« Previous 1 2 3 4 5

Transport Encryption with DANE and DNSSEC

Safe Transport

TLSA RR

The administrator still needs to enter a matching TLSA RR in the signed zone of the MX. A TLSA generator [6] helps create the resource record. Anyone who has a CA-signed certificate selects the 3 , 1 radio buttons and then 1 again (Figure 2), copies the certificate into the designated input field, and then specifies how the related service is reached.

Figure 2: The TLSA generator comfortably produces TLSA RRs in the browser.

The generated output is then transferred into the zone file. The new entry for requests is available after updating the serial number and a reload. The policy is now armed. The Sys4 DANE validator [7] from email specialist Patrick Koetter helps by checking thoroughly whether the published TLS policy is without defects.

Infos

ISPs removing their customers' email encryption: https://www.eff.org/de/deeplinks/2014/11/starttls-downgrade-attacks
Google, Yahoo SMTP email severs hit in Thailand: http://www.telecomasia.net/content/google-yahoo-smtp-email-severs-hit-thailand
DigiNotar debacle: https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it
TurkTrust fraudulent certificates: https://bto.bluecoat.com/security-advisory/sa73
Unbound: https://www.unbound.net/index.html
TLSA generator: https://www.huque.com/bin/gen_tlsa
DANE validator: https://dane.sys4.de

« Previous 1 2 3 4 5

Buy this article as PDF

Express-Checkout as PDF

Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES

SUBSCRIPTIONS

Print Subs

Digisubs

TABLET & SMARTPHONE APPS

US / Canada

UK / Australia

Related content

Hardening mail servers, clients, and connections
If you don't want to hand over your mail to a corporation, you have to operate your own mail server. Securing it sensibly involves some effort.

more »
Hardening network services with DNS
The Domain Name System, in addition to assigning IP addresses, lets you protect the network communication of servers in a domain. DNS offers further hardening of network protocols – in particular, SSH fingerprinting and CAA records.

more »
Posteo, Mailbox.org, Tutanota, and ProtonMail compared
Encryption and server locations in Germany and Switzerland are sought-after attributes in the search for a more secure and reliable email service. We compare four providers who promise to protect your privacy.

more »
Secure your data channel with stunnel
Stunnel provides a TLS wrapper with extensive configuration options to secure your data over insecure wireless networks.

more »
Solving the security problems of encrypted DNS
DNS encryption offers WiFi users good protection in public spaces; however, in the enterprise, it prevents the evaluation and filtering of name resolution.

more »

comments powered by Disqus

Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Most Popular

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

Learn More”>
</a>

<hr>
</div>
</div>

<div class=