Default enable automated DNSSEC and DANE

Would be great if Virtualmin could automate everything on the following page, then show you exactly what to copy/paste and insert into your DNS account at your registrar (Verisign, Tucows, Namecheap, GoDaddy or whatever).

From the virtualmin page "DNSSEC what an interesting journey"... https://www.virtualmin.com/node/37132

Another page asking how to get DNSSEC working, because it doesn't work automatically! You have to manually submit data to your domain registrar... https://www.virtualmin.com/node/33108

https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities

https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization

http://www.internetsociety.org/deploy360/resources/dane-test-sites/

http://dane.verisignlabs.com/

http://www.tlsa.info/

https://www.dnssec-validator.cz

This add-on for Firefox or Iceweasel tells you with an icon whether the site you're on has properly implemented DNSSEC. Hint: Virtualmin.com has broken DNSSEC!! Try for yourself and see... https://addons.mozilla.org/en-US/firefox/addon/dnssec-validator/

Status: 
Active

Comments

Submitted by Diabolico on Mon, 06/06/2016 - 18:42

Now that you have reminded me, I should make a few minor changes. One of them is a script and instructions for cron to sign the zone every X days. To be honest I never used DNSSEC from Vmin, but I think it works if you go to:

Vmin - System settings - Server templates - Default settings - BIND DNS domain
"Create DNSSEC key and sign new domains?" - Yes
"DNSSEC cryptographic algorithm" - NSEC3RSASHA1, to avoid zone walking
"Number of DNSSEC keys" - Zone key and key-signing key

Now, how Vmin deals with re-signing the zone every X days I don't know, but I know it must be done every 30 days (max, but you can re-sign every X<30 days).
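The "sign the zone every X days" point above is the part that breaks silently if the cron job stops running: once the RRSIGs pass their expiration time, validating resolvers treat the zone as bogus and answer SERVFAIL. As an added example, not Diabolico's script and not Virtualmin code, the check below parses RRSIG lines in the presentation format `dig +dnssec` prints and reports the signatures that expire within a warning window. The three RRSIG lines are constructed sample data; the key tag, timestamps and signature fields in them are placeholders.

```python
"""Report DNSSEC signatures that are about to expire, so a zone that was signed once and
never re-signed gets noticed before validating resolvers start failing it.
Added example, not Virtualmin code or Diabolico's script; the zone data is constructed."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the format `dig +dnssec` prints.  RRSIG RDATA fields (RFC 4034 3.2):
# type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer, signature.
# Key tag 2063, the timestamps and the base64 signatures are placeholders, not real data.
SAMPLE_ZONE = """\
example.com. 3600 IN RRSIG A   8 2 3600 20160705120000 20160605120000 2063 example.com. AAAA
example.com. 3600 IN RRSIG MX  8 2 3600 20160615120000 20160516120000 2063 example.com. BBBB
example.com. 3600 IN RRSIG SOA 8 2 3600 20160609120000 20160510120000 2063 example.com. CCCC
"""


def _rrsig_time(stamp: str) -> datetime:
    """RRSIG times are YYYYMMDDHHMMSS in UTC (RFC 4034 section 3.2)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig_expirations(zone_text: str):
    """Return (owner, type covered, expiration datetime) for every RRSIG line.
    Lines that are not RRSIG records (or are too short to be one) are ignored."""
    found = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 13 or fields[3] != "RRSIG":
            continue
        found.append((fields[0], fields[4], _rrsig_time(fields[8])))
    return found


def expiring_signatures(zone_text: str, now_stamp: str, warn_days: int = 7):
    """Signatures whose expiration is within warn_days of now_stamp (YYYYMMDDHHMMSS, UTC),
    including ones that have already expired (negative days_left).
    Returns a list of (owner, type covered, days_left)."""
    now = _rrsig_time(now_stamp)
    return [(owner, rtype, (exp - now).days)
            for owner, rtype, exp in parse_rrsig_expirations(zone_text)
            if exp - now <= timedelta(days=warn_days)]


if __name__ == "__main__":
    # "now" is fixed to a constructed date so the sample data produces something to report.
    for owner, rtype, days in expiring_signatures(SAMPLE_ZONE, "20160610120000"):
        state = "EXPIRED" if days < 0 else f"{days} days left"
        print(f"{owner} RRSIG({rtype}): {state}, re-sign the zone")
```

Feed it the `dig +dnssec` output for the zone's records (or the signed zone file itself) from cron with the current UTC time; anything reported as expired means the re-sign job did not run, and a short "days left" means it is about to stop running on time.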

http://dnssec-debugger.verisignlabs.com/virtualmin.com This is a link to the Verisign DNSSEC analysis page, which shows the problems with virtualmin.com's DNSSEC.

Found 2 DNSKEY records for .
DS=19036/SHA-1 verifies DNSKEY=19036/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=19036 and DNSKEY=19036/SEP verifies the DNSKEY RRset
com
Found 1 DS records for com in the . zone
Found 1 RRSIGs over DS RRset
RRSIG=60615 and DNSKEY=60615 verifies the DS RRset
Found 2 DNSKEY records for com
DS=30909/SHA-256 verifies DNSKEY=30909/SEP
Found 1 RRSIGs over DNSKEY RRset
RRSIG=30909 and DNSKEY=30909/SEP verifies the DNSKEY RRset
virtualmin.com
No DS records found for virtualmin.com in the com zone
No DNSKEY records found
virtualmin.com A RR has value 198.154.100.99
No RRSIGs found

A nicer visualization of the DNSSEC problems on virtualmin.com using DNSViz, a GitHub project supported by Verisign and Sandia Labs: http://dnsviz.net/d/virtualmin.com/dnssec/ Excerpt: Insecure: virtualmin.com/A virtualmin.com/MX virtualmin.com/NS virtualmin.com/SOA virtualmin.com/TXT

Fixing the DNSSEC implementation to automatically do most of the work on this would make DNSSEC work and the domain be secure... DNSSEC adds security to SMTP email and web! By vouching in the DNS records themselves that the MX and web addresses are signed and authorized to serve content or send emails... Great reasons to fix DNSSEC and DANE so it works pretty much effortlessly by default.

@Diabolico

Getting DNSSEC working requires the server admin to copy/paste a bunch of text (the two DS keys, i.e. Delegation Signer keys) into your domain registrar's web interface...

Getting DANE working requires Virtualmin to automatically add a special TLSA record to the virtual server's BIND domain...

When both DANE and DNSSEC are working automatically for your virtual server, and you have installed the DNSSEC and DANE Firefox add-ons... you'll see two additional green icons in your browser address bar!! One icon for good DNSSEC and one icon for good DANE/TLSA.

Just wondering about the timeline for implementing the automatically generated TLSA/DANE BIND record piece...?

PS The page which demonstrates the TLSA DNS record generator algorithm... https://www.huque.com/bin/gen_tlsa
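The two records the posts above ask for are both derived from data the server already has, which is the case for automating them. As an added example (not code from the original posts, the linked generator page or Virtualmin itself), the Python below computes both: the DS record that the admin pastes at the registrar, built from the zone's DNSKEY as RFC 4034 specifies (key tag per Appendix B, digest over the owner name in wire form followed by the DNSKEY RDATA), and the TLSA record that would go into the BIND zone for DANE, with the usage/selector/matching-type fields of RFC 6698 in front of the hashed certificate or SubjectPublicKeyInfo. Only the standard library is used; example.com, the four-byte "public key" and the SPKI bytes are constructed placeholders rather than real key material, and pulling the SPKI out of an X.509 certificate is left to a proper parser.

```python
"""Derive the two records the thread talks about: the DS record pasted at the registrar
(from a zone's DNSKEY) and a TLSA record for DANE (from a certificate or its SPKI).
Added example, not Virtualmin code; names and key bytes are constructed placeholders."""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DS_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
# TLSA matching types (RFC 6698): 0 = exact data, 1 = SHA-256, 2 = SHA-512.
TLSA_MATCH = {1: hashlib.sha256, 2: hashlib.sha512}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased labels, each prefixed by its
    length, terminated by the zero-length root label.  This is what the DS digest covers."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit ones'-complement-style sum over the RDATA,
    even-offset bytes taken as the high octet, odd-offset bytes as the low octet."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str,
              digest_type: int = 2) -> str:
    """Presentation-format DS RR for the given DNSKEY, i.e. the line pasted at the registrar.
    Digest = H(owner name in wire form || DNSKEY RDATA)."""
    pubkey = base64.b64decode(pubkey_b64)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DS_DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def tlsa_record(host: str, port: int, data: bytes, usage: int = 3, selector: int = 1,
                matching: int = 1, proto: str = "tcp") -> str:
    """Presentation-format TLSA RR.  `data` is the DER certificate (selector 0) or the DER
    SubjectPublicKeyInfo (selector 1); extracting the SPKI from a certificate needs a real
    X.509 parser and is not done here.  Default 3 1 1 = DANE-EE, SPKI, SHA-256."""
    if matching == 0:
        assoc = data.hex().upper()
    else:
        assoc = TLSA_MATCH[matching](data).hexdigest().upper()
    return f"_{port}._{proto}.{host.rstrip('.')}. IN TLSA {usage} {selector} {matching} {assoc}"


if __name__ == "__main__":
    # Constructed placeholder key: four bytes, not a real RSA or ECDSA public key.
    pub = base64.b64encode(b"\x01\x02\x03\x04").decode()
    print(ds_record("example.com", 257, 3, 8, pub))          # flags 257 = KSK (SEP bit set)
    print(tlsa_record("example.com", 443, b"placeholder SPKI DER"))
```

The DS line is the registrar's input: its key tag must match the tag `dig DNSKEY` reports for the KSK, or the chain of trust from `com` will not validate (the "No DS records found" line in the debugger output above is exactly the missing link). The TLSA line belongs in the signed zone; with usage 3 and selector 1 it pins the server's public key, so it stays valid across certificate renewals that keep the same key pair, and has to be regenerated whenever the key changes.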

Submitted by Diabolico on Fri, 06/10/2016 - 18:17

Well, now I don't see what the point of this topic is. You started with automated DNSSEC in Vmin and then expanded to virtualmin.com as a domain (and its broken or missing DNSSEC).

I will tell you now why it is bad to make it automated. Right now the majority of my servers are on new hardware with SSDs, and depending on the virtualization the keys are made anywhere from relatively fast to almost instantly. But I will tell you now what would happen if you try to make the keys on old hardware with HDDs, or an oversold server, or both: your keys would take 2-3 to 4+ hours to generate (especially on OpenVZ). If this process were automated it would probably get stuck somewhere and be the cause of more problems. Anyone who needs DNSSEC should know why he needs it and how to make it work. Whoever doesn't know what DNSSEC is doesn't need it, and from the client point of view more than 80-90% of them don't even know what DNSSEC is.

To automate something that the majority of Vmin users don't even know exists, or what its purpose is, is just calling for more trouble than anything else.

I might only half understand the intricacies of DNSSEC but I know that to improve overall security implementing it globally is "a good thing". The more automated and less prone to human error the process of having it can become the better.

I'd love to know where you are getting the empirical evidence to suggest that "majority of Vmin users doesnt even know that exist" or how you justify "who doesn't know what is DNSSEC he doesn't need it". Even IF most people didn't know what it was, it is naive to suggest that lack of knowledge of something means they don't need it. Someone completely new to server administration might not know about firewalls, but they sure need them. Someone with a public-facing website should do their best to make their system as secure as possible. Tools like Virtualmin, which are meant to take away a lot of the pain of server administration, should do what they can [fully or even partially automated] to keep overall security scores as high as possible.

Submitted by Diabolico on Sun, 07/10/2016 - 10:47

I might only half understand the intricacies of DNSSEC

But you think it should be automated?

The more automated and less prone to human error the process of having it can become the better.

Automated or not, you still must set up everything, check it, and then keep an eye on whether everything works. Automated usually means you saved yourself a few clicks and minutes. With DNSSEC I don't see what the real gain is in getting it automated, plus what if someone doesn't want this option? You want to force everyone to install it so you could save yourself literally 2 min of work? Pointless.

I'd love to know where you are getting the empirical evidence

It's called statistics, and sometimes it's cool to check them and see what the current state is on a specific subject, in this case DNSSEC. Even big banks or payment systems don't have DNSSEC enabled, e.g. PayPal has it but 2CO doesn't, and so on... If you want to use DNSSEC it's just 2-3 clicks from Vmin, or do it manually.

Even IF most people didn't know what it was, it is naive to suggest that lack of knowledge of something means they don't need it. Someone, completely new to server administration, might not know about firewalls but they sure need them.

If someone is so new he will never be able to properly secure his server, and the best option is to pay a SysAdmin to do the job. People who do not understand ports and firewalls usually have a wrong configuration, and regardless of whether the firewall is active or not, because of the bad setup their security didn't move anywhere.

Not to forget, DNSSEC is still not implemented in mainstream browsers, so without add-ons you are not able to check whether the website is legit or not like we can do with SSL. There is still a lot of work to do behind DNSSEC and right now we are not even close to full implementation. You can make a chain, but if your ISP doesn't support it or you don't have a browser with a DNSSEC add-on you didn't do anything good.

On the other hand, if you are an expert, stop whining about an option that will save you 2 min and do it over Vmin or manually. There is my post on the forum on how to manually enable DNSSEC; it's a little outdated, but for experts like you it should be more than enough to catch up and enable it on your server. Actually, the time needed to write your post would have been enough to set up DNSSEC.

Last but not least, don't forget what I said in my previous post: for people on oversold and/or old servers it will be a pain in the a** to make the keys, and if this option is automated I'm almost 100% sure it will fail or stall any future actions in Vmin for a long time (like 2-3+ hours).

TLDR - No need to automate a service that is still not properly implemented just to save 2-3 min of your time, while at the same time making hell for people who are unlucky enough to be on oversold and/or old servers (hardware).

Thanks for all your thoughts guys -- we'll talk about the original poster's request, and consider all your input, regarding how to improve Virtualmin's DNSSEC support.