OpenSourcerer

Request for implementing DANE on AirVPN website


DANE (DNS-based Authentication of Named Entities) is one more attempt to replace the reliance of web browsers on Certificate Authorities. DANE leverages the downsides of security in TLS: it allows specifying which CA is allowed to issue certificates for a certain resource, and certifying the keys used in the domain's TLS servers by storing their fingerprints in the DNS record. For this the DNS record must be signed with DNSSEC.

I request

  • opinions and thoughts on the implementation of DANE for the AirVPN website.
  • the consideration of implementing this feature in the future.

AirVPN could be the first VPN service worldwide to offer this security feature (as far as my information is correct). Like Posteo, which is the first mail provider in Germany to have implemented it - and maybe worldwide.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

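The opening post describes the mechanism in one sentence: a fingerprint of the server's certificate (or just its public key) is published in DNS, signed with DNSSEC, and the client compares it against what the TLS server presents. The snippet below is an added example, not code from this thread or from AirVPN, showing the pieces in pure Python: building the TLSA record a zone operator would publish under `_443._tcp.<host>`, parsing the zone-file form, and performing the client-side match (RFC 6698 usage/selector/matching-type values). The certificate and key bytes are constructed placeholders; a real deployment would hash the DER certificate or its SubjectPublicKeyInfo.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# DANE/TLSA helper, added as an example (not part of the thread).
# RFC 6698 certificate usage values.
USAGE_PKIX_TA = 0   # CA constraint: chain must contain this CA AND pass PKIX validation
USAGE_PKIX_EE = 1   # service cert constraint AND PKIX validation
USAGE_DANE_TA = 2   # trust anchor assertion: trust this CA regardless of the browser store
USAGE_DANE_EE = 3   # domain-issued certificate: match the end-entity cert directly

SELECTOR_FULL_CERT = 0   # compare the whole DER certificate
SELECTOR_SPKI = 1        # compare only the SubjectPublicKeyInfo (survives cert reissue)

MATCH_EXACT = 0    # association data is the full object
MATCH_SHA256 = 1   # association data is SHA-256 of the object
MATCH_SHA512 = 2   # association data is SHA-512 of the object


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    association_data: bytes

    def presentation(self) -> str:
        """Zone-file form: '<usage> <selector> <matching type> <hex data>'."""
        return f"{self.usage} {self.selector} {self.matching_type} {self.association_data.hex()}"


def tlsa_owner_name(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Owner name a DANE client queries, e.g. _443._tcp.airvpn.org."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def _digest(data: bytes, matching_type: int) -> bytes:
    if matching_type == MATCH_EXACT:
        return data
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(data).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def build_tlsa(cert_der: bytes, spki_der: bytes | None = None,
               usage: int = USAGE_DANE_EE, selector: int = SELECTOR_FULL_CERT,
               matching_type: int = MATCH_SHA256) -> TLSARecord:
    """Build the record a zone operator publishes for a given certificate."""
    if selector == SELECTOR_FULL_CERT:
        subject = cert_der
    elif selector == SELECTOR_SPKI:
        if spki_der is None:
            raise ValueError("selector 1 needs the SubjectPublicKeyInfo bytes")
        subject = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    return TLSARecord(usage, selector, matching_type, _digest(subject, matching_type))


def parse_tlsa(text: str) -> TLSARecord:
    """Parse presentation format; the hex may be split into groups as dig prints it."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("TLSA record needs usage, selector, matching type and data")
    usage, selector, matching_type = (int(f) for f in fields[:3])
    if not (0 <= usage <= 3 and 0 <= selector <= 1 and 0 <= matching_type <= 2):
        raise ValueError("TLSA field out of range")
    return TLSARecord(usage, selector, matching_type, bytes.fromhex("".join(fields[3:])))


def matches(record: TLSARecord, cert_der: bytes, spki_der: bytes | None = None,
            dnssec_validated: bool = True) -> bool:
    """Client-side match step. Usages 0 and 1 additionally require normal PKIX
    validation, and usages 0 and 2 are compared against CA certs in the chain;
    only the fingerprint comparison is shown here."""
    if not dnssec_validated:
        return False  # an unsigned TLSA answer must be treated as no record at all
    subject = cert_der if record.selector == SELECTOR_FULL_CERT else spki_der
    if subject is None:
        return False
    expected = _digest(subject, record.matching_type)
    return hmac.compare_digest(expected, record.association_data)


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for a DER certificate.
    rec = build_tlsa(b"abc")
    print(tlsa_owner_name("airvpn.org"), "IN TLSA", rec.presentation())
```

The `matches()` call with `dnssec_validated=False` is the point the thread keeps returning to: without a validated signature on the TLSA answer, the record proves nothing, which is why DNSSEC had to come before DANE. Publishing a `3 1 1` record (usage 3, SPKI selector) is the common choice because it keeps matching when the certificate is renewed with the same key.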

I usually don't push... but internet.nl now throws warnings if you let it test airvpn.org because DNSSEC/DANE is not supported.



Hello!

We enabled IPv6 on airvpn.org.

We enabled DNSSEC on airvpn.org.

Now https://en.internet.nl/domain/airvpn.org/results returns a 100% score.

Unfortunately, our registrar GoDaddy does not support the TLSA record required by the DANE protocol.

http://comments.gmane.org/gmane.ietf.dane/907

At the moment we can't do anything, nor change GoDaddy.

We will try to request this feature from GoDaddy.

In the future, we will study the option of adding DNSSEC on airdns.org (the DDNS domain linked to port forwarding etc., which is on our authoritative DNS), but it seems a bit complex.

  On 5/16/2014 at 2:47 PM, giganerd said:

the consideration of implementing this feature in the future.

TLSA will be added for sure when GoDaddy supports it.
  On 4/21/2015 at 7:14 PM, giganerd said:

I usually don't push...

Please, push freely.

We always read all the topics/posts, but we might forget something if we have other priorities. Pushing doesn't cost anything.

Kind regards

  On 4/22/2015 at 10:57 PM, zhang888 said:

This can be fixed if you don't use GoDaddy's free NS servers, and host the records elsewhere such as your own NS or services like Cloudflare.

Hello,

changing NS means becoming authoritative, and requires stable DNS with fail-over and load balancing, manual reconfiguration of all the domain settings (like DNSSEC), etc. It may be done in the future, but currently DANE is unsupported by major browsers on the client side and unused by an overwhelming majority of people, even when an add-on for their browser is available.

Interesting stuff, but it does not justify the work of changing NS records at the moment, we're sorry.

Kind regards


I love you. Marry me. That's an order!

Pushing is restricted in most forums. It's annoying to see a post at the top of the first page over and over again just because no one can help the OP. Sometimes I'm a digital prophet preaching at least good pushing manners: "wait a few days while you try things on your own; if your post fails to get an answer from anyone, push by naming all the things you did after your last post". It's less spammy and increases the probability that the person solved it himself or captured new valuable information, which will in the end be a trigger for someone to ask more questions or come up with a creative solution.

And yes, it's a pity GoDaddy doesn't support all the features. Really glad to read DNSSEC is enabled. As I said, I could kiss you.

(Sent via Tapatalk 4)


  On 4/23/2015 at 10:53 AM, In*the*AIR said:

and for people interested there is an extension available for Firefox https://www.dnssec-validator.cz/

Yes, there is.

Another DNSSEC Resolver Test points out your findings. This one also explains how to "activate" validation.


  On 6/4/2016 at 7:28 PM, go558a83nk said:

Now that airvpn.org is hosted by OVH is DANE possible?

GoDaddy still doesn't support TLSA records.

OVH is just a frontend of the web server; the records are set at the DNS level, of the registrar in this case.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

  On 6/4/2016 at 7:37 PM, zhang888 said:

  On 6/4/2016 at 7:28 PM, go558a83nk said:

Now that airvpn.org is hosted by OVH is DANE possible?

GoDaddy still doesn't support TLSA records.

OVH is just a frontend of the web server; the records are set at the DNS level, of the registrar in this case.

Ahh... there's a lot I don't understand about that stuff.

  On 6/4/2016 at 7:47 PM, go558a83nk said:

  On 6/4/2016 at 7:37 PM, zhang888 said:

  On 6/4/2016 at 7:28 PM, go558a83nk said:

Now that airvpn.org is hosted by OVH is DANE possible?

GoDaddy still doesn't support TLSA records.

OVH is just a frontend of the web server; the records are set at the DNS level, of the registrar in this case.

Ahh... there's a lot I don't understand about that stuff.

When you ping airvpn.org (to get the IP) and then whois it (to check registrant data; yes, you can whois IPs), you get a reference to OVH, meaning that the server hosting the frontend/website is hosted by OVH.

However, when you whois airvpn.org you get a record for the nameserver PDNS03.DOMAINCONTROL.COM, which is property of GoDaddy according to https://godaddy.com/help/upgrade-to-premium-dns-411.

I hope this clears things up.


Helping mankind one line of code at a time.

Kind regards, Me
