SlideShare ist ein Scribd-Unternehmen logo
1 von 31
DANE/DNSSEC/TLS
Testing in the Go6lab
Jan Žorž, ISOC/Go6 Institute
jan@go6.si
zorz@isoc.org
Acknowledgement
I would like to thank the Internet Society for
letting me spend some of my ISOC working time
in the go6lab testing all these new and exciting
protocols and mechanisms that make the
Internet a bit better and a more secure place…
DNSSEC implementation in go6lab
• Powerdns server (used as primary for non-
signed domains) as “hidden” primary DNS
server
• OpenDNSSEC platform for signing domains
• BIND9 DNS servers as secondaries to
OpenDNSSEC to serve signed zones
• Virtualization used: PROXMOX 3.4
• OS templates: fedora-20, Centos6/7
DNSSEC implementation in go6lab
• “Bump in a wire”
• Two public “primary” servers
• Concept:
DNSSEC in go6lab
• That was fairly easy and it works very well.
• Implementation document used from Matthijs
Mekking:
http://go6.si/docs/opendnssec-start-guide-draft.pdf
DANE experiment
• When DNSSEC was set up and functioning we
started to experiment with DANE (DNS
Authenticated Name Entities).
• Requirements:
– DNSSEC signed domains
– Postfix server with TLS support > 2.11
• We decided on Postfix 3.0.1
DANE
• TLSA record for mx.go6lab.si
_25._tcp.mx.go6lab.si. IN TLSA 3 0 1
B4B7A46F9F0DFEA0151C2E07A5AD7908F4C8B0050E7CC
25908DA05E2 A84748ED
It’s basically a hash of TLS certificate on mx.go6lab.si
More about DANE:
http://www.internetsociety.org/deploy360/resources/da
ne/
What is DANE and how does it work
DANE verification
• Mx.go6lab.si was able to verify TLS cert to T-2
mail server and nlnet-labs and some others…
mx postfix/smtp[31332]: Verified TLS connection established to
smtp-good-in-2.t-2.si[2a01:260:1:4::24]:25: TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 bits)
dicht postfix/smtp[29540]: Verified TLS connection established to
mx.go6lab.si[2001:67c:27e4::23]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Postfix config
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/postfix/ssl/server.pem
smtpd_tls_cert_file = /etc/postfix/ssl/server.pem
smtpd_tls_auth_only = no
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtp_tls_security_level = dane
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1
tls_random_exchange_name = /var/run/prng_exch
tls_random_source = dev:/dev/urandom
tls_smtp_use_tls = yes
Malformed TLSA record
• We created a TLSA record with a bad hash (one
character changed)
• Postfix failed to verify it and refused to send a message
mx postfix/smtp[1765]: Untrusted TLS connection established to
mail-bad.go6lab.si[2001:67c:27e4::beee]:25: TLSv1.2 with
cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
mx postfix/smtp[1765]: 3A4BE8EE5C: Server certificate not
trusted
1M top Alexa domains and DANE
• We fetched top 1 million Alexa domains and
created a script that sent an email to each of
them ( test-dnssec-dane@[domain] )
• After some tweaking of the script we got
some good results
• Then we built a script that parsed mail log file
and here are the results:
Results
• Out of 1 million domains, 992,232 of them had
MX record and mail server.
• Nearly 70% (687,897) of all attempted SMTP
sessions to Alexa top 1 million domains MX
records were encrypted with TLS
• Majority of TLS connections (60%) were
established with trusted certificate
• 1,382 connections where remote mail server
announced TLS capability failed with "Cannot
start TLS: handshake failure"
More results
TLS established connections ratios are:
Anonymous: 109.753
Untrusted: 167.063
Trusted: 410.953
Verified: 128
Quick guide: Anonymous (opportunistic TLS with no
signature), Untrusted (peer certificate not signed by trusted
CA), Trusted (peer certificate signed by trusted CA) and
Verified (verified with TLSA by DANE).
DANE Verified
Verified: 128 !!!
Mail distribution
Mail Servers # Domains Handled TLS State
google.com 125,422 Trusted
secureserver.net 35,759 Some Trusted, some
no TLS at all
qq.com 11,254 No TLS
Yandex.ru 9,268 Trusted
Ovh.net 8.531 Most Trusted, with
redirect servers
having no TLS at all
Mail distribution
Mail Servers # Domains Handled TLS State
Emailsrvr.com 8,262 Trusted
Zohomail.com 2.981 Trusted
Lolipop.jp 1.685 No TLS
Kundenserver.de 2,834 Trusted
Gandi.net 2,200 Anonymous
DNSSEC? DANE?
None of these “big” mail servers (and
their domains) are DNSSEC signed
(that means no DANE for them
possible).
• Of course, with wrong certificate hash in TLSA
record (refuses to send mail)
• If domain where MX record resides is not
DNSSEC signed (can’t trust the data in MX, so
no verification)
• If TLSA record published in non-DNSSEC zone
(can’t trust the data in TLSA, so no
verification)
When do DANE things fail?
• go6lab.si zone is signed, so is mx.go6lab.si
• there is TLSA for mx.go6lab.si, also signed
• domain zorz.si is signed and MX points to
mx.go6lab.si
• domain ncc.si is not signed and MX points to
mx.go6lab.si
• We send email to jan@zorz.si and jan@ncc.si
When do things fail? (example)
When I send email to jan@zorz.si (signed domain):
Verified TLS connection established to
mx.go6lab.si[2001:67c:27e4::23]:25:
When I send email to jan@ncc.si (not signed domain):
Anonymous TLS connection established to
mx.go6lab.si[2001:67c:27e4::23]:25:
When do things fail? (example)
• We extracted .si domains from that top 1m
from Alexa and added some dnssigned and
some other “usual suspects”
• …and here are results!
SLO email servers test
All contacted mail servers analysis
Of 397 Mail Servers:
Type # Description
Anonymous TLS Servers 95 No peer certificate, no verification, just
anonymous encryption
Untrusted TLS Servers 104 Peer certificate not signed by trusted CA
Trusted TLS Servers 103 Peer certificate signed by trusted CA,
unverified peer name
Verified (DANE) TLS Servers 9 Peer certificate signed by trusted CA and a
verified peer name
No TLS Servers 90 No TLS encryption at all, not even as an
option.
All SMTP sessions analysis:
Number of all established SMTP sessions: 554
Number of all succesful TLS sessions: 504
Number of all failed TLS sessions: 6
Number of sessions with NO TLS at all: 44
Number of IPv6 SMTP sessions: 53
Number of IPv4 SMTP sessions: 501
All domains checked analysis:
All domains checked: 610
NON DNSSEC signed domains: 575
DNSSEC signed domains: 35
Domains with no MX record: 56
DANE enabled mail servers:
- edo.kr-neki.si
- mail.go6lab.si
- mx1.t-2.net
- mx2.t-2.net
- mx.go6lab.si
- protector.rajmax.si
- renato.ni-re.net
- smtp-bad-in-1.t-2.net
- smtp-good-in-2.t-2.si
Mail servers with NO TLS capability
• The list is too long and I would not like to do
public shaming here…
• …but the list can be found here: 
http://bgp.go6.si/email-research/results.txt
Conclusions
• 70% of email can be encrypted in some way,
you just need to enable TLS on your server
• Low number of DNSSEC signed
domains/servers
• Even lower number of DANE/TLSA verified
servers/connections
• It’s easy, go and do it – it’s not the end of the
world and it helps with verifying who are you
sending emails to – and vice versa ;)
Q&A
Questions? Protests? Suggestions?
Complaints?
http://bgp.go6.si/email-research/results.txt
<jan@go6.si>

Weitere ähnliche Inhalte

Was ist angesagt?

Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSAlex Mayrhofer
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNIJisc
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureSam Bowne
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsPeter R. Egli
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
DANE and DNSSEC Authentication Chain Extension for TLS
DANE and DNSSEC Authentication Chain Extension for TLSDANE and DNSSEC Authentication Chain Extension for TLS
DANE and DNSSEC Authentication Chain Extension for TLSShumon Huque
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsMen and Mice
 
CNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecurityCNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecuritySam Bowne
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondSam Bowne
 
DNS Security
DNS SecurityDNS Security
DNS Securityinbroker
 
CNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesCNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesSam Bowne
 

Was ist angesagt? (20)

Encrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPSEncrypted DNS - DNS over TLS / DNS over HTTPS
Encrypted DNS - DNS over TLS / DNS over HTTPS
 
7 technical-dns-workshop-day3
7 technical-dns-workshop-day37 technical-dns-workshop-day3
7 technical-dns-workshop-day3
 
DoH, DoT and ESNI
DoH, DoT and ESNIDoH, DoT and ESNI
DoH, DoT and ESNI
 
ION Cape Town - IETF Update and How to Get Involved
ION Cape Town - IETF Update and How to Get InvolvedION Cape Town - IETF Update and How to Get Involved
ION Cape Town - IETF Update and How to Get Involved
 
1 technical-dns-workshop-day1
1 technical-dns-workshop-day11 technical-dns-workshop-day1
1 technical-dns-workshop-day1
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and Architecture
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1
 
DNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security ExtensionsDNSSEC - Domain Name System Security Extensions
DNSSEC - Domain Name System Security Extensions
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
DANE and DNSSEC Authentication Chain Extension for TLS
DANE and DNSSEC Authentication Chain Extension for TLSDANE and DNSSEC Authentication Chain Extension for TLS
DANE and DNSSEC Authentication Chain Extension for TLS
 
The DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rollsThe DNSSEC KSK of the root rolls
The DNSSEC KSK of the root rolls
 
DNSSEC implementation in Russia
DNSSEC implementation in Russia DNSSEC implementation in Russia
DNSSEC implementation in Russia
 
CNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecurityCNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS Security
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breaches
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyond
 
DNS Security
DNS SecurityDNS Security
DNS Security
 
CNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesCNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilities
 
4 technical-dns-workshop-day2
4 technical-dns-workshop-day24 technical-dns-workshop-day2
4 technical-dns-workshop-day2
 
5 technical-dns-workshop-day3
5 technical-dns-workshop-day35 technical-dns-workshop-day3
5 technical-dns-workshop-day3
 

Ähnlich wie DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town

Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLContinuent
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECCarlos Martinez Cagnazzo
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL EnglishSSL247®
 
DNS based Authentication of Named Entities (DANE)
DNS based Authentication of Named Entities (DANE)DNS based Authentication of Named Entities (DANE)
DNS based Authentication of Named Entities (DANE)Port25 Solutions
 
TLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured  CommunicationsTLS/SSL - Study of Secured  Communications
TLS/SSL - Study of Secured CommunicationsNitin Ramesh
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)Jerome Smith
 
getdns PyCon presentation
getdns PyCon presentationgetdns PyCon presentation
getdns PyCon presentationMelinda Shore
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiYossi Sassi
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and securityMichael Earls
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECShumon Huque
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)Gabriella Davis
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS PrivacyAPNIC
 
Domino Security - not knowing is not an option - MWLUG 2015
Domino Security - not knowing is not an option - MWLUG 2015Domino Security - not knowing is not an option - MWLUG 2015
Domino Security - not knowing is not an option - MWLUG 2015Darren Duke
 

Ähnlich wie DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town (20)

ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6labION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
ION Bangladesh - DANE, DNSSEC, and TLS Testing in the Go6lab
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
 
Understanding DNS Security
Understanding DNS SecurityUnderstanding DNS Security
Understanding DNS Security
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSEC
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL English
 
SSL overview
SSL overviewSSL overview
SSL overview
 
DNS based Authentication of Named Entities (DANE)
DNS based Authentication of Named Entities (DANE)DNS based Authentication of Named Entities (DANE)
DNS based Authentication of Named Entities (DANE)
 
ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLS
 
TLS/SSL - Study of Secured Communications
TLS/SSL - Study of Secured  CommunicationsTLS/SSL - Study of Secured  Communications
TLS/SSL - Study of Secured Communications
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
 
getdns PyCon presentation
getdns PyCon presentationgetdns PyCon presentation
getdns PyCon presentation
 
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi SassiInSecure Remote Operations - NullCon 2023 by Yossi Sassi
InSecure Remote Operations - NullCon 2023 by Yossi Sassi
 
Dns protocol design attacks and security
Dns protocol design attacks and securityDns protocol design attacks and security
Dns protocol design attacks and security
 
Cours4.pptx
Cours4.pptxCours4.pptx
Cours4.pptx
 
SSL.ppt
SSL.pptSSL.ppt
SSL.ppt
 
DANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSECDANE and Application Uses of DNSSEC
DANE and Application Uses of DNSSEC
 
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
1086: The SSL Problem and How to Deploy SHA2 Certificates (with Mark Myers)
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS Privacy
 
Domino Security - not knowing is not an option - MWLUG 2015
Domino Security - not knowing is not an option - MWLUG 2015Domino Security - not knowing is not an option - MWLUG 2015
Domino Security - not knowing is not an option - MWLUG 2015
 

Mehr von Deploy360 Programme (Internet Society)

Mehr von Deploy360 Programme (Internet Society) (20)

ION Belgrade - Jordi Palet Martinez IPv6 Success Stories
ION Belgrade - Jordi Palet Martinez IPv6 Success StoriesION Belgrade - Jordi Palet Martinez IPv6 Success Stories
ION Belgrade - Jordi Palet Martinez IPv6 Success Stories
 
ION Belgrade - ISOC Serbia Belgrade Chapter Presentation
ION Belgrade - ISOC Serbia Belgrade Chapter PresentationION Belgrade - ISOC Serbia Belgrade Chapter Presentation
ION Belgrade - ISOC Serbia Belgrade Chapter Presentation
 
ION Belgrade - IETF Update
ION Belgrade - IETF UpdateION Belgrade - IETF Update
ION Belgrade - IETF Update
 
ION Belgrade - Opening Slides
ION Belgrade - Opening SlidesION Belgrade - Opening Slides
ION Belgrade - Opening Slides
 
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)ION Belgrade - MANRS by Serbian Open eXchange (SOX)
ION Belgrade - MANRS by Serbian Open eXchange (SOX)
 
ION Belgrade - Closing Slides
ION Belgrade - Closing SlidesION Belgrade - Closing Slides
ION Belgrade - Closing Slides
 
AusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRSAusNOG - Two Years of Good MANRS
AusNOG - Two Years of Good MANRS
 
ION Malta - IETF Update
ION Malta - IETF UpdateION Malta - IETF Update
ION Malta - IETF Update
 
ION Malta - MANRS Introduction
ION Malta - MANRS IntroductionION Malta - MANRS Introduction
ION Malta - MANRS Introduction
 
ION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSECION Malta - Introduction to DNSSEC
ION Malta - Introduction to DNSSEC
 
ION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLSION Malta - DANE: The Future of TLS
ION Malta - DANE: The Future of TLS
 
ION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & AccountabilityION Malta - IANA Transition Roles & Accountability
ION Malta - IANA Transition Roles & Accountability
 
ION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: FinlandION Malta - IPv6 Case Study: Finland
ION Malta - IPv6 Case Study: Finland
 
ION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 TransitionION Malta - Seeweb Thoughts on IPv6 Transition
ION Malta - Seeweb Thoughts on IPv6 Transition
 
ION Malta - Seeweb Why MANRS is good for you
ION Malta - Seeweb Why MANRS is good for youION Malta - Seeweb Why MANRS is good for you
ION Malta - Seeweb Why MANRS is good for you
 
ION Malta - Opening Slides
ION Malta - Opening SlidesION Malta - Opening Slides
ION Malta - Opening Slides
 
ION Malta - Closing Slides
ION Malta - Closing SlidesION Malta - Closing Slides
ION Malta - Closing Slides
 
ION Durban - How peering behaviour affects growth of the internet
ION Durban - How peering behaviour affects growth of the internetION Durban - How peering behaviour affects growth of the internet
ION Durban - How peering behaviour affects growth of the internet
 
ION Durban - Introduction to ISOC Gauteng Chapter
ION Durban - Introduction to ISOC Gauteng ChapterION Durban - Introduction to ISOC Gauteng Chapter
ION Durban - Introduction to ISOC Gauteng Chapter
 
ION Durban - What's Happening at the IETF?
ION Durban - What's Happening at the IETF?ION Durban - What's Happening at the IETF?
ION Durban - What's Happening at the IETF?
 

Kürzlich hochgeladen

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 

Kürzlich hochgeladen (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 

DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town

  • 1. DANE/DNSSEC/TLS Testing in the Go6lab Jan Žorž, ISOC/Go6 Institute jan@go6.si zorz@isoc.org
  • 2. Acknowledgement I would like to thank the Internet Society for letting me spend some of my ISOC working time in the go6lab testing all these new and exciting protocols and mechanisms that make the Internet a bit better and a more secure place…
  • 3. DNSSEC implementation in go6lab • Powerdns server (used as primary for non- signed domains) as “hidden” primary DNS server • OpenDNSSEC platform for signing domains • BIND9 DNS servers as secondaries to OpenDNSSEC to serve signed zones • Virtualization used: PROXMOX 3.4 • OS templates: fedora-20, Centos6/7
  • 4. DNSSEC implementation in go6lab • “Bump in a wire” • Two public “primary” servers • Concept:
  • 5. DNSSEC in go6lab • That was fairly easy and it works very well. • Implementation document used from Matthijs Mekking: http://go6.si/docs/opendnssec-start-guide-draft.pdf
  • 6. DANE experiment • When DNSSEC was set up and functioning we started to experiment with DANE (DNS Authenticated Name Entities). • Requirements: – DNSSEC signed domains – Postfix server with TLS support > 2.11 • We decided on Postfix 3.0.1
  • 7. DANE • TLSA record for mx.go6lab.si _25._tcp.mx.go6lab.si. IN TLSA 3 0 1 B4B7A46F9F0DFEA0151C2E07A5AD7908F4C8B0050E7CC 25908DA05E2 A84748ED It’s basically a hash of TLS certificate on mx.go6lab.si More about DANE: http://www.internetsociety.org/deploy360/resources/da ne/
  • 8. What is DANE and how does it work
  • 9.
  • 10.
  • 11. DANE verification • Mx.go6lab.si was able to verify TLS cert to T-2 mail server and nlnet-labs and some others… mx postfix/smtp[31332]: Verified TLS connection established to smtp-good-in-2.t-2.si[2a01:260:1:4::24]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits) dicht postfix/smtp[29540]: Verified TLS connection established to mx.go6lab.si[2001:67c:27e4::23]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
  • 12. Postfix config smtpd_use_tls = yes smtpd_tls_security_level = may smtpd_tls_key_file = /etc/postfix/ssl/server.pem smtpd_tls_cert_file = /etc/postfix/ssl/server.pem smtpd_tls_auth_only = no smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s smtp_tls_security_level = dane smtp_use_tls = yes smtp_tls_note_starttls_offer = yes smtp_tls_loglevel = 1 tls_random_exchange_name = /var/run/prng_exch tls_random_source = dev:/dev/urandom tls_smtp_use_tls = yes
  • 13. Malformed TLSA record • We created a TLSA record with a bad hash (one character changed) • Postfix failed to verify it and refused to send a message mx postfix/smtp[1765]: Untrusted TLS connection established to mail-bad.go6lab.si[2001:67c:27e4::beee]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) mx postfix/smtp[1765]: 3A4BE8EE5C: Server certificate not trusted
  • 14. 1M top Alexa domains and DANE • We fetched top 1 million Alexa domains and created a script that sent an email to each of them ( test-dnssec-dane@[domain] ) • After some tweaking of the script we got some good results • Then we built a script that parsed mail log file and here are the results:
  • 15. Results • Out of 1 million domains, 992,232 of them had MX record and mail server. • Nearly 70% (687,897) of all attempted SMTP sessions to Alexa top 1 million domains MX records were encrypted with TLS • Majority of TLS connections (60%) were established with trusted certificate • 1,382 connections where remote mail server announced TLS capability failed with "Cannot start TLS: handshake failure"
  • 16. More results TLS established connections ratios are: Anonymous: 109.753 Untrusted: 167.063 Trusted: 410.953 Verified: 128 Quick guide: Anonymous (opportunistic TLS with no signature), Untrusted (peer certificate not signed by trusted CA), Trusted (peer certificate signed by trusted CA) and Verified (verified with TLSA by DANE).
  • 18. Mail distribution Mail Servers # Domains Handled TLS State google.com 125,422 Trusted secureserver.net 35,759 Some Trusted, some no TLS at all qq.com 11,254 No TLS Yandex.ru 9,268 Trusted Ovh.net 8.531 Most Trusted, with redirect servers having no TLS at all
  • 19. Mail distribution Mail Servers # Domains Handled TLS State Emailsrvr.com 8,262 Trusted Zohomail.com 2.981 Trusted Lolipop.jp 1.685 No TLS Kundenserver.de 2,834 Trusted Gandi.net 2,200 Anonymous
  • 20. DNSSEC? DANE? None of these “big” mail servers (and their domains) are DNSSEC signed (that means no DANE for them possible).
  • 21. • Of course, with wrong certificate hash in TLSA record (refuses to send mail) • If domain where MX record resides is not DNSSEC signed (can’t trust the data in MX, so no verification) • If TLSA record published in non-DNSSEC zone (can’t trust the data in TLSA, so no verification) When do DANE things fail?
  • 22. • go6lab.si zone is signed, so is mx.go6lab.si • there is TLSA for mx.go6lab.si, also signed • domain zorz.si is signed and MX points to mx.go6lab.si • domain ncc.si is not signed and MX points to mx.go6lab.si • We send email to jan@zorz.si and jan@ncc.si When do things fail? (example)
  • 23. When I send email to jan@zorz.si (signed domain): Verified TLS connection established to mx.go6lab.si[2001:67c:27e4::23]:25: When I send email to jan@ncc.si (not signed domain): Anonymous TLS connection established to mx.go6lab.si[2001:67c:27e4::23]:25: When do things fail? (example)
  • 24. • We extracted .si domains from that top 1m from Alexa and added some dnssigned and some other “usual suspects” • …and here are results! SLO email servers test
  • 25. All contacted mail servers analysis Of 397 Mail Servers: Type # Description Anonymous TLS Servers 95 No peer certificate, no verification, just anonymous encryption Untrusted TLS Servers 104 Peer certificate not signed by trusted CA Trusted TLS Servers 103 Peer certificate signed by trusted CA, unverified peer name Verified (DANE) TLS Servers 9 Peer certificate signed by trusted CA and a verified peer name No TLS Servers 90 No TLS encryption at all, not even as an option.
  • 26. All SMTP sessions analysis: Number of all established SMTP sessions: 554 Number of all succesful TLS sessions: 504 Number of all failed TLS sessions: 6 Number of sessions with NO TLS at all: 44 Number of IPv6 SMTP sessions: 53 Number of IPv4 SMTP sessions: 501
  • 27. All domains checked analysis: All domains checked: 610 NON DNSSEC signed domains: 575 DNSSEC signed domains: 35 Domains with no MX record: 56
  • 28. DANE enabled mail servers: - edo.kr-neki.si - mail.go6lab.si - mx1.t-2.net - mx2.t-2.net - mx.go6lab.si - protector.rajmax.si - renato.ni-re.net - smtp-bad-in-1.t-2.net - smtp-good-in-2.t-2.si
  • 29. Mail servers with NO TLS capability • The list is too long and I would not like to do public shaming here… • …but the list can be found here:  http://bgp.go6.si/email-research/results.txt
  • 30. Conclusions • 70% of email can be encrypted in some way, you just need to enable TLS on your server • Low number of DNSSEC signed domains/servers • Even lower number of DANE/TLSA verified servers/connections • It’s easy, go and do it – it’s not the end of the world and it helps with verifying who are you sending emails to – and vice versa ;)