« Previous 1 2 3 4 5
Transport Encryption with DANE and DNSSEC
Safe Transport
TLSA RR
The administrator still needs to enter a matching TLSA RR in the signed zone of the MX. A TLSA generator [6] helps create the resource record. Anyone who has a CA-signed certificate selects the 3 , 1 radio buttons and then 1 again (Figure 2), copies the certificate into the designated input field, and then specifies how the related service is reached.
Figure 2: The TLSA generator comfortably produces TLSA RRs in the browser.
The generated output is then transferred into the zone file. The new entry for requests is available after updating the serial number and a reload. The policy is now armed. The Sys4 DANE validator [7] from email specialist Patrick Koetter helps by checking thoroughly whether the published TLS policy is without defects.
Infos
- ISPs removing their customers' email encryption: https://www.eff.org/de/deeplinks/2014/11/starttls-downgrade-attacks
- Google, Yahoo SMTP email severs hit in Thailand: http://www.telecomasia.net/content/google-yahoo-smtp-email-severs-hit-thailand
- DigiNotar debacle: https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it
- TurkTrust fraudulent certificates: https://bto.bluecoat.com/security-advisory/sa73
- Unbound: https://www.unbound.net/index.html
- TLSA generator: https://www.huque.com/bin/gen_tlsa
- DANE validator: https://dane.sys4.de
« Previous 1 2 3 4 5
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Hardening mail servers, clients, and connections
If you don't want to hand over your mail to a corporation, you have to operate your own mail server. Securing it sensibly involves some effort. -
Hardening network services with DNS
The Domain Name System, in addition to assigning IP addresses, lets you protect the network communication of servers in a domain. DNS offers further hardening of network protocols – in particular, SSH fingerprinting and CAA records. -
Posteo, Mailbox.org, Tutanota, and ProtonMail compared
Encryption and server locations in Germany and Switzerland are sought-after attributes in the search for a more secure and reliable email service. We compare four providers who promise to protect your privacy. -
Secure your data channel with stunnel
Stunnel provides a TLS wrapper with extensive configuration options to secure your data over insecure wireless networks. -
Solving the security problems of encrypted DNS
DNS encryption offers WiFi users good protection in public spaces; however, in the enterprise, it prevents the evaluation and filtering of name resolution.