Dear DANE users,
On 01.07.20 at 13:16, Paul Menzel wrote:
On 01.07.20 at 08:27, Viktor Dukhovni wrote:
On Jul 1, 2020, at 4:01 AM, Paul Menzel wrote:
I would like to inform you that, after several years of waiting, the Deutsche
Forschungsnetz will finally offer a solution for using their mail
support with DNSSEC/DANE [1]. For whatever reason, they do not want
to fiddle/test with dfn.de, and, therefore, are going to introduce
the new domain dfnsec.de first.
The pilot phase is going to be from August 3rd to 31st, and they
are introducing faulty entries on Tuesday and Thursday from 10:00
to 14:00.
I take this to mean that dfn.de is planning to have DNSSEC signed MX
hosts with TLSA RRs under a new dfnsec.de domain. That's good news,
thanks!
Yes, it is meant as opt-in.
Good news. The pilot was successful, and after over four years, the DFN
finally delivered.
Luckily, it looks like they were able to remove the internal doubts, and
have now set up DNSSEC for dfn.de directly and published the TLSA resource
records [2].
In terms of candidate DNSSEC-signed domains currently using dfn.de MX
hosts, that could/should consider switching to dfnsec.de, I currently
find the following 33 in the DNSSEC/DANE survey dataset:
[…]
All 33 domains now support DANE automatically. Yeah!
A lot of the subdomains of mpg.de use the DFN-MailSupport separately,
and of those, to my knowledge, only we – molgen.mpg.de – have set up
DNSSEC. (The other few DNSSEC users do *not* use the DFN-MailSupport –
for example mpifr-bonn.mpg.de.)
As written, unfortunately, not all subdomains of mpg.de have DNSSEC set up.
My institute molgen.mpg.de and cpfs.mpg.de from Dresden do use DNSSEC,
and therefore have DANE working now.
[…]
Kind regards,
Paul
[2]: https://www.mailsupport.dfn.de/news/aktivierung-der-tlsa-records
PS: Example:
$ /usr/sbin/posttls-finger -t30 -T180 -c -L verbose,summary -l dane-only -P /etc/ssl/certs/ molgen.mpg.de
posttls-finger: initializing the client-side TLS engine
posttls-finger: using DANE RR: _25._tcp.a1241.mx.srv.dfn.de IN TLSA 3 0 1
27:0E:C9:DD:08:18:AB:C8:1C:96:68:3F:11:16:D8:A5:EA:66:66:D3:64:29:FD:5D:83:D6:11:F6:87:26:C9:3A
posttls-finger: setting up TLS connection to
a1241.mx.srv.dfn.de[194.95.232.62]:25
posttls-finger: a1241.mx.srv.dfn.de[194.95.232.62]:25: TLS cipher list
"aNULL:-aNULL:HIGH:MEDIUM:+RC4:@strength:!aNULL"
posttls-finger: a1241.mx.srv.dfn.de[194.95.232.62]:25: depth=3 verify=1
subject=/C=DE/O=T-Systems Enterprise Services GmbH/OU=T-Systems Trust
Center/CN=T-TeleSec GlobalRoot Class 2
posttls-finger: a1241.mx.srv.dfn.de[194.95.232.62]:25: depth=2 verify=1
subject=/C=DE/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e.
V./OU=DFN-PKI/CN=DFN-Verein Certification Authority 2
posttls-finger: a1241.mx.srv.dfn.de[194.95.232.62]:25: depth=1 verify=1
subject=/C=DE/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e.
V./OU=DFN-PKI/CN=DFN-Verein Global Issuing CA
posttls-finger: a1241.mx.srv.dfn.de[194.95.232.62]:25: depth=0 verify=1
subject=/C=DE/ST=Berlin/L=Berlin/O=Verein zur Foerderung eines Deutschen
Forschungsnetzes e. V./OU=Geschaeftsstelle/CN=*.mx.srv.dfn.de
posttls-finger: a1241.mx.srv.dfn.de[194.95.232.62]:25: depth=0 matched end
entity certificate sha256 digest
27:0E:C9:DD:08:18:AB:C8:1C:96:68:3F:11:16:D8:A5:EA:66:66:D3:64:29:FD:5D:83:D6:11:F6:87:26:C9:3A
posttls-finger: a1241.mx.srv.dfn.de[194.95.232.62]:25:
subject_CN=*.mx.srv.dfn.de, issuer_CN=DFN-Verein Global Issuing CA,
fingerprint=25:2C:32:73:0D:01:13:53:F5:59:1D:1E:CA:E4:DA:8B:E0:94:75:56,
pkey_fingerprint=D5:6E:6C:41:CC:28:0F:66:71:8C:76:D1:F1:5B:F9:7C:EB:13:8A:AB
posttls-finger: Verified TLS connection established to
a1241.mx.srv.dfn.de[194.95.232.62]:25: TLSv1.3 with cipher
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384)
server-signature RSA-PSS (4096 bits) server-digest SHA256
$ /usr/sbin/posttls-finger -t30 -T180 -c -L verbose,summary -l dane-only -P /etc/ssl/certs/ vw.molgen.mpg.de
posttls-finger: initializing the client-side TLS engine
posttls-finger: using DANE RR: _25._tcp.b1234.mx.srv.dfn.de IN TLSA 3 0 1
27:0E:C9:DD:08:18:AB:C8:1C:96:68:3F:11:16:D8:A5:EA:66:66:D3:64:29:FD:5D:83:D6:11:F6:87:26:C9:3A
posttls-finger: setting up TLS connection to
b1234.mx.srv.dfn.de[194.95.234.102]:25
posttls-finger: b1234.mx.srv.dfn.de[194.95.234.102]:25: TLS cipher list
"aNULL:-aNULL:HIGH:MEDIUM:+RC4:@strength:!aNULL"
posttls-finger: b1234.mx.srv.dfn.de[194.95.234.102]:25: depth=3 verify=1
subject=/C=DE/O=T-Systems Enterprise Services GmbH/OU=T-Systems Trust
Center/CN=T-TeleSec GlobalRoot Class 2
posttls-finger: b1234.mx.srv.dfn.de[194.95.234.102]:25: depth=2 verify=1
subject=/C=DE/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e.
V./OU=DFN-PKI/CN=DFN-Verein Certification Authority 2
posttls-finger: b1234.mx.srv.dfn.de[194.95.234.102]:25: depth=1 verify=1
subject=/C=DE/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e.
V./OU=DFN-PKI/CN=DFN-Verein Global Issuing CA
posttls-finger: b1234.mx.srv.dfn.de[194.95.234.102]:25: depth=0 verify=1
subject=/C=DE/ST=Berlin/L=Berlin/O=Verein zur Foerderung eines Deutschen
Forschungsnetzes e. V./OU=Geschaeftsstelle/CN=*.mx.srv.dfn.de
posttls-finger: b1234.mx.srv.dfn.de[194.95.234.102]:25: depth=0 matched end
entity certificate sha256 digest
27:0E:C9:DD:08:18:AB:C8:1C:96:68:3F:11:16:D8:A5:EA:66:66:D3:64:29:FD:5D:83:D6:11:F6:87:26:C9:3A
posttls-finger: b1234.mx.srv.dfn.de[194.95.234.102]:25:
subject_CN=*.mx.srv.dfn.de, issuer_CN=DFN-Verein Global Issuing CA,
fingerprint=25:2C:32:73:0D:01:13:53:F5:59:1D:1E:CA:E4:DA:8B:E0:94:75:56,
pkey_fingerprint=D5:6E:6C:41:CC:28:0F:66:71:8C:76:D1:F1:5B:F9:7C:EB:13:8A:AB
posttls-finger: Verified TLS connection established to
b1234.mx.srv.dfn.de[194.95.234.102]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384
(256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits)
server-digest SHA256
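An added example, not code from Paul's message or from Postfix: the `TLSA 3 0 1` record above is the SHA-256 of the full DER leaf certificate (usage 3 = DANE-EE, selector 0 = full certificate, matching type 1 = SHA-256), which is why posttls-finger reports "matched end entity certificate sha256 digest". The script below derives `3 0 1` and `3 1 1` (SubjectPublicKeyInfo) records from a certificate with Python's standard library only, and checks a published record against the certificate a server presented, accepting both DNS presentation hex and the colon-separated hex posttls-finger prints. The DER helpers are my own and the certificate bytes are a constructed stand-in with dummy field contents.

```python
import hashlib

def _der(tag, body):
    """Minimal DER TLV encoder (short- and long-form lengths)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def spki_of(cert_der):
    """DER SubjectPublicKeyInfo (selector 1 input): the 7th field of
    tbsCertificate when the explicit [0] version is present, else the 6th."""
    _, cert, _ = _tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate ::= SEQUENCE
    pos, fields = 0, []
    while pos < len(tbs):
        _, _, nxt = _tlv(tbs, pos)
        fields.append(tbs[pos:nxt])
        pos = nxt
    return fields[6 if tbs[0] == 0xA0 else 5]

def tlsa_rdata(cert_der, usage=3, selector=0, mtype=1):
    """Presentation-format RDATA a zone would publish for this certificate."""
    if mtype != 1:
        raise ValueError("only matching type 1 (SHA-256) is handled here")
    data = cert_der if selector == 0 else spki_of(cert_der)
    return f"{usage} {selector} {mtype} {hashlib.sha256(data).hexdigest().upper()}"

def tlsa_matches(rdata, presented_cert_der):
    """Does the published record match the leaf certificate a server sent?"""
    usage, sel, mt, digest = rdata.split(None, 3)
    want = digest.replace(":", "").replace(" ", "").upper()
    have = tlsa_rdata(presented_cert_der, int(usage), int(sel), int(mt)).split()[3]
    return have == want

# Constructed stand-in for a DER certificate (not a real one): the real layout
# (tbsCertificate, signatureAlgorithm, signature) with dummy field contents.
SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
            + _der(0x03, b"\x00" + b"\x01" * 16))
TBS = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + 4 * _der(0x30, b"") + SPKI)
CERT = _der(0x30, TBS + _der(0x30, b"") + _der(0x03, b"\x00" + b"\x02" * 8))
```

On a live MX the same check is `tlsa_matches(rdata, cert_der)` with the RDATA from a DNSSEC-validated TLSA lookup and `cert_der` taken from the server's STARTTLS certificate chain.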