#tlsa — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #tlsa, aggregated by home.social.
-
why monitor 9 email protocols when the industry standard is 5
the typical DMARC vendor covers DMARC, SPF, DKIM... sometimes BIMI & MTA-STS...
that was adequate in 2022
in 2026, email security has expanded
each protocol solves a specific failure mode
ignoring any of them means accepting a blind spot
I added them because I kept seeing real failures that the 5-protocol approach couldn't explain
-
🛡️ We’ve expanded DNSimple's DNS capabilities: TLSA record support is now live for all customers! 🚀
Strengthen your domain security with certificate pinning, DANE protocol, and non-ICANN TLD compatibility.
👀 Watch our video explainer for all the details: https://www.youtube.com/watch?v=B_8Cv6iyruI
-
Obviously, changing the #certificate requires changing this #TLSA record in order to prevent false positives. Ideally both happen in the same automated process, which would require API capabilities from your DNS provider. If they do not offer that, you might want to consider moving the SOA to #Azure #DNS and using its #API: https://learn.microsoft.com/en-us/rest/api/dns?WT.mc_id=M365-MVP-5000976
-
Day 19 of #ITAdvent. One other consideration of using Automatic Certificate Management Environment or #ACME is that you also need to update your #TLSA #DNS record for #DANE. This record contains the #certificate thumbprint, binding that certificate to that specific URI enabling clients to check authenticity.
-
Automating TLSA record updates for DANE: integration with the PowerDNS API
In today's email ecosystem, the security of message delivery is critically important. SMTP, while fundamental, was not originally designed with protection in mind. To secure it, SMTP TLS was developed, which encrypts the connection between mail servers. However, it is vulnerable to man-in-the-middle (MitM) attacks if an attacker can forge a certificate. DANE (DNS-based Authentication of Named Entities) solves this problem by using DNSSEC as the root of trust. A TLSA record in DNS binds a server's domain name to its certificate or public key. The mail recipient can check that the sender's certificate matches the DNSSEC-protected record in DNS, which makes forgery practically impossible. For DANE to work, TLSA records must always match the valid certificates on the server. This process is an ideal candidate for automation. One tool that can help:
Python script for automatically updating TLSA records
The Python script presented here solves the task of automatically updating TLSA records on an authoritative PowerDNS DNS server when certificates are renewed. It is a key component for keeping DANE current across the infrastructure.
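Added example, not from any post above and not the PowerDNS script the post describes; it assumes only the Python standard library. It derives the TLSA RDATA (usage, selector, matching type, digest) from a DER certificate and checks a presented certificate against a published record, which is the piece any renewal hook must get right; the certificate it builds is a constructed, unsigned DER skeleton, not a real one.

```python
import hashlib

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_der(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 certificate (what selector 1 covers)."""
    _, pos, _ = _tlv(cert_der, 0)           # enter Certificate SEQUENCE
    _, pos, end = _tlv(cert_der, pos)       # enter tbsCertificate SEQUENCE
    fields = []
    while pos < end:                        # index the top-level tbs fields
        tag, _, vend = _tlv(cert_der, pos)
        fields.append((tag, pos, vend))
        pos = vend
    if fields[0][0] == 0xA0:                # skip optional [0] EXPLICIT version
        fields = fields[1:]
    _, start, stop = fields[5]              # serial, sigAlg, issuer, validity, subject, SPKI
    return cert_der[start:stop]

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """TLSA RDATA text 'usage selector mtype data' as in RFC 6698 (3 1 1 by default)."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    digest = {0: lambda b: b.hex(), 1: lambda b: hashlib.sha256(b).hexdigest(),
              2: lambda b: hashlib.sha512(b).hexdigest()}[mtype](data)
    return f"{usage} {selector} {mtype} {digest}"

def tlsa_matches(cert_der, rdata):
    """Does the presented certificate satisfy the published TLSA record?"""
    usage, selector, mtype, data = rdata.split(None, 3)
    want = tlsa_rdata(cert_der, int(usage), int(selector), int(mtype)).split()[3]
    return want == data.replace(" ", "").lower()   # dig may wrap the hex with spaces

def _der(tag, content):
    # Tiny DER encoder, used only to build the constructed sample certificate.
    n, lb = len(content), b"" if len(content) < 0x80 else len(content).to_bytes(2, "big").lstrip(b"\x00")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def sample_cert(pubkey):
    """Constructed v3 certificate skeleton around a raw EC point (not a real cert)."""
    seq = lambda *parts: _der(0x30, b"".join(parts))
    oid_ec = _der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")                   # id-ecPublicKey
    name = seq(_der(0x31, seq(_der(0x06, b"\x55\x04\x03"), _der(0x0c, b"mail.example.org"))))
    tbs = seq(_der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), seq(oid_ec), name,
              seq(_der(0x17, b"240101000000Z"), _der(0x17, b"250101000000Z")), name,
              seq(seq(oid_ec), _der(0x03, b"\x00" + pubkey)))
    return seq(tbs, seq(oid_ec), _der(0x03, b"\x00" * 9))
```

With a real certificate, pass the bytes of `openssl x509 -outform DER` to `tlsa_rdata` and publish the result at `_25._tcp.<mx host>`; on a rollover, publish the new record alongside the old one before the renewed certificate is deployed.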
-
🚨 Fixing the PKI Mess: CAA + Your Own CA via DNS 🚨
Right now, any CA can issue a certificate for your domain. Even if you set a CAA record (`issue "letsencrypt.org"`), it only controls *who* can issue, not what cert is valid. This is broken.
🔐 What if we could fix this using DNS?
#Introducing CAA+CA Fingerprint: Self-Sovereign Certificate Authority
Instead of just saying *which CA can issue*, you publish your own CA's fingerprint in DNS. If your CA issues a cert for `awesomecars.com`, browsers should validate it against the DNS-published CA key.
🔥 How It Works
You run your own CA (because why trust the cartel?). You then publish:
1️⃣ A CAA record specifying your own CA (with a fingerprint! 🔥)
2️⃣ A DNS record with your CA’s public key (like DKIM but for TLS!)
🔹 Example DNS Setup for `awesomecars.com`:
```
awesomecars.com. IN CAA 0 issue "pki.awesomecars.com; sha256=abcd1234..."
pki.awesomecars.com. IN CERT 6 0 0 (--BEGIN CERTIFICATE-- ....)
```
Now, only certs signed by your CA are valid for `awesomecars.com`, even if another CA is tricked into issuing a rogue cert. No more CA hijacking!
🚀 Why Is This Better Than the Current CA Model?
✅ Self-Sovereign Identity: If you own the domain, you should own its PKI.
✅ Prevents Rogue Certs: No government or rogue CA can fake a cert for your domain.
✅ Works Like DKIM for Email: Your CA’s public key is stored in DNSSEC-protected records, just like DKIM keys for email signing.
✅ No More External Trust Issues: You control your CA entirely, instead of relying on Google’s CA store.
✅ Perfect for Self-Hosting & Internal Networks: No need for external CA trust—your DNS is your trust model.
🔥 Why Isn’t This a Thing Already?
Big Tech hates this idea because it removes their control:
❌ Google wants Certificate Transparency (CT), where they control which certs are logged.
❌ Commercial CAs make $$$ selling certs. This kills their business.
❌ DNSSEC adoption is intentionally kept low by the same companies who don’t want this to succeed.
Browsers refuse to support TLSA for the same reason—they want centralized CA trust, not self-hosted PKI.
🔗 Who Needs to Implement This?
🚀 Self-hosters & Homelabs: Use this for your own infrastructure.
🚀 Email providers: Stop relying on public CAs!
🚀 Privacy-focused projects (Tor, Matrix, XMPP, Fediverse, etc.): A true decentralized PKI alternative.
🚀 Fediverse devs: Let’s push for DNS-based CA validation!
What do you think? Would you trust your own CA in DNS over some random commercial CA?
🔁 Boost this if you want a decentralized PKI revolution!
🔥 This keeps the focus on self-hosting your own CA, highlights the security flaws of current PKI, and calls out Big Tech’s resistance to decentralized trust.
#PKI #Security #DNSSEC #DANE #TLSA #CAA #SelfHosting #Fediverse #Privacy #Decentralization #dns #linux
-
TLSA records in DNS
I noticed I had never written about TLSA records. They belong to DANE (DNS-based Authentication of Named Entities); the simplest way to understand it is that signature-authentication information is provided through DNS.
I looked up TLSA records after seeing this announcement from AWS's Amazon Route 53: "Amazon Route 53 announces HTTPS, SSHFP, SVCB, and TLSA DNS resource record support".
The current ways of authenticating TLS certificates are mainly
https://blog.gslin.org/archives/2024/10/31/12056/dns-%e7%9a%84-tlsa-record/
#AWS #Cloud #Computer #DNS #Murmuring #Network #Security #Service #amazon #aws #cloud #dns #record #route53 #service #tlsa
-
Claudia Plattner, President of German BSI, has just been featured in an article on email security in eco's dotmagazine. It's a wake-up call and invitation to enhance email security in a joint effort :blobs:
I like it :ablobsmile:
#SPF #DKIM #DMARC #DANE #TLSA #MTASTS #TLSRPT #Mailsecurity #TeamBSI @bsi
-
Good things are coming to Exchange users it seems :think_starry_eyes: Took a bit longer than expected though 😉
-
So, inbound DANE for SMTP is set up as well. I just circumvented the rollover 'problem' on key changes by reusing the key for now:
-
The Internet Security Days 2024 marked the starting point for a new effort by eco and @bsi to raise adoption of modern email security standards across Germany and worldwide. I'm honored that I was allowed to shape some of the contents of this great event, and mail security is finally getting the attention it deserves 💌 :blobcatthx:
https://international.eco.de/news/internet-security-days-2024-it-security-for-email-ai-and-nis2/
#DMARC #SPF #DKIM #DANE #TLSA #MTASTS #TLSRPT #Mailsecurity #TeamBSI
-
Important notice for everyone using #LetsEncrypt certificates with #TLSA (DANE-TA) records: since 2024-06-06, newly issued certificates have a new intermediate CA, so new records must be created, now also for the backup CAs.
https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
So anyone using RSA+ECDSA certificates must add the DNS TLSA records for R10, R11, R12, R13, R14 and E5, E6, E7, E8, E9.
-
I very much recommend this article on #EmailSecurity written by my colleague Kristina for eco's dotmagazine :blobcatreading: It'll give you a brief overview of both of our Technical Guidelines (BSI TR-03108 and BSI TR-03182) and what we released them for 😀👍
#SPF #DKIM #DMARC #DANE #TLSA #MTASTS #TLSRPT #Mailsecurity #TeamBSI
-
Changes at @letsencrypt affecting mail servers using DANE-TA(2) with LE certificates:
- https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
- https://list.sys4.de/hyperkitty/list/d[email protected]/message/ZTM3XQMI3XP7PWMWJTXBYDPVU4UENE24/
#DANE #TLSA
-
Found another website with broken #DANE / #TLSA record (I'm becoming good at this ^^')
You might know this one if you're interested in #BGP or #DNS ;)
```
$ gnutls-cli --dane www.potaroo.net
...
- Status: The certificate is trusted.
- DANE: Verification failed. The certificate differs.
*** Fatal error: Error in the certificate.
```
-
I wrote another #blogpost about managing your #DNS via #KnotDNS and #SaltStack, this time about how to #automate / #orchestrate your #TLSA records. http://michal.hrusecky.net/2024/02/salt-dns-web/
-
This mishap with https://www.afnic.fr/ let me confirm that the #DANE / #TLSA plugin I use in Firefox works:
An eye-watering orange page with a warning message asking me whether I want to keep browsing the site despite a validation error
EDIT: the add-on is no longer available in the Red Panda's store :/
https://www.debian-fr.org/t/dnssec-dane-validator-plugin/89140
-
www.nic.cz changed its #TLSA RR but seems to have forgotten to lower the TTL before doing so. #Oops
```
$ dig +noall +answer _443._tcp.www.nic.cz TLSA
_443._tcp.www.nic.cz. 1334 IN TLSA 3 1 1 B0C8E88EEA57269FAD2A2F05AA0E1FFCED3281525CBC7185B52924D1 61FB0D5C
```
And here's what the auth server says
```
$ dig +noall +answer @a.ns.nic.cz. _443._tcp.www.nic.cz TLSA
_443._tcp.www.nic.cz. 1800 IN TLSA 3 1 1 80D53BD4DABDDF319FE34806A80C1086DD270279F3DD87D90B9E8077 465E2BE5
```
-
Last year, all of you together have executed 691,984 tests on https://Internet.nl and we have seen many of you improving 🚀. Congrats 🎉 to all 2,929 champions, 24,535 websites and 45 hosters in the Hall of Fame 💯. Let’s keep pushing together for a better Internet in 2023!
#moderninternet #standards #ipv6 #dnssec #rpki #https #dmarc #dane #tlsa
-
Just realised that #HTTP3 (and #QUIC) will need proper #TLSA records when I configure it for my website (and my public resolver), i.e. I'll need to create _udp TLSA records (that node is valid for TLSA, see https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#underscored-globally-scoped-dns-node-names )
Or it may be easier to use the _dane node (RFC 7671)? 🤔
e.g.
```
_443._tcp.www IN CNAME www._dane
_443._udp.www IN CNAME www._dane
www._dane IN TLSA...
```
-
👍 See: https://community.letsencrypt.org/t/understanding-smtp-dane-implementation-options/184274/4
For some more background info on DANE TLSA see:
- https://github.com/internetstandards/toolbox-wiki/blob/main/DANE-for-SMTP-how-to.md
- https://github.com/baknu/DANE-for-SMTP
Hope this helps.
-
@journalduhacker Personally, I got ahead of this a long time ago: I enabled #DoH but customized it to point at a #dns of my choosing (here my own, with #DNSSEC), so if #Firefox ever changes the settings we defined, then I'll drop it...
Otherwise, I'm looking into adding #DANE, i.e. #TLSA, as well if needed on my instances... (I still have to read up on that...)