Generating TLSA, SSHFP and OPENPGPKEY records yum install - PowerPoint PPT Presentation



SLIDE 1

Paul Wouters <pwouters@redhat.com> 1

DNSSEC / DANE demo

Paul Wouters Senior software engineer, Red Hat October 17, 2015

SLIDE 2

Generating TLSA, SSHFP and OPENPGPKEY records

  • yum install hash-slinger
  • tlsa --create www.example.com (for https)
  • sshfp -a (known_hosts)
  • sshfp -a -d -d nohats.ca -n ns0.nohats.ca (axfr+scan)
  • openpgpkey --create pwouters@fedoraproject.org

SLIDE 3

Verifying TLSA, SSHFP and OPENPGPKEY records

  • tlsa --verify www.example.com
  • openpgpkey --verify pwouters@fedoraproject.org
  • openpgpkey --fetch pwouters@fedoraproject.org

SLIDE 4

Configure postfix to use TLS

  • Generate TLS key, certificate and CA-certificate
  • Enable TLS in postfix:
  • postconf -e "smtpd_tls_security_level = may"
  • postconf -e "smtpd_tls_key_file = /etc/postfix/ssl/server.key"
  • postconf -e "smtpd_tls_cert_file = /etc/postfix/ssl/server.pem"
  • postconf -e "smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem"
  • postconf -e "smtpd_tls_security_level = may"
  • postfix reload

SLIDE 5

Configure postfix to use DNSSEC and DANE

  • postconf -e "smtp_dns_support_level = dnssec"
  • postconf -e "smtp_tls_security_level = dane"
  • Ensure the server postfix runs on is configured to use a DNSSEC capable server specified in /etc/resolv.conf (you can point to 8.8.8.8 or 193.110.157.123)

SLIDE 6

Postfix now requires TLS when a TLSA record is present

SLIDE 7

Postfix validates the TLSA record before sending email

SLIDE 8

Publishing an OPENPGPKEY:

  • Generate a new gpg key, for example using gnupg

SLIDE 9

Publishing an OPENPGPKEY:

  • Generate a new gpg key, for example using gnupg

SLIDE 10

Publishing an OPENPGPKEY:

  • Create an OPENPGPKEY record (in generic format)

SLIDE 11

Publishing an OPENPGPKEY:

  • Create an OPENPGPKEY record (in rfc format)

SLIDE 12

Publish your OPENPGPKEY and verify it:

  • Add record to zone, re-sign and propagate zone, then:

SLIDE 13

  • openpgpkey tool warns about email mismatch
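As an added worked example for slides 10 through 13 (not hash-slinger's own code), the following builds the RFC 7929 owner name for an address, renders the record both in generic (RFC 3597, TYPE61) and native presentation format, parses the generic form back, and performs the email-versus-user-ID comparison behind the mismatch warning. SAMPLE_KEY is a constructed byte string, not a real OpenPGP key.

```python
# Added example, not hash-slinger's own code: RFC 7929 owner name and record
# formats for OPENPGPKEY plus the email-mismatch check. SAMPLE_KEY is a
# constructed byte string, not a real OpenPGP key.
import base64
import hashlib

OPENPGPKEY_TYPE = 61                             # IANA RR type number for OPENPGPKEY
SAMPLE_KEY = b"\x98\x33\x04" + bytes(range(20))  # constructed, not a real key


def openpgpkey_owner(email):
    """Owner name per RFC 7929: hex of the first 28 octets of
    SHA-256(local-part) under _openpgpkey.<domain>; local-part hashed as given."""
    local, domain = email.rsplit("@", 1)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return "%s._openpgpkey.%s." % (digest.hex(), domain)


def generic_record(owner, key_bytes):
    """'Generic format' (RFC 3597) for nameservers without native type-61
    support: TYPE61 \\# <rdata length> <rdata as hex>."""
    return "%s IN TYPE%d \\# %d %s" % (owner, OPENPGPKEY_TYPE,
                                        len(key_bytes), key_bytes.hex())


def rfc_record(owner, key_bytes):
    """Native presentation (RFC 7929): rdata is the base64 transferable public key."""
    return "%s IN OPENPGPKEY %s" % (owner, base64.b64encode(key_bytes).decode("ascii"))


def parse_generic(record):
    """Recover the raw key from a generic-format record, checking the length field."""
    owner, _, rrtype, _, length, hexdata = record.split()
    data = bytes.fromhex(hexdata)
    if rrtype != "TYPE%d" % OPENPGPKEY_TYPE or int(length) != len(data):
        raise ValueError("malformed OPENPGPKEY generic record: %s" % record)
    return owner, data


def email_matches(email, user_ids):
    """The check behind the 'email mismatch' warning: the address that was looked
    up must appear in one of the key's user IDs. Local-part compares exactly;
    the domain compares case-insensitively, as DNS names do."""
    local, domain = email.rsplit("@", 1)
    for uid in user_ids:
        addr = uid.split("<")[-1].rstrip(">").strip() if "<" in uid else uid.strip()
        if "@" not in addr:
            continue
        ulocal, udomain = addr.rsplit("@", 1)
        if ulocal == local and udomain.lower() == domain.lower():
            return True
    return False
```

The generic form is what to paste into a zone file when the nameserver does not yet know type 61; the native form is what `openpgpkey --create` emits on servers that do.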

SLIDE 14

Demo of openpgpkey-milter using OPENPGPKEY

SLIDE 15

View of email sent via postfix + openpgpkey-milter

SLIDE 16

SSHFP record: enable DNSSEC in ssh client

  • Can be done in user's own ~/.ssh/ssh_config
  • Can be done globally in /etc/ssh/ssh_config
  • To only display extra informational text for ssh, use: VerifyHostKeyDNS ask
  • To automatically accept the key when found in DNS, use: VerifyHostKeyDNS yes

SLIDE 17

Connecting with ssh using VerifyHostKeyDNS ask

SLIDE 18

Connecting with ssh using VerifyHostKeyDNS yes

SLIDE 19

ssh client detecting Man-in-the-middle attack