OpenSourcerer Posted ...
DANE (DNS-based Authentication of Named Entities) is one more attempt to replace the reliance of web browsers on Certificate Authorities. DANE leverages the downsides of security in TLS: it allows one to specify which CA is allowed to issue certificates for a certain resource, and to certify the keys used in the domain's TLS servers by storing their fingerprints in a DNS record. For this the DNS record must be signed with DNSSEC. I request opinions and thoughts on the implementation of DANE for the AirVPN website, and the consideration of implementing this feature in the future. AirVPN could be the first VPN service worldwide to offer this security feature (as far as my information is correct), like Posteo, who is the first mail provider in Germany to implement it, and maybe worldwide.
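The post above describes the mechanism (a fingerprint of the server's certificate or key published in DNS and signed with DNSSEC) without showing what such a record looks like. The following is an added example, not code from the thread or from AirVPN: it derives the RFC 6698 TLSA record for a host from a DER certificate, walks the certificate to extract the SubjectPublicKeyInfo that selector 1 hashes, and checks a presented leaf certificate against a record. The certificate it builds is constructed test data with a dummy signature (the host name example.org is likewise a placeholder), so it runs offline; on a real host you would feed it the DER bytes of the deployed certificate.

```python
"""TLSA (RFC 6698) record generation and matching from a DER certificate.
Added example for this thread; not AirVPN's code."""
import hashlib
import hmac

# RFC 6698 section 2.1 field values
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHINGS = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}


def _der_encode(tag: int, value: bytes) -> bytes:
    """Encode one definite-length DER TLV (used only to build constructed test data)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _der_decode(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def spki_from_cert(cert_der: bytes) -> bytes:
    """Return the DER-encoded subjectPublicKeyInfo, tag and length included, as
    selector 1 requires: Certificate -> tbsCertificate -> sixth field after the
    optional EXPLICIT [0] version."""
    tag, cert_start, _ = _der_decode(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a DER SEQUENCE")
    tag, pos, tbs_end = _der_decode(cert_der, cert_start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a DER SEQUENCE")
    fields = []
    while pos < tbs_end:
        tag, _, ve = _der_decode(cert_der, pos)
        fields.append((tag, cert_der[pos:ve]))   # whole TLV, not just the value
        pos = ve
    if fields and fields[0][0] == 0xA0:          # version is absent in v1 certificates
        fields.pop(0)
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, spki = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a DER SEQUENCE")
    return spki


def tlsa_association(cert_der: bytes, selector: int, matching: int) -> bytes:
    """Certificate Association Data for the given selector and matching type."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if matching == 0:
        return data
    if matching == 1:
        return hashlib.sha256(data).digest()
    if matching == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching}")


def tlsa_record(host, port, proto, cert_der, usage=3, selector=1, matching=1) -> str:
    """Presentation format, e.g. '_443._tcp.example.org. IN TLSA 3 1 1 <hex>'."""
    assoc = tlsa_association(cert_der, selector, matching)
    return f"_{port}._{proto}.{host}. IN TLSA {usage} {selector} {matching} {assoc.hex()}"


def parse_tlsa_rdata(rdata: str):
    """'3 1 1 <hex>' -> (usage, selector, matching, association bytes)."""
    u, s, m, hexdata = rdata.split()
    return int(u), int(s), int(m), bytes.fromhex(hexdata)


def tlsa_matches_end_entity(cert_der, usage, selector, matching, assoc) -> bool:
    """Match the server's leaf certificate against one record. Only usages 1 and 3
    constrain the leaf; usages 0 and 2 name a trust anchor and additionally need
    PKIX path validation to that anchor, so they are not accepted here."""
    if usage not in (1, 3):
        return False
    return hmac.compare_digest(tlsa_association(cert_der, selector, matching), assoc)


def constructed_cert(pubkey: bytes, serial: int = 1, with_version: bool = True):
    """Constructed test data: a structurally valid DER Certificate with a dummy
    rsaEncryption AlgorithmIdentifier and a zero signature. Returns (cert, spki)."""
    alg = _der_encode(0x30, _der_encode(0x06, bytes.fromhex("2a864886f70d010101"))
                      + _der_encode(0x05, b""))
    spki = _der_encode(0x30, alg + _der_encode(0x03, b"\x00" + pubkey))
    version = _der_encode(0xA0, _der_encode(0x02, b"\x02")) if with_version else b""
    validity = _der_encode(0x30, _der_encode(0x17, b"240101000000Z")
                           + _der_encode(0x17, b"250101000000Z"))
    tbs = _der_encode(0x30, version + _der_encode(0x02, bytes([serial])) + alg
                      + _der_encode(0x30, b"") + validity + _der_encode(0x30, b"") + spki)
    return _der_encode(0x30, tbs + alg + _der_encode(0x03, b"\x00" * 17)), spki


if __name__ == "__main__":
    cert, _ = constructed_cert(b"\x42" * 64)
    print(tlsa_record("example.org", 443, "tcp", cert))
```

The usual choice for a self-managed site is `3 1 1` (DANE-EE, SPKI, SHA-256): it pins the key rather than the certificate, so a routine renewal that keeps the key pair does not invalidate the record, while `3 0 1` would. Whatever you publish, the zone must be DNSSEC-signed or validating clients will ignore the record, which is exactly the dependency the thread runs into.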
OpenSourcerer Posted ...
I usually don't push... but internet.nl now throws warnings if you let it test airvpn.org because DNSSEC/DANE is not supported.
Staff Posted ...
Hello!
We enabled IPv6 on airvpn.org. We enabled DNSSEC on airvpn.org. Now https://en.internet.nl/domain/airvpn.org/results returns a 100% score.
Unfortunately, our registrar GoDaddy does not support the TLSA record required by the DANE protocol. http://comments.gmane.org/gmane.ietf.dane/907
At the moment we can't do anything, nor change GoDaddy. We will try to request this feature from GoDaddy. In the future we will study the option to add DNSSEC on airdns.org (the DDNS domain linked to port forwarding etc., which is on our authoritative DNS), but it seems a bit complex.
> the consideration of implementing this feature in the future.
TLSA will be added for sure when GoDaddy supports it.
> I usually don't push...
Please, push freely. We always read all the topics/posts, but we might forget something if we have other priorities. Pushing doesn't cost anything.
Kind regards
zhang888 Posted ...
This can be fixed if you don't use GoDaddy's free NS servers, and host the records elsewhere such as your own NS or services like Cloudflare.
Staff Posted ...
> This can be fixed if you don't use GoDaddy's free NS servers, and host the records elsewhere such as your own NS or services like Cloudflare.
Hello, changing NS implies becoming authoritative, which requires stable DNS with fail-over and load-balancing, manual reconfiguration of all the domain stuff (like DNSSEC), etc. It may be done in the future, but currently DANE is unsupported by major browsers on the client side and unused by an overwhelming majority of persons even when some add-on for their browser is available. Interesting stuff, but it does not justify the work of changing NS records at the moment, we're sorry.
Kind regards
OpenSourcerer Posted ...
I love you. Marry me. That's an order! Pushing is restricted in most forums. It's annoying to see a post at the top of the first page over and over again just because no one can help the OP. Sometimes I'm a digital prophet preaching at least good pushing manners: "wait a few days while you try things on your own; if your post fails to get an answer from anyone, push by naming all the things you did after your last post". It's less spammy and increases the probability that the person solved it himself or captured new valuable information, which will in the end be a trigger for someone to ask more questions or come up with a creative solution. And yes, it's a pity GoDaddy doesn't support all the features. Really glad to read DNSSEC is enabled. As I said, I could kiss you.
In*the*AIR Posted ...
Hi, could you turn your DNS servers into recursive resolvers that implement DNSSEC validation? Google's DNS servers (8.8.8.8) do, so the following page, http://www.dnssec-failed.org/, which has bogus DNSSEC, does not load, but with yours it loads. Thanks
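The test the post above describes (a deliberately broken zone must fail, a correctly signed one must succeed) can be automated without a browser. The following is an added example, not code from the thread or from AirVPN: it builds a DNS query with the EDNS0 DO bit set, reads the AD bit and RCODE from the response header, and classifies the resolver from one answer for a signed name and one for the bogus name. The `<test>`-style checks use constructed response headers so the logic runs offline; the stand-alone run at the bottom actually sends queries, using 8.8.8.8 and dnssec-failed.org from the post and airvpn.org as the signed control (assumed to still be DNSSEC-signed, as the staff reply states).

```python
"""Probe whether a recursive resolver validates DNSSEC.
Added example for this thread; not AirVPN's code."""
import random
import socket
import struct
import sys

QTYPE_A, TYPE_OPT = 1, 41
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def build_query(qname: str, qtype: int = QTYPE_A, txid: int = None) -> bytes:
    """DNS query with RD set and an EDNS0 OPT record carrying the DO bit, so a
    validating resolver knows the client understands DNSSEC."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD; 1 question, 1 additional
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question += struct.pack(">HH", qtype, 1)                   # QTYPE, QCLASS IN
    # OPT RR: root name, type 41, class = UDP payload size, TTL = ext-rcode|version|flags
    opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, 4096, 0x00008000, 0)   # 0x8000 = DO
    return header + question + opt


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte header; AD (bit 5) is what a validating resolver sets."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": txid, "qr": flags >> 15 & 1, "ra": flags >> 7 & 1,
            "ad": flags >> 5 & 1, "cd": flags >> 4 & 1,
            "rcode": flags & 0xF, "ancount": an}


def classify(signed_resp: bytes, bogus_resp: bytes) -> str:
    """'validating' if the signed name comes back with AD and the bogus name
    SERVFAILs; 'not validating' if the bogus name resolves with no AD anywhere;
    'inconclusive' otherwise (timeouts, forwarders with mixed behaviour, ...)."""
    good, bad = parse_header(signed_resp), parse_header(bogus_resp)
    if good["ad"] == 1 and bad["rcode"] == 2:
        return "validating"
    if good["ad"] == 0 and bad["rcode"] == 0 and bad["ancount"] > 0:
        return "not validating"
    return "inconclusive"


def query(server: str, qname: str, timeout: float = 3.0) -> bytes:
    """Send one UDP query and return the matching response (network access)."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        while True:
            resp, _ = s.recvfrom(4096)
            if resp[:2] == q[:2]:          # drop replies with a foreign transaction ID
                return resp


def constructed_response(txid: int, rcode: int, ad: int, ancount: int) -> bytes:
    """Constructed test data: a response header (no RRs) with QR, RD, RA set."""
    flags = 0x8180 | (ad << 5) | rcode
    return struct.pack(">HHHHHH", txid, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "8.8.8.8"
    try:
        verdict = classify(query(server, "airvpn.org"), query(server, "dnssec-failed.org"))
    except (socket.timeout, OSError) as exc:
        verdict = f"inconclusive ({exc})"
    print(f"{server}: {verdict}")
```

Usage: `python3 probe.py 8.8.8.8` (or whatever resolver address you are assigned on the VPN). Two caveats a practitioner should keep in mind: the AD bit is only meaningful over a path you trust to the resolver (loopback, or an encrypted transport), because anyone on the path can set it in a spoofed reply; and a SERVFAIL for dnssec-failed.org alone is not proof of validation, which is why the classification also requires AD on the signed control name.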
In*the*AIR Posted ...
And for people interested, there is an extension available for Firefox: https://www.dnssec-validator.cz/
OpenSourcerer Posted ...
> And for people interested, there is an extension available for Firefox: https://www.dnssec-validator.cz/
Yes, there is. Another DNSSEC Resolver Test points out your findings. This one also explains how to "activate" validation.
go558a83nk Posted ...
Now that airvpn.org is hosted by OVH, is DANE possible?
zhang888 Posted ...
> Now that airvpn.org is hosted by OVH, is DANE possible?
GoDaddy still doesn't support TLSA records. OVH is just the frontend of the web server; the records are set at the DNS level, at the registrar in this case.
go558a83nk Posted ...
> > Now that airvpn.org is hosted by OVH, is DANE possible?
> GoDaddy still doesn't support TLSA records. OVH is just the frontend of the web server; the records are set at the DNS level, at the registrar in this case.
Ahh.. there's a lot I don't understand about that stuff.
BSoD Posted ...
> > > Now that airvpn.org is hosted by OVH, is DANE possible?
> > GoDaddy still doesn't support TLSA records. OVH is just the frontend of the web server; the records are set at the DNS level, at the registrar in this case.
> Ahh.. there's a lot I don't understand about that stuff.
When you ping airvpn.org (to get the IP) and then whois it (to check registrant data; yes, you can whois IPs), you get a reference to OVH, meaning that the server hosting the frontend/website is hosted by OVH. However, when you whois airvpn.org you get a record for the nameserver PDNS03.DOMAINCONTROL.COM, which is property of GoDaddy according to https://godaddy.com/help/upgrade-to-premium-dns-411. I hope this clears things up.