DANE and TLSA
Open Discussion
RFC 6698 (DANE) defines the new DNS record type TLSA,
which holds what is called Certificate Association data. In conjunction
with DNSSEC signatures, this will permit better and more secure ways
for applications to authenticate certificates.
I like this idea 
cPanel, WebHost Manager and WHM are registered trademarks of cPanel, L.L.C. for providing its computer software that facilitates the management and configuration of Internet web servers.
In addition to DNSSEC being an essential part of this request, to the point of being a pre-requisite, I have concerns regarding TLSA.
Most notably, it seems to not be well-designed for a shared hosting environment by its own admission. This is in part because it attempts to shift the role of CA to the end-user. End-user compromises thus have a much bigger impact than when a proper CA is involved. There also seems to be concerns related to DNSSEC (which would be utilized here) adding significant latency during the TLS connection process.
In essence, I am having trouble seeing the value.
This is the first I am reading of this functionality, so I am open to the potential that I have misread or misunderstood the technology. However, at the very least, I feel this demonstrates that we need significant further discussion on this before it is realistically considered.
In addition to DNSSEC being an essential part of this request, to the point of being a pre-requisite, I have concerns regarding TLSA.
Most notably, it seems to not be well-designed for a shared hosting environment by its own admission. This is in part because it attempts to shift the role of CA to the end-user. End-user compromises thus have a much bigger impact than when a proper CA is involved. There also seems to be concerns related to DNSSEC (which would be utilized here) adding significant latency during the TLS connection process.
In essence, I am having trouble seeing the value.
This is the first I am reading of this functionality, so I am open to the potential that I have misread or misunderstood the technology. However, at the very least, I feel this demonstrates that we need significant further discussion on this before it is realistically considered.
Hi Brian,
Yes, DNSSEC is needed for this feature to fully work as intended. RFC4033 was release in 03/2005 and with it's need in RFC6698 should value the DNSSEC speedy implementation.
This is a IETF RFC6698 started in 08/2012 and it's implementation in my view should be regarded was very important (the same can be said for DNSSEC). This is a "PROPOSED STANDARD" but it's an upgrade to security that will benefit several services in an shared hosting environment. If you have concerns regarding the RFC/Protocol I am certain that IETF will welcome cPanel contribution for the standard.
The value is that any/all administrators can easly and with no expense protect their end-users with an simple TLSA Certificate.
In my view, it is better to have an TLSA Certificate and validated DNSSEC domain to have nothing in place to prevent security problems.
Hi Brian,
Yes, DNSSEC is needed for this feature to fully work as intended. RFC4033 was release in 03/2005 and with it's need in RFC6698 should value the DNSSEC speedy implementation.
This is a IETF RFC6698 started in 08/2012 and it's implementation in my view should be regarded was very important (the same can be said for DNSSEC). This is a "PROPOSED STANDARD" but it's an upgrade to security that will benefit several services in an shared hosting environment. If you have concerns regarding the RFC/Protocol I am certain that IETF will welcome cPanel contribution for the standard.
The value is that any/all administrators can easly and with no expense protect their end-users with an simple TLSA Certificate.
In my view, it is better to have an TLSA Certificate and validated DNSSEC domain to have nothing in place to prevent security problems.
What is a "proper" CA?
There are already software which don't provide a predefined CA trust list.
E.g. Filezilla asks for trust even when the SSL cert is from a "proper" CA.
The current situation is already "broken".
http://nakedsecurity.sophos.com/2013/12/09/serious-security-google-finds-fake-but-trusted-ssl-certificates-for-its-domains-made-in-france/
CAs which are hacked to create certs
http://googleonlinesecurity.blogspot.de/2014/07/maintaining-digital-certificate-security.html
Verification of faked certs on client side is broken too:
http://news.netcraft.com/archives/2014/02/12/fake-ssl-certificates-deployed-across-the-internet.html
TLSA seems to be a threat for the SSL certificate business.
What is a "proper" CA?
There are already software which don't provide a predefined CA trust list.
E.g. Filezilla asks for trust even when the SSL cert is from a "proper" CA.
The current situation is already "broken".
http://nakedsecurity.sophos.com/2013/12/09/serious-security-google-finds-fake-but-trusted-ssl-certificates-for-its-domains-made-in-france/
CAs which are hacked to create certs
http://googleonlinesecurity.blogspot.de/2014/07/maintaining-digital-certificate-security.html
Verification of faked certs on client side is broken too:
http://news.netcraft.com/archives/2014/02/12/fake-ssl-certificates-deployed-across-the-internet.html
TLSA seems to be a threat for the SSL certificate business.
At the moment only DNSSEC are supported in cPanel, but TLSA records cannot be created. This is also "part of the game". Please add "TLSA" to the zone editor, so we can add that record. It should also be created automatically when we activate the DNSSEC, based on the actual active certificate.
The following tool allows us to generate the TLSA record manually at least until cPanel cannot generate it automatically: https://www.huque.com/bin/gen_tlsa
At the moment only DNSSEC are supported in cPanel, but TLSA records cannot be created. This is also "part of the game". Please add "TLSA" to the zone editor, so we can add that record. It should also be created automatically when we activate the DNSSEC, based on the actual active certificate.
The following tool allows us to generate the TLSA record manually at least until cPanel cannot generate it automatically: https://www.huque.com/bin/gen_tlsa
Now as DNSSEC is active adding TLSA would be great so Cpanel is finaly state of the art when it comes towards DNS security.
Now as DNSSEC is active adding TLSA would be great so Cpanel is finaly state of the art when it comes towards DNS security.
As DANE is key for good validation on https://internet.nl/ this is essential for our business.
Many clients in public/private sector need this validation.
So make an tool it will add automatically to our zones.
As DANE is key for good validation on https://internet.nl/ this is essential for our business.
Many clients in public/private sector need this validation.
So make an tool it will add automatically to our zones.
In WHM -> Edit DNS Zone there's TLSA in the drop down of records, however it doesn't produce any fields when chosen.
Is it a feature yet to come? I dont see anything about it in the WHMAPI docs either.
For us it'd be enough if we could just set TLSA records through WHMAPI1, we can create those ourselves and keep them updated.
In WHM -> Edit DNS Zone there's TLSA in the drop down of records, however it doesn't produce any fields when chosen.
Is it a feature yet to come? I dont see anything about it in the WHMAPI docs either.
For us it'd be enough if we could just set TLSA records through WHMAPI1, we can create those ourselves and keep them updated.
We also need TLSA and DANE, as testing sites are starting to make customers nervous about missing security:
https://en.xn--sikkerpnettet-vfb.dk/test-site/
We also need TLSA and DANE, as testing sites are starting to make customers nervous about missing security:
https://en.xn--sikkerpnettet-vfb.dk/test-site/
Replies have been locked on this page!