Jump to content
Not connected, Your IP: 18.221.27.56
OpenSourcerer

Request for implementing DANE on AirVPN website

Recommended Posts

DANE (DNS-based Authentication of Named Entities) is one more attempt to replace the reliance of web browsers on Certificate Authorities. DANE leverages the downsides of security in TLS, allows to specify which CA is allowed to issue certificates for a certain resource and to certify the keys used in the domain's TLS servers by storing their fingerprints in the DNS record. For this the DNS record must be signed with DNSSEC.

 

I request

  • opinions and thoughts on the implementation of DANE for the AirVPN website.
  • the consideration of implementing this feature in the future.

AirVPN could be the first VPN service wordwide to offer this security feature (as far as my information is correct). Like Posteo who is the first mail provider in Germany who implemented it - and maybe worldwide.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

I usually don't push... but internet.nl now throws warnings if you let it test airvpn.org because DNSSEC/DANE is not supported.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Hello!

 

We enabled IPv6 on airvpn.org .

We enabled DNSSEC on airvpn.org.

 

Now https://en.internet.nl/domain/airvpn.org/results returns a 100% score.

 

Unfortunately, our registrar GoDaddy does not support TLSA record required by DANE protocol.

http://comments.gmane.org/gmane.ietf.dane/907

At the moment, we can't do anything, neither change GoDaddy.

We will try to request this feature to GoDaddy.

 

In the future, we will study about the option to add DNSSEC on airdns.org (DDNS domain linked to port-forwarding etc. which is on our authoritative DNS), but it seems a bit complex.

the consideration of implementing this feature in the future.

TLSA will be added for sure when GoDaddy supports it.

I usually don't push...

Please, push freely.

We always read all the topics/posts, but we might forget something if we have other priorities. Pushing doesn't cost nothing.

 

Kind regards

Share this post


Link to post

This can be fixed if you don't use Godaddy's free NS servers, and host the records elsewhere such as your own NS or services like Cloudflare.

 

Hello,

 

changing NS implies to become authoritative, requires stable DNS with fail-over and load-balancing, manual reconfiguration of all the domain stuff (like DNSSEC) etc. It may be done in the future, but currently DANE is unsupported by major browsers on client-side and unused by an overwhelming majority of persons even when some add-on for their browser is available.

Interesting stuff, but it does not justify the work of changing NS records at the moment, we're sorry.

 

Kind regards

Share this post


Link to post

I love you. Marry me. That's an order!

 

Pushing is restricted in most forums. It's annoying to see a post at the top of the first page over and over again just because no one can help the op. Sometimes I'm a digital prophet preaching at least good pushing manners: "wait a few days while you try things on your own; if your post fails to get an answer by anyone, push by naming all things you did after your last post".. It's less spammy and increases the probability the person solved it himself or captured new valuable information which will in the end be a trigger for someone to ask more questions or come up with a creative solution.

 

And yes, it's a pity GoDaddy doesn't support all the features. Really glad to read DNSSEC is enabled. As I said, I could kiss you.

 

(Sent via Tapatalk 4)


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

Hi,

 

could you turn your DNS servers into DNS recursive resolvers that have implemented DNSSEC validation?

 

Google DNS servers 8.8.8.8 do it so that the following page http://www.dnssec-failed.org/ which has a bogus DNSSEC does not load but with yours it loads.

 

thanks

 

 

 

Share this post


Link to post

and for people interested there is an extension available for Firefox https://www.dnssec-validator.cz/

 

Yes, there is.

 

Another DNSSEC Resolver Test points out your findings. This one also explains how to "activate" validation.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post

 

Now that airvpn.org is hosted by OVH is DANE possible?

 

Godaddy still doesn't support TLSA records.

OVH is just a frontend of the web server, the records are set at the DNS level, of the registrar in this case.

 

ahh.. there's a lot I don't understand about that stuff.

Share this post


Link to post

 

 

Now that airvpn.org is hosted by OVH is DANE possible?

 

Godaddy still doesn't support TLSA records.

OVH is just a frontend of the web server, the records are set at the DNS level, of the registrar in this case.

 

ahh.. there's a lot I don't understand about that stuff.

When you ping airvpn.org (get IP) and then whois  (check registrant data), yes you can whois IP's,  you get a reference to OVH. Meaning that the server hosting the frontend/website is hosted by OVH

How ever when you whois airvpn.org you get a record to nameserver PDNS03.DOMAINCONTROL.COM, which is property of GoDaddy according to https://godaddy.com/help/upgrade-to-premium-dns-411.

 

I hope this clears thing up


Helping mankind one line of code at a time.

Kind regards, Me

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...