Secure your website with DANE (DNS-based Authentication of Named Entities)

In our days just having your website running on SSL seam to not be enough since the attack on march 11 2014 on Comodo Group and Diginotar showed us that the simple trust is not justified. You can never know that your if your certificate is a valid one or it is one forged by a Man in the middle type of attack. Here is where DANE comes in the picture by adding another layer of security by tying the x509 certificate generated for your website to the DNS(Domain Name Server) of your website.
Background: This installation would be using DNSSEC on PoweDNS with mysql backend as a dns server and will use a self signed certificate to show you that it is possible of securing a website using self signed certificates. Using a self signed certificate is not recommended when you are using a high profile website which would do professional services cause your browser would not recognize the certificate issuer and will most probably show it as a broken certificate which does not look very professinal. For this example will be using the domain of this website z0z0.tk. Note .tk is not a secured top level domain therefore if you verify any domain using .tk you would be most probably getting some error messages.

Let's get jump in the middle. Will now show how to add a domain to powerdns and create the most important records. Will assume that's done already.
First will check the domain to make sure that there are no errors in your records.

#pdnssec check-zone z0z0.tk
Checked 12 records of 'z0z0.tk', 0 errors, 0 warnings.

Next we will check if your zone is already seccured or not.

# pdnssec show-zone z0z0.tk
Zone is not actively secured
Zone is not presigned
No keys for zone 'z0z0.tk'.

After we verified and made sure that our domain is not secured. You will need to decide between NSEC3 and NSEC3 narrow. Will be using NSEC3 narrow since using NSEC3 will need to rectify the zone after every change by running pdnssec rectify-zone domain.com but don't want that extra layer of complexity.
To enable the dnssec for the zone run:

#dnssec secure-zone z0z0.tk
Zone z0z0.tk secured
Adding NSEC ordering information 
Set the zone as NSEC3 narrow

#pdnssec set-nsec3 z0z0.tk '1 1 10 beef' narrow
NSEC3 set, please rectify-zone if your backend needs it

After you done that let's check the domain again:

pdnssec show-zone z0z0.tk |grep DS
DS = z0z0.tk IN DS 13847 8 1 152ec91bd8a82237725ad709a271b61ab8fe323c ; ( SHA1 digest )
DS = z0z0.tk IN DS 13847 8 2 082cce39ea9b320e38091f5d58ed85879bce37aaf52ebd6bb47f1b20aad03831 ; ( SHA256 digest )
DS = z0z0.tk IN DS 13847 8 3 1179f20f100866dd1c313c8a4e9532154d189b2392dd3d1489961a02436f5c45 ; ( GOST R 34.11-94 digest )
DS = z0z0.tk IN DS 13847 8 4 e62269b6b212a7a060e95bfe3787a0e0dbe811123c83f2563e3a8418a6b1dcf418305def8de9d372392802524b6e41fe ; ( SHA-384 digest )

You will need to add the DS records to your domain registrar. If the registrar does not support that temporarly you can add it to DLV ISC until your registrar would implement it. After everything is set up you can check your dnssec at the Verisign analyzer.

dnssec checker

As I said earlier that .tk does not support DS records therefore in the image you will see the errors related to that.
Now it's time to create the TLSA Record for your webserver. To do this we are using the TLSA Record Generator. When you filled the form click on the Generate button and you will get as result something like this:

Record generator result To add it to the powerdns login to your mysql server which holds the database for the powerdns and run the following command:

mysql>insert into records(domain_id, name, type, content, ttl) values (X,'_443._tcp.z0z0.tk.','TLSA','3 0 1 27ece48f3c037aa57fdf17924dc395a86585158d34f3e80bc13d65f9b92a1d7e', '3600');
Query OK, 1 row affected (0.09 sec)

where the X = id of your domain will be taken from the domains table.

Check the record of your domain via dig comand:

dig type52 _443._tcp.z0z0.tk

; <<>> DiG 9.8.3-P1 <<>> type52 _443._tcp.z0z0.tk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63286
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_443._tcp.z0z0.tk.     IN  TLSA

;; ANSWER SECTION:
_443._tcp.z0z0.tk.  3599    IN  TLSA    3 0 1 27ECE48F3C037AA57FDF17924DC395A86585158D34F3E80BC13D65F9 B92A1D7E

;; Query time: 317 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Dec  4 01:34:02 2014
;; MSG SIZE  rcvd: 82

Unfortunately no modern browsers does support DANE by default but luckily there is a plugin which can be installed on majority of the modern browsers downloadable from here.

After browsing our site with firefox with the plugin installed you can see the result of the DANE validation.

Keresztes Péter-Zoltán

Read more posts by this author.

Subscribe to IT Ghost

Get the latest posts delivered right to your inbox.

or subscribe via RSS with Feedly!