A Weird Imagination

DNSSEC on hosted DNS


DNS is the system that provides information about hostnames, such as the IP address of aweirdimagination.net, so your browser can connect to this website. DNSSEC is an extension that uses cryptographic signatures to verify that this information is genuine, preventing certain classes of attacks in which you believe you are connecting to one server while actually connecting to a computer under the attacker's control. Additionally, since DNSSEC verifies that information obtained through DNS has not been tampered with, it allows DNS to be used to publish certificate information, so servers can be authenticated for encrypted protocols without relying on certificate authorities.

The problem

Unfortunately, DNSSEC support is not widespread in clients or servers. In particular, I did not want to run my own DNS server and have to worry about keeping it updated and staying aware of any security vulnerabilities. I wanted to be able to, for a reasonable price, have a domain with full DNSSEC support and use it for securely advertising the https certificate for this website and the ssh host key for the web server. (Admittedly, I am trusting the DNS host more than strictly necessary, but realistically, they are also my registrar, so they could simply publish their own keys for my domain if they wanted to take it over.)

The solution

I settled on using easyDNS, since they were the only DNS hosting provider I could find that offered what I wanted; specifically, they very recently added support for TLSA and SSHFP records (for https and ssh keys, respectively). I later found mentions of RAGE4, which also looks like it should work.

I followed easyDNS's DNSSEC guide. At first, their interface showed an error upon trying to actually create TLSA or SSHFP records, but I filed a support request and they fixed the bug within a couple days.

Of course, to get the most out of DNSSEC, we need to actually generate those records.

Generating TLSA records

TLSA records verify certificates for TLS connections, like those used when accessing a website with an https:// URL. To generate the proper format, you can use the tlsa tool in the hash-slinger package. If you already have a web server running with https support, it will just read the certificate and generate the proper record (you may need the --insecure option if you have not yet set up DNSSEC):

$ tlsa --create aweirdimagination.net
Got a certificate with Subject: /C=US/CN=www.aweirdimagination.net/emailAddress=dap56@cornell.edu
_443._tcp.aweirdimagination.net. IN TLSA 3 0 1 e010b00062fa5936ad1b8b3abc677c145094c54d5391c412e0c9a4c8c956a8c0

You can also generate the TLSA record from a certificate file or by pasting your certificate into this web tool.

Remember to put the TLSA records not on the actual domain, but on a special subdomain (_443._tcp. in the output above) that encodes the port number (443) and protocol (TCP), which are the defaults for https. When actually setting the TLSA record, the part you want to give to your DNS host is what comes after TLSA in the output of tlsa. For the above, that would be

3 0 1 e010b00062fa5936ad1b8b3abc677c145094c54d5391c412e0c9a4c8c956a8c0

Client support (or lack thereof)

Do note that while tlsa --verify will tell you whether you have set this up correctly, no modern browser will actually use your TLSA records unless you install a plugin. Mozilla is in no rush to add support and Google has declared they do not intend to add support.

Generating SSHFP records

SSHFP records store ssh host key fingerprints in DNS, so if you add

VerifyHostKeyDNS ask

to your ~/.ssh/config file, then your first login to a host that publishes them will include the line "Matching host key fingerprint found in DNS.":

$ ssh aweirdimagination.net
The authenticity of host 'aweirdimagination.net (' can't be established.
RSA key fingerprint is ff:99:5a:69:08:d4:83:55:c7:95:fa:d7:4e:c2:08:46.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?

The ssh-keygen command included with ssh generates the records (run it on the server, since it reads that host's own keys):

$ ssh-keygen -r aweirdimagination.net
aweirdimagination.net IN SSHFP 1 1 825a7ff74fe77b0e7354c44f675d595c177b2496
aweirdimagination.net IN SSHFP 1 2 e376ac225bd0469612860c47ac79fa51486db609ca6e8d34a0020411cf6a9f92
aweirdimagination.net IN SSHFP 2 1 0854b02a3c8b2cb116373a142d75206244775b7a
aweirdimagination.net IN SSHFP 2 2 a051aa98f2a87dce8c9fd319abd87d5822d6c3bfc23707992527a965b6058287

Once again, the actual record starts after SSHFP on each line. See this Unix StackExchange answer for a description of what those fields mean.
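To make the shape of both record types concrete, here is an added example (not code from the post, and not hash-slinger or ssh-keygen) that builds the rdata for SSHFP and for a selector-0 TLSA record from standard-library hashes, and performs the matching check that VerifyHostKeyDNS relies on. It assumes the RFC algorithm and fingerprint-type numbers listed in the dictionaries, and the sample key it hashes is a constructed blob, not a real host key.

```python
import base64
import hashlib

# SSHFP algorithm numbers (RFC 4255, 6594, 7479); fingerprint type 1 = SHA-1, 2 = SHA-256.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
                    "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}

def _key_blob(pubkey_line):
    """Decode one OpenSSH public key line into (algorithm number, raw key blob)."""
    keytype, b64 = pubkey_line.split()[:2]
    return SSHFP_ALGORITHMS[keytype], base64.b64decode(b64)

def sshfp_rdata(pubkey_line):
    """The text after 'IN SSHFP' that ssh-keygen -r prints, one entry per hash type."""
    alg, blob = _key_blob(pubkey_line)
    return ["%d %d %s" % (alg, fptype, h(blob).hexdigest())
            for fptype, h in sorted(SSHFP_HASHES.items())]

def sshfp_matches(pubkey_line, records):
    """Client-side check (what VerifyHostKeyDNS does): a record vouches for the
    key only if its algorithm and fingerprint type match and the digest agrees,
    so a stale record for an old key or an unknown hash type is ignored."""
    alg, blob = _key_blob(pubkey_line)
    for rec in records:
        r_alg, r_type, r_fp = rec.split()
        h = SSHFP_HASHES.get(int(r_type))
        if int(r_alg) == alg and h and h(blob).hexdigest() == r_fp.lower():
            return True
    return False

def tlsa_rdata(cert_der, usage=3, matching=1):
    """TLSA rdata for selector 0 (the whole DER certificate), the shape of the
    post's '3 0 1 ...' record: usage 3 = end-entity certificate, matching type
    1 = SHA-256 (2 = SHA-512, 0 = the raw certificate in hex)."""
    if matching == 0:
        digest = cert_der.hex()
    else:
        digest = {1: hashlib.sha256, 2: hashlib.sha512}[matching](cert_der).hexdigest()
    return "%d 0 %d %s" % (usage, matching, digest)

def constructed_pubkey_line(keytype, raw):
    """Build an OpenSSH public key line around an SSH wire blob; this is a
    constructed sample for the demo, not a real host key."""
    blob = b"".join(len(p).to_bytes(4, "big") + p for p in (keytype.encode(), raw))
    return "%s %s demo@example" % (keytype, base64.b64encode(blob).decode())
```

Feed sshfp_rdata a line from /etc/ssh/ssh_host_*_key.pub and tlsa_rdata the DER bytes of your certificate to reproduce the record data shown above.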
