Question on DANE dns security and best practices

I have a question on domain/web and mail server security best practices. I understand that DKIM, SPF and maybe a DMARC record are quasi-standard and a must-have. What about DANE? I see that not even our mail provider has it implemented, and it's his business after all. So is DANE/DNSSEC something you consider worth activating, or is it not widely used or necessary?

As a side note, I became aware of DANE because of this test site. I am asking myself if it is a bit overzealous, as the results are quite poor, even for a site that is rated A+ in SSL Labs. Btw, I had to change the TLS policy in Neth to the newest entry, else SSL Labs rated the site with a B only. I was surprised that TLS 1.0 and 1.1 are active in the standard configuration, but it was easy enough to change that in Cockpit.

Following are the points that are criticized at https://en.internet.nl and are the reason for the mediocre rating:

  • Not reachable via an IPv6 address. Really? Is that an argument nowadays?
  • Domain not signed with DNSSEC
  • Your web server offers an HSTS policy with a cache validity period (max-age) that is not sufficiently long (i.e. less than 1 year). We consider an HSTS cache validity period of at least 1 year (max-age=31536000) to be sufficiently secure.
  • Your web server supports one or more ciphers that have a phase out status, because they are known to be fragile and are at risk of becoming insufficiently secure:
    AES128-SHA256 (phase out)
    AES256-GCM-SHA384 (phase out)
    AES128-GCM-SHA256 (phase out)
    AES256-SHA256 (phase out)
  • Your web server does not prefer ‘Good’ over ‘Sufficient’ over ‘Phase out’ ciphers (‘II’):
    ECDHE-RSA-AES256-SHA384
    ECDHE-RSA-AES128-GCM-SHA256
  • Your web server supports insufficiently secure parameters for Diffie-Hellman key exchange:
    DH-2048 (insufficient)
  • Your web server does not support OCSP stapling
  • Your website domain does not contain a TLSA record for DANE
  • Your web server does not offer Content-Security-Policy (CSP), or does offer CSP with certain insecure settings.

Those verdicts finally lead to a score of 47%.

What do you think of those findings? Quite a difference to an A+ rated site by SSL Labs.


The mail server with DKIM/SPF/DMARC enabled gets a slightly better rating, but still only 62%, again because of missing IPv6, DNSSEC, DANE, ciphers, key exchange parameters and client-initiated renegotiation.


I would be interested in some of our experts' judgement of the results this site is delivering. Do they exaggerate? I mean IPv6 - c'mon :slight_smile:

And if they have some valid points - do you have recommendations to implement in a NethServer environment to augment security?

For the record, some links that I did not yet have the time to read through; I thought I'd maybe first ask here instead of wasting time on a maybe exaggerated safety need:


@Elleni

Hi

RIPE (Réseaux IP Européens), which manages all European IPs, confirmed 1-2 years ago that IPv4 addresses for Europe have run out.

Even if you've got the financial backing, your only option now, if you want to start a BIG European provider, is to buy one with plenty of allocated IPs.


That's why IPv6 is needed. (Admittedly, as my clients and I myself use NethServer, I have deactivated IPv6 in all networks except for LAB nets.)

Even in Switzerland, providers like UPC will only give you IPv6 unless you ASK for IPv4, for example to use with company VPNs. Then you will get IPv4 allocated.


My 2 cents
Andy

DANE: Overrated, too paranoid.


Even DMARC is not really well thought out; plenty of issues, especially with mailing lists.
I don't use DMARC at all, but do use SPF and DKIM.

1 Like

Hi Andy, and thanks for your comment. I find it overzealous that they rate based on the availability of IPv6, DANE and so on. But maybe they have some valid points (HSTS cache policy, ciphers, key exchange, OCSP stapling)? I'd be interested in some opinions, but I also think that maybe SPF/DKIM and the newest TLS are enough to be on the safe side. :slight_smile:

What about DNSSEC? Our provider would support full DNSSEC, but I did not find it beneficial enough to look into it yet, apart from activating it in Pi-hole along with using the filtering Quad9 upstream DNS server :slight_smile:

These two are important for mail server ↔ mail server communications, absolutely.
TLS is more a client-side thing, as SMTP between servers is not encrypted, as per RFC.

1 Like

Yeah, I mean not only for mail services, but with Nextcloud we also serve a website, so


IPv6:

If, say, one of your co-workers works from a home office and changes their provider, you could run into IPv6 trouble.

If you're aware that you can ASK for IPv4 from most providers here, that's easily solved, once you know it's an IPv6 problem.


But if you don't think of IPv6 issues, you can look for a long time before you solve the issues (mail server on Neth not reachable, for example).

As to DNSSEC, I quite agree. Not yet a must; more headaches than benefit at the moment.


1 Like

All valid and important, agreed.

But all these have nothing to do with mail/SMTP as such. And both are actually services for clients, less server-to-server issues.


For other services, I do agree.

1 Like

Thanks for your point of view. I'll wait then to see whether there are settings that should be changed to improve some of their reported "issues" like HSTS cache policy, ciphers, key exchange, OCSP stapling. Btw, is 2048 bits for a Let's Encrypt certificate still OK? On my private non-Neth Nextcloud server on Gentoo I had already configured a 4096-bit Let's Encrypt certificate years ago. Maybe some of the above could make it into the standard settings within NethServer if they are considered more secure, like elliptic curves instead of RSA keys for SSH, for example?

My settings on OPNsense should speak for themselves: (Used at all 25-30 clients.)

1 Like

I have exactly the same settings in OPNsense for our users' VPN certificates. :smiley:

You're also using an expiry of 10 years for CA / certs? (= 3652 days)

It's NOT 10 x 365 days; you need to add two for leap years (Schaltjahre), as in 10 years there are exactly two!

A lot of friends wondered why 3652 and not 3650 :slight_smile:

(Screenshot 2021-04-05 at 22:54:18)

1 Like

Well - no, I have 3650 indeed :slight_smile:

Life is continuous learning.

And we did learn in primary school how leap years worked :slight_smile:

1 Like

I have configured DANE, TLSA, SPF, DKIM, DMARC on all of my servers.
For testing, I use:

https://dane.sys4.de/

On https://en.internet.nl/mail/ I have persistent issues:
1. IPv6 - of course
2. Ciphers (Algorithm selections)

Verdict:

At least one of your mail servers supports one or more ciphers that have a phase out status, because they are known to be fragile and are at risk of becoming insufficiently secure.

Technical details:

Mail server (MX) First found affected cipher Status
mydomain.de. AES256-GCM-SHA384 phase out

3. Key exchange parameters

Verdict:

At least one of your mail servers supports insufficiently secure parameters for Diffie-Hellman key exchange.

Technical details:

Mail server (MX) Affected parameters Security level
mydomain.de. DH-2048 insufficient

4. Client-initiated renegotiation

Verdict:

At least one of your mail servers allows for client-initiated renegotiation, which could have negative impact on the availability of your mail server.

Technical details:

Mail server (MX) Client-initiated renegotiation
mydomain.de. yes

I have no idea how to correct this with NethServer.

Sincerely, Marko

1 Like
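As an added example (not code from any poster in this thread, nor from NethServer): a small Python helper that builds and checks TLSA records of the kind Marko refers to, so you can see what a `3 1 1` record actually pins and why it matters at certificate renewal. Field meanings follow RFC 6698; the DER byte strings are constructed stand-ins, and the function and constant names are mine.

```python
import hashlib
import hmac

# Constructed stand-ins for DER blobs. For a real server they come from the
# certificate, e.g. `openssl x509 -in cert.pem -outform DER` (whole cert) and
# `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER`
# (SubjectPublicKeyInfo, i.e. the public key only).
CERT_DER = b"constructed-DER-certificate-v1"
SPKI_DER = b"constructed-DER-subjectPublicKeyInfo"
# A renewed certificate (different DER bytes) issued for the same key pair.
RENEWED_CERT_DER = b"constructed-DER-certificate-v2"


def tlsa_association_data(cert_der, spki_der, selector, matching_type):
    """Certificate association data a TLSA record carries.
    selector: 0 = full certificate, 1 = SubjectPublicKeyInfo.
    matching type: 0 = exact data, 1 = SHA-256, 2 = SHA-512.
    """
    data = {0: cert_der, 1: spki_der}[selector]
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def build_tlsa_record(cert_der, spki_der, usage=3, selector=1, matching_type=1):
    """Presentation format, e.g. '3 1 1 <hex>' (DANE-EE, SPKI, SHA-256)."""
    assoc = tlsa_association_data(cert_der, spki_der, selector, matching_type)
    return f"{usage} {selector} {matching_type} {assoc.hex()}"


def parse_tlsa(record):
    """Split '<usage> <selector> <mtype> <hex>' into typed fields."""
    usage, selector, mtype, hexdata = record.split(maxsplit=3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))


def tlsa_matches(record, cert_der, spki_der):
    """True if the supplied certificate satisfies the record's association data.
    For usage 3 (DANE-EE, the usual choice for mail and web) pass the server's
    own leaf certificate; for usage 0/2 pass the CA certificate the record pins.
    """
    usage, selector, mtype, assoc = parse_tlsa(record)
    if usage not in (0, 1, 2, 3) or selector not in (0, 1):
        raise ValueError("unsupported usage or selector")
    expected = tlsa_association_data(cert_der, spki_der, selector, mtype)
    return hmac.compare_digest(expected, assoc)
```

A `3 1 1` record survives a renewal that keeps the key pair, while a `3 0 1` record breaks at every renewal; a renewal that generates a new key changes both, so the DNS record has to be updated (and its old TTL allowed to expire) before the new certificate is served.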

For me, Peer Heinlein’s lectures are constant revelations of the e-mail God.
https://www.heinlein-support.de/vortrag


https://www.heinlein-support.de/blog/news/gmx-de-und-web-de-haben-mail-rejects-durch-spf/
(but in the meantime he has switched to ~all himself)
2 Likes