Michael Tremer

ipfire.org is signed now
by Michael Tremer, May 29, 2014

Finally, our domain name ipfire.org is signed by DNSSEC.

This has been a struggle for a long time and finally, I was able to transfer it to a new registrar that supports DNSSEC. I am operating my own name servers since a long time as there has been literally no DNS provider out there who decently supported DNSSEC so far. Since a couple of weeks, since Heartbleed, there is a magnificent boost for DNSSEC, DANE and related things in the media, so I finally took the last step to enable DNSSEC for ipfire.org, as well.

As mentioned, the old registrar did not support DNSSEC at all and they said that I was literally the second customer who has ever asked for that (got this reply in 2013). Therefore, there was no “need” in their opinion to do something about it. The solution with which I was left for the short term was DLVDNSSEC Look-aside validation by the ISC. This basically works like DNSSEC itself except that the keys are stored in a different zone and a DNSSEC-validating recursor would need to search this zone for the signatures when validating records. A lot of recursors implement this, but this is of course not a proper solution and just supposed to help deploying DNSSEC before the registrars start supporting it.

On https://forum.ipfire.org/, you will find our forums in the usual manner, except that the HTTPS connection is secured by DANE – a protocol extension that validates the SSL certificate against a hash that is stored in the DNS zone. So this certificate does not need to be signed by a public CA like Thawte or Versign as it is already perfectly validated by DNSSEC.

Unfortunately, none of the major web browsers supports DANE as of writing this post. There has been support in Chrome, but this has been removed in 2011 again – apparently for the reason that nobody used it. So we are now doomed to use a plugin called DNSSEC/TLSA Validator. When I say doomed I don’t want to talk bad about this great plugin. It is available for a variety of web browsers and does a great job. However, what a plugin can do is very limited and a proper integration into the web browsers would be a lot better and I guess that we can hope for it being integrated into the major browsers again soon.

What makes me hope for that? Postfix, the MTA, has been extended to use DANE validation and been enabled with a lot of publicity by some mail providers. The IPFire mail server has also been using DANE for incoming and outgoing connections as long as the opposite sending mail server used DANE as well.

So there is happening a lot in this area. DNSSEC is a great tool to provide not just more security against spoofing DNS records. It enables us to put a lot more information into the DNS zones and ensures that we can rely on the authenticity of this data. DANE is one of those things that use DNSSEC to get rid of the long-time broken CA model. SSHFP records can carry (very similar to TLSA) fingerprints of SSH keys, so spoofing those becomes much more difficult, too.

If DNSSEC/DANE/TLSA/SSHFP is so great…

...why don’t we have, yet? The DNSSEC RFC is almost two decades old and deploying it went slowly. It is actually not that difficult to do, but most of the software used to serve DNS zones only recently got the code to handle DNSSEC. Many people felt that there is no need for that and claimed that DNSSEC might be just as dead as IPv6.

Like mentioned earlier, Heartbleed showed us once again that we need to take much more care of our software and services that we operate. Also the Snowden revelations showed us the very same thing: We don’t know who the attacker is and what they are capable of. We must be prepared for the worst.

DNSSEC is not the only solution for all of the problems, but it is again a small step and willl protect a very essential component of the Internet – the DNS system.

Signing more and more zones is happening every day. Now we need to make sure that we take benefit from that on the client side. DNS clients must validate the DNS signatures and preferably cache the result as best as possible to compensate for the performance impact of DNSSEC. This is really not much, but a lightning fast DNS system is pretty essential to me.

There is a wish on the IPFire wishlist to integrate the latest version of dnsmasq that supports DNSSEC validation into IPFire. We will need to make some modifications to this software so that dnsmasq will be able to serve the dynamic DHCP leases as well.

Please help us with this undertaking and let’s enhance IPFire to be able to talk DNSSEC!


Posted: May 29, 2014 • 784 views