I have a question on domain/web- and mailserver security best practices. I understand that DKIM, SPF and maybe a DMARC record are quasi standard and a must have. What about DANE? I see that not even our mail provider has them implemented and it's his business after all. So is DANE/DNSSEC something you consider worth activating, or is it not widely used or necessary?
As a side note, I became aware of DANE because of this test site. I am asking myself if it is a bit overzealous, as the results are quite poor, even for a site that is rated A+ in SSL Labs. Btw. I had to change the TLS policy in NethServer to the newest entry, else SSL Labs rated the site with B only. I was surprised that TLS 1.0 and 1.1 are active in the standard configuration, but it was easy enough to change that in Cockpit.
Following the points that are criticized at https://en.internet.nl and are the reason for the mediocre rating:
- not reachable via IPv6 address. Really? Is that an argument nowadays?
- domain not signed with DNSSEC
- Your web server offers an HSTS policy with a cache validity period (max-age) that is not sufficiently long (i.e. less than 1 year). We consider a HSTS cache validity period of at least 1 year (max-age=31536000) to be sufficiently secure.
- Your web server supports one or more ciphers that have a phase out status, because they are known to be fragile and are at risk of becoming insufficiently secure.
- Your web server does not prefer ‘Good’ over ‘Sufficient’ over ‘Phase out’ ciphers (‘II’).
- Your web server supports insufficiently secure parameters for Diffie-Hellman key exchange.
- Your web server does not support OCSP stapling
- Your website domain does not contain a TLSA record for DANE
- Your web server does not offer Content-Security-Policy (CSP), or does offer CSP with certain insecure settings.
Those verdicts finally lead to a score of 47%.
What do you think of those findings? Quite a difference to an A+ rated site by SSL Labs…
The mail server with DKIM/SPF/DMARC enabled gets a slightly better rating, but still only 62%, again because of missing IPv6, DNSSEC, DANE, ciphers, key exchange parameters and client-initiated renegotiation…
I would be interested in some of our experts' judgement of those results this site is delivering. Do they exaggerate? I mean IPv6 - c'mon…
And if they have some valid points - do you have recommendations to implement in a NethServer environment to augment security?
For the record some links, that I did not yet have the time to read through and thought maybe first ask here instead of wasting time for a maybe exaggerated safety need:
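As an added example that is not part of the original post: the "no TLSA record for DANE" finding above is about a DNS record that binds the TLS certificate (or its public key) to the name. The following standard-library Python computes the association data such a record carries (selector 0 = full certificate, 1 = SubjectPublicKeyInfo; matching type 0 = raw, 1 = SHA-256, 2 = SHA-512) and checks a record against a certificate's DER bytes, so a published record can be verified against what the server actually serves. The certificate structure at the bottom is hand-built and constructed purely to exercise the parser; it is not a real certificate.

```python
import hashlib

def der_encode(tag, body):
    # Minimal DER TLV encoder, only needed to build the constructed sample below.
    n = len(body)
    length = bytes([n]) if n < 128 else bytes([0x81, n]) if n < 256 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def der_tlv(data, pos=0):
    # Decode one DER TLV at pos -> (tag, value, position after it).
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def spki_from_cert(cert_der):
    # Return the DER subjectPublicKeyInfo, i.e. what TLSA selector 1 covers.
    _, cert_body, _ = der_tlv(cert_der)    # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert_body)         # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):                  # collect each top-level TBS field as raw TLV bytes
        _, _, end = der_tlv(tbs, pos)
        fields.append(tbs[pos:end])
        pos = end
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields.pop(0)
    return fields[5]                       # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_data(cert_der, selector, matching):
    # Certificate association data as lowercase hex for a selector/matching type.
    blob = cert_der if selector == 0 else spki_from_cert(cert_der)
    if matching == 0:
        return blob.hex()
    return (hashlib.sha256 if matching == 1 else hashlib.sha512)(blob).hexdigest()

def tlsa_matches(record, cert_der):
    # record is TLSA RDATA text such as "3 1 1 <hex>" (DANE-EE, SPKI, SHA-256).
    _usage, selector, matching, data = record.split(None, 3)
    return tlsa_data(cert_der, int(selector), int(matching)) == "".join(data.split()).lower()

# Constructed stand-in for a certificate: only the structure matters, it is not a real cert.
SAMPLE_SPKI = der_encode(0x30, der_encode(0x30, b"\x06\x03\x2a\x03\x04")
                         + der_encode(0x03, b"\x00" + b"\x11" * 40))
SAMPLE_TBS = der_encode(0x30, der_encode(0xA0, b"\x02\x01\x02")   # [0] version v3
             + der_encode(0x02, b"\x01")                           # serialNumber
             + der_encode(0x30, b"") * 4                           # sigAlg, issuer, validity, subject
             + SAMPLE_SPKI)
SAMPLE_CERT = der_encode(0x30, SAMPLE_TBS + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))
```

With a real certificate, feed the DER bytes from the served chain in place of SAMPLE_CERT; a "3 1 1" record keeps matching across renewals as long as the key pair is reused, which is the usual reason to prefer selector 1.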