Re: [exim] DNSSEC, TLSA, DKIM howto's

Author: Mark Elkins
Date:  
To: exim-users
Subject: Re: [exim] DNSSEC, TLSA, DKIM howto's
On Sat, 2014-10-11 at 02:37 +0000, Viktor Dukhovni wrote:
> On Fri, Oct 10, 2014 at 11:43:06PM +0200, Mark Elkins wrote:
>
> > I control both server and DNS. I went with:
> >
> > _25._tcp.mje99.posix.co.za. IN TLSA 3 0 1 {hexxy stuff}
>
> Note however, that with the "za" TLD unsigned, most sites will not
> be able to validate your zone keys/signature. At least my DNS
> resolver is not using any DLV look-aside servers. So in effect
> your domain looks like an unsigned non-DANE domain.


:-(

I do use DLV look-aside. With Look-aside - DNSSEC functionality should
be fine.

> > I'm unsure of the middle digit...
> > 0 = Full certificate
> > 1 = SubjectPublicKeyInfo
> > ... doesn't mean very much to me.
>
> The digest can either cover the entire certificate, or just the
> enclosed public key. I recommend the latter. Starting with
> a certificate file, you can obtain the hex bits via:
>
>     $ openssl x509 -in cert.pem -noout -pubkey |
>     openssl pkey -pubin -outform DER |
>     openssl dgst -sha256 | 
>     awk '{printf "IN TLSA 3 1 1 %s\n", $NF}'


So the code "openssl x509 -noout -pubkey | openssl pkey -pubin" selects
just the Public Key portion.
The advantage of doing so is not yet clear to me.
I presume the motivation for using the Public-Key instead of the whole
Certificate is either simplicity or less prone to bad key management?
Can you please clarify the reasoning?

Could your reasoning be that the Public-Key would remain constant for
the same CSR regardless of whether the Certificate is self-signed or
signed (or resigned) by a CA? ... or in other words - Certificate
rollover will not break a TLSA using just the Public-Key?
But wouldn't that then break the tie to one's preferred CA?

At least I now understand the purpose/effect for the "Matching Type"
middle digit.

> This is of course somewhat moot with "za" unsigned.


Current excuse: ZA is not yet managed by the ZACR (ZA Central Registry)
so we can't sensibly sign it (Politics). I'll probably be involved when
this does happen - but for now, hands are tied. CO.ZA itself is ready.

Getting off topic, but I assume this would help other people in similar
predicaments - where they perhaps have to use DLV look-aside for now.
-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
mje@???       Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za