Transport Encryption with DANE and DNSSEC
Safe Transport
TLSA RR
The administrator still has to publish a matching TLSA RR in the signed zone of the MX host. A TLSA generator [6] helps create the resource record: anyone with a CA-signed certificate selects the 3, 1 radio buttons and then 1 again (Figure 2), that is, certificate usage 3, selector 1, and matching type 1, pastes the certificate into the designated input field, and then specifies how the related service is reached.
The generated output is then copied into the zone file. After the serial number has been updated and the zone reloaded, the new entry is available to resolvers, and the policy is armed. The Sys4 DANE validator [7] from email specialist Patrick Koetter then checks thoroughly whether the published TLS policy is free of defects.
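As an added example (not code from the article, the generator, or the Sys4 validator), the following standard-library Python builds the 3 1 1 rdata from a certificate's DER bytes by hashing its SubjectPublicKeyInfo, emits the zone-file line for the MX host's SMTP port, and checks a published record against the certificate actually served, which is the core of what the validator does. The certificate is a constructed, unsigned DER skeleton with dummy contents, and `mx.example.com` is a placeholder host name.

```python
import hashlib
def der_tlvs(buf):
    """Yield (tag, value, raw) for each top-level DER TLV in buf (definite lengths only)."""
    i = 0
    while i < len(buf):
        tag, n, hdr = buf[i], buf[i + 1], 2
        if n & 0x80:                              # long form: 0x8k, then k length bytes
            k = n & 0x7F
            n = int.from_bytes(buf[i + 2:i + 2 + k], "big")
            hdr += k
        yield tag, buf[i + hdr:i + hdr + n], buf[i:i + hdr + n]
        i += hdr + n

def subject_public_key_info(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV (RFC 5280 TBSCertificate field order)."""
    _, cert, _ = next(der_tlvs(cert_der))         # Certificate ::= SEQUENCE
    _, tbs, _ = next(der_tlvs(cert))              # tbsCertificate ::= SEQUENCE
    fields = [(t, raw) for t, _, raw in der_tlvs(tbs)]
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields.pop(0)
    return fields[5][1]    # serial, signature, issuer, validity, subject, SPKI

def tlsa_311(cert_der):
    """Rdata for usage 3 (DANE-EE), selector 1 (SPKI), matching type 1 (SHA-256)."""
    return "3 1 1 " + hashlib.sha256(subject_public_key_info(cert_der)).hexdigest()

def zone_line(mx_host, cert_der, port=25):
    """Zone-file line for the MX host's SMTP service, as the generator emits it."""
    return f"_{port}._tcp.{mx_host}. IN TLSA {tlsa_311(cert_der)}"

def matches(published_rdata, cert_der):
    """What a validator checks: does the published 3 1 1 digest fit the served cert?"""
    usage, selector, mtype, digest = published_rdata.split()
    if (usage, selector, mtype) != ("3", "1", "1"):
        raise ValueError("only 3 1 1 records are handled here")
    return digest.lower() == tlsa_311(cert_der)[6:]

def tlv(tag, value):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + value

# Constructed sample certificate: correct field order, dummy contents, no real signature.
SAMPLE_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                  + tlv(0x03, b"\x00" + bytes(range(256))))
SAMPLE_CERT = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
                  + tlv(0x30, b"") * 4 + SAMPLE_SPKI) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

For a real certificate, pass the base64-decoded body of the PEM file to `zone_line`; `matches` takes the rdata string exactly as it appears in the zone.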
Infos
- [1] ISPs removing their customers' email encryption: https://www.eff.org/de/deeplinks/2014/11/starttls-downgrade-attacks
- [2] Google, Yahoo SMTP email servers hit in Thailand: http://www.telecomasia.net/content/google-yahoo-smtp-email-severs-hit-thailand
- [3] DigiNotar debacle: https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it
- [4] TurkTrust fraudulent certificates: https://bto.bluecoat.com/security-advisory/sa73
- [5] Unbound: https://www.unbound.net/index.html
- [6] TLSA generator: https://www.huque.com/bin/gen_tlsa
- [7] DANE validator: https://dane.sys4.de