if Postfix also has smtp_dns_support_level = dnssec and /etc/resolv.conf points at a DNSSEC-validating resolver, because Postfix decides whether a TLSA record is "secure" from the AD bit in the resolver's answer; without that it logs a warning and DANE is not used. smtpd_use_tls and smtp_use_tls are the obsolete pre-2.3 switches superseded by the *_tls_security_level lines, and tls_smtp_use_tls is not a Postfix parameter at all (it is ignored).
Malformed TLSA record
• We created a TLSA record with a bad hash (one character changed)
• Postfix failed to verify it and refused to send the message (the delivery is deferred; it is not downgraded to unauthenticated TLS or cleartext):

```
mx postfix/smtp[1765]: Untrusted TLS connection established to mail-bad.go6lab.si[2001:67c:27e4::beee]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
mx postfix/smtp[1765]: 3A4BE8EE5C: Server certificate not trusted
```
1M top Alexa domains and DANE
• We fetched the top 1 million Alexa domains and created a script that sent an email to each of them (test-dnssec-dane@[domain])
• After some tweaking of the script we got some good results
• Then we built a script that parsed the mail log file; here are the results:
Results
• Out of 1 million domains, 992,232 of them had an MX record and a mail server.
• Nearly 70% (687,897) of all attempted SMTP sessions to the MX records of the Alexa top 1 million domains were encrypted with TLS
• The majority of TLS connections (60%) were established with a trusted certificate
• 1,382 connections where the remote mail server announced TLS capability failed with "Cannot start TLS: handshake failure"
More results
TLS established connection ratios are:
• Anonymous: 109,753
• Untrusted: 167,063
• Trusted: 410,953
• Verified: 128

Quick guide: Anonymous (opportunistic TLS with an anonymous cipher suite, so no certificate is presented at all), Untrusted (peer certificate not signed by a trusted CA), Trusted (peer certificate signed by a trusted CA) and Verified (verified with TLSA by DANE). The four numbers add up to the 687,897 TLS sessions above.
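The log-parsing step of the Alexa experiment, as an added example that is not the Go6lab script (the talk does not show it): it classifies Postfix smtp client log lines into the four trust levels above plus "handshake failure", and breaks them down per remote MX host as in the mail-distribution table that follows. The log lines are constructed for the example in the format Postfix uses; the hostnames and addresses are placeholders. One trap it avoids: "Trusted" is a substring of "Untrusted", so a plain `grep -c Trusted` would count both; the match is anchored on the ": " that precedes the trust word.

```shell
#!/bin/sh
# Added example (not the Go6lab script from the talk): summarise the TLS trust
# level of outbound Postfix deliveries from a mail log.  Needs only awk and sort.
set -eu

# awk program shared by both views.  Postfix logs one line of the form
#   "<Level> TLS connection established to host[addr]:port: ..."
# per outbound TLS session, where <Level> is Anonymous, Untrusted, Trusted or
# Verified.  The regex is anchored on the ": " in front of the level word, so
# "Trusted" never matches inside "Untrusted".
TLS_AWK='
match($0, /: (Anonymous|Untrusted|Trusted|Verified) TLS connection established to /) {
    s = substr($0, RSTART + 2, RLENGTH - 2)   # "Verified TLS connection established to "
    split(s, w, " ")
    level = w[1]
    host = substr($0, RSTART + RLENGTH)        # "mx.example.test[2001:db8::25]:25: TLSv1.2 ..."
    sub(/\[.*/, "", host)                      # keep the hostname only
    n[level]++
    h[host " " level]++
    next
}
/Cannot start TLS: handshake failure/ { n["HandshakeFailure"]++ }
END {
    if (mode == "hosts") {
        for (k in h) print k, h[k]
    } else {
        split("Anonymous Untrusted Trusted Verified HandshakeFailure", order, " ")
        for (i = 1; i <= 5; i++) print order[i], n[order[i]] + 0
    }
}'

# Per-level totals, one "Level count" line each, in a fixed order.
tls_state_counts() {                # usage: tls_state_counts < mail.log
    awk -v mode=summary "$TLS_AWK"
}

# Per-host breakdown ("host Level count"), sorted: the mail-distribution view
# from the talk, per MX host rather than per provider.
tls_state_by_host() {               # usage: tls_state_by_host < mail.log
    awk -v mode=hosts "$TLS_AWK" | sort
}

# Constructed sample log in Postfix's format (hostnames/addresses are placeholders).
SAMPLE_LOG=$(cat <<'EOF'
Mar  1 10:00:01 mx postfix/smtp[31332]: Verified TLS connection established to smtp-good-in-2.t-2.si[2a01:260:1:4::24]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar  1 10:00:02 mx postfix/smtp[31340]: Trusted TLS connection established to aspmx.l.google.com[2a00:1450:400c:c0b::1a]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar  1 10:00:03 mx postfix/smtp[31341]: Trusted TLS connection established to alt1.aspmx.l.google.com[2a00:1450:400c:c0c::1a]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar  1 10:00:04 mx postfix/smtp[1765]: Untrusted TLS connection established to mail-bad.go6lab.si[2001:67c:27e4::beee]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  1 10:00:04 mx postfix/smtp[1765]: 3A4BE8EE5C: Server certificate not trusted
Mar  1 10:00:05 mx postfix/smtp[31350]: Anonymous TLS connection established to mx.example.test[2001:db8::25]:25: TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
Mar  1 10:00:06 mx postfix/smtp[31351]: Cannot start TLS: handshake failure
Mar  1 10:00:07 mx postfix/smtp[31352]: 5B6C7D8E9F: to=<test-dnssec-dane@example.test>, relay=mx2.example.test[192.0.2.25]:25, delay=0.4, delays=0.1/0/0.2/0.1, dsn=2.0.0, status=sent (250 OK)
EOF
)

printf '%s\n' "$SAMPLE_LOG" | tls_state_counts
printf '%s\n' "$SAMPLE_LOG" | tls_state_by_host
```

On a real server run it as `tls_state_counts < /var/log/mail.log`; the "status=sent" line without a preceding TLS line is a cleartext delivery and is deliberately not counted, which is how the 70%-encrypted figure is derived (TLS sessions over total relays).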
DANE Verified
• Verified: 128 !!! (out of 687,897 TLS sessions, i.e. under 0.02%)
Mail distribution
(MX hosts grouped by the provider's domain)

| Mail servers | # domains handled | TLS state |
|---|---|---|
| google.com | 125,422 | Trusted |
| secureserver.net | 35,759 | Some trusted, some no TLS at all |
| qq.com | 11,254 | No TLS |
| yandex.ru | 9,268 | Trusted |
| ovh.net | 8,531 | Mostly trusted, with redirect servers having no TLS at all |
| emailsrvr.com | 8,262 | Trusted |
| zohomail.com | 2,981 | Trusted |
| lolipop.jp | 1,685 | No TLS |
| kundenserver.de | 2,834 | Trusted |
| gandi.net | 2,200 | Anonymous |
DNSSEC? DANE?
None of these "big" mail servers (and their domains) are DNSSEC signed, which meant no DANE was possible for them up to January 2016 (see the Postfix 3.1 change below).
When do DANE things fail?
• Of course, with a wrong certificate hash in the TLSA record (Postfix refuses to send mail)
• If the domain where the MX record resides is not DNSSEC signed (can't trust the data in the MX, so no verification)
• If the TLSA record is published in a non-DNSSEC zone (can't trust the data in the TLSA, so no verification)
When do things fail? (example)
• The go6lab.si zone is signed, so is mx.go6lab.si
• There is a TLSA record for mx.go6lab.si, also signed
• Domain signed.si is signed and its MX points to mx.go6lab.si
• Domain not-signed.si is not signed and its MX points to mx.go6lab.si
• Send mail to jan@signed.si and jan@not-signed.si (signed.si and not-signed.si are used just as examples)
When do things fail? (example)

jan@signed.si (signed domain):
```
Verified TLS connection established to mx.go6lab.si[2001:67c:27e4::23]:25:
```
jan@not-signed.si (not signed domain):
```
Anonymous TLS connection established to mx.go6lab.si[2001:67c:27e4::23]:25:
```

Same MX host, same signed TLSA record, different result: for not-signed.si the MX lookup itself is insecure, so Postfix 3.0 never consults the TLSA record and the session degrades to opportunistic TLS.
When does DANE verification also fail?
• Let's try to point the MX record of the signed domain to an A/AAAA record in the not-signed domain, with a TLSA record that is (obviously) also not signed: mail.not-signed.si
• Send mail to jan@signed.si when the MX for signed.si points to mail.not-signed.si: DANE verification is not even started, as the chain of trust is broken
Postfix latest improvements :)

postfix-3.1-20160103/HISTORY:

```
20160103

	Feature: enable DANE policies when an MX host has a secure
	TLSA DNS record, even if the MX DNS record was obtained
	with insecure lookups. The existence of a secure TLSA record
	implies that the host wants to talk TLS and not plaintext.
	This behavior is controlled with smtp_tls_dane_insecure_mx_policy
	(default: "dane", other settings: "encrypt" and "may"; the
	latter is backwards-compatible with earlier Postfix releases).
	Viktor Dukhovni.
```
Let's Encrypt, DANE and mail
• Let's Encrypt recommends using "2 1 1" and "3 1 1" records
• Validity of an LE cert is 90 days
• By default the underlying key is changed when renewing
• …so the cert hash also changes
• So, lots of work if you plan to publish a 3 1 1 TLSA record (a 3 0 1 record is worse still: it hashes the whole certificate, so it changes on every reissue even when the key stays the same)
• Using the "2 1 1" method leads to another issue, namely the lack of the DST Root CA X3 certificate in the fullchain.pem file provided by the Let's Encrypt client
• So we need to fetch the DST Root CA X3 certificate, add it to the fullchain.pem file, and verify that it did not change from the previous time we renewed…

Caveat (not on the slide): a 2 1 1 record pins whichever CA certificate you hashed, and DST Root CA X3 expired in September 2021; Let's Encrypt now chains to ISRG Root X1, so both the 2 1 1 record and the appended chain have to follow such a CA change, which is exactly what the "did it change" check above is for.
Script to add DST Root CA X3

```sh
# Scrape the base64 body of the root cert out of the <textarea> on IdenTrust's
# download page and append it, wrapped as PEM, to the chain Postfix serves.
# GNU sed syntax; appends unconditionally, so compare the fingerprint of the
# fetched cert with the previous one before running this on every renewal.
lynx --source https://www.identrust.com/certificates/trustid/root-download-x3.html \
  | grep -v "\/textarea" \
  | awk '/textarea/{x=NR+18;next}(NR<=x){print}' \
  | sed -e '1i-----BEGIN CERTIFICATE-----\' \
  | sed -e '$a-----END CERTIFICATE-----\' \
  >> /etc/letsencrypt/live/mx.go6lab.si/fullchain.pem
```
Valid 3 1 1 and 2 1 1 TLSA records
(the records are shown on the slide)
But…
• At the next certificate renewal, by default the underlying key will change and the 3 1 1 TLSA record will become invalid…
• Labor-wise, we need to keep the underlying key through the renewals
• --csr option in the letsencrypt-auto client
• In the directory "examples" there is a "generate-csr.sh" file
Stable underlying key…

```
$ ./generate-csr.sh mx.go6lab.si
Generating a 2048 bit RSA private key
................+++
..+++
writing new private key to 'key.pem'
-----
You can now run: letsencrypt auth --csr csr.der
```
Renewals and hashes…
• Now we are using the same underlying key for automatic renewals of the certificate, so the hash does not change and the 3 1 1 TLSA record keeps working.
• We'll rotate the underlying key when we decide to, driven by human intervention (and also change the TLSA record: as with any DANE key rollover, publish the new record next to the old one, wait at least a TTL, then switch the key).
• ./letsencrypt-auto certonly -t --debug --renew -a standalone --csr ./mx.go6lab.si.der --keep
• Of course, we add the DST Root CA X3 certificate to fullchain.pem

Newer certbot releases offer --reuse-key for the same purpose, so the CSR workflow above is no longer the only way to keep the key stable.
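The TLSA hashing behind the "3 0 1" record on the DANE slide, the malformed-record test, and the 3 1 1 / 2 1 1 stable-key discussion above, as one added shell example that is not the Go6lab setup: it builds TLSA rdata from certificate files with openssl, checks a certificate against published rdata (one changed hex digit fails), and shows on two certificates issued for the same key that the 3 1 1 digest survives a reissue while the 3 0 1 digest does not. It assumes openssl, awk, tr and mktemp are on PATH; mx.example.test and the self-signed certificates are placeholders. To check a live server against the record it actually publishes, Postfix's own posttls-finger (e.g. `posttls-finger -l dane -c mx.example.test`) does the DNSSEC lookups and the verification for you; the functions here work on files, so they run offline.

```shell
#!/bin/sh
# Added example (not Go6lab's setup): build TLSA records from certificate files,
# check a certificate against published rdata, and show which record types
# survive a Let's Encrypt renewal.  Assumes openssl, awk, tr and mktemp are on
# PATH; mx.example.test and the generated certs are placeholders.
set -eu

# Emit the DER bytes a TLSA selector covers: 0 = the whole certificate,
# 1 = only its SubjectPublicKeyInfo (so a reissued cert with the same key
# hashes the same).
tlsa_covered_bytes() {       # tlsa_covered_bytes SELECTOR CERT.pem
    case $1 in
        0) openssl x509 -in "$2" -outform DER ;;
        1) openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER ;;
        *) echo "tlsa: bad selector $1" >&2; return 2 ;;
    esac
}

# Upper-case hex digest for matching type 1 (SHA-256) or 2 (SHA-512).
tlsa_digest() {              # tlsa_digest SELECTOR MTYPE CERT.pem
    case $2 in
        1) alg=sha256 ;; 2) alg=sha512 ;;
        *) echo "tlsa: bad matching type $2" >&2; return 2 ;;
    esac
    tlsa_covered_bytes "$1" "$3" | openssl dgst "-$alg" | awk '{print $NF}' | tr a-f A-F
}

# Rdata "USAGE SELECTOR MTYPE HEX".  Usage 3 (DANE-EE) hashes the server's own
# certificate; usage 2 (DANE-TA) hashes the CA certificate, which the server
# must then also send in its chain (hence appending the root to fullchain.pem).
tlsa_rdata() {               # tlsa_rdata USAGE SELECTOR MTYPE CERT.pem
    printf '%s %s %s %s\n' "$1" "$2" "$3" "$(tlsa_digest "$2" "$3" "$4")"
}

# Full record for the MX host; the owner name is _PORT._tcp.HOST.
tlsa_record() {              # tlsa_record PORT HOST USAGE SELECTOR MTYPE CERT.pem
    printf '_%s._tcp.%s. IN TLSA %s\n' "$1" "$2" "$(tlsa_rdata "$3" "$4" "$5" "$6")"
}

# Recompute the digest from a certificate and compare it with published rdata
# (case-insensitively).  Returns 0 on match, 1 otherwise: one changed hex digit,
# as in the "malformed TLSA record" test, is enough to fail.
tlsa_check() {               # tlsa_check CERT.pem "USAGE SELECTOR MTYPE HEX"
    cert=$1; set -- $2
    want=$(printf '%s' "$4" | tr a-f A-F)
    have=$(tlsa_digest "$2" "$3" "$cert")
    [ "$want" = "$have" ]
}

# Flip the last hex digit of rdata, to simulate the bad record from the talk.
tlsa_corrupt() {             # tlsa_corrupt "USAGE SELECTOR MTYPE HEX"
    case $1 in *0) printf '%s1\n' "${1%0}" ;; *) printf '%s0\n' "${1%?}" ;; esac
}

# Demo: a self-signed cert, a second cert issued for the same key (what the
# --csr / generate-csr.sh workflow gives you), and the checks.
tlsa_demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/key.pem" -out "$d/cert1.pem" \
        -subj /CN=mx.example.test -days 1 -set_serial 1 >/dev/null 2>&1
    openssl req -x509 -new -key "$d/key.pem" -out "$d/cert2.pem" \
        -subj /CN=mx.example.test -days 2 -set_serial 2 >/dev/null 2>&1
    tlsa_record 25 mx.example.test 3 0 1 "$d/cert1.pem"
    tlsa_record 25 mx.example.test 3 1 1 "$d/cert1.pem"
    good=$(tlsa_rdata 3 1 1 "$d/cert1.pem")
    bad=$(tlsa_corrupt "$good")
    tlsa_check "$d/cert1.pem" "$good" && echo "published 3 1 1 matches cert1"
    tlsa_check "$d/cert1.pem" "$bad" || echo "record with one changed digit: rejected"
    [ "$(tlsa_rdata 3 1 1 "$d/cert2.pem")" = "$good" ] && echo "reissued with the same key: 3 1 1 still valid"
    [ "$(tlsa_rdata 3 0 1 "$d/cert2.pem")" != "$(tlsa_rdata 3 0 1 "$d/cert1.pem")" ] && echo "reissued: 3 0 1 changed"
    rm -rf "$d"
}

tlsa_demo
```

For a production record run `tlsa_record 25 mx.example.test 3 1 1 /etc/letsencrypt/live/mx.example.test/cert.pem` and paste the output into the signed zone; for a 2 1 1 record pass the CA certificate instead, and keep `tlsa_check` in the renewal hook so a key or CA change is caught before the new certificate goes live.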
More reading:
http://www.internetsociety.org/deploy360/blog/2016/01/lets-encrypt-certificates-for-mail-servers-and-dane-part-1-of-2/
http://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
Conclusions
• 70% of email can be encrypted in some way; you just need to enable TLS on your server
• Low number of DNSSEC signed domains/servers
• Even lower number of DANE/TLSA verified servers/connections
• It's easy, go and do it: it's not the end of the world and it helps with verifying who you are sending emails to, and vice versa ;)
Conclusions II.
• DANE verification failed (or was aborted) if the DNSSEC chain of trust is not fully established and complete along the whole way.
• A TLSA record in a not-signed DNS zone would not help you much in preventing your correspondents from sending emails to a server-in-the-middle (the Postfix 3.1 change above only helps when the MX lookup is insecure but the TLSA record itself is in a signed zone; an unsigned TLSA record is never used for DANE).
• DNSSEC/DANE is easy, but please understand what you are doing before implementing it in production…