Mihnea-Costin Grigore

Implementing DANE for RIPE NCC Websites

Mihnea-Costin Grigore
Contributors: Ivo Dijkhuis

4 min read

0 You have liked this article 0 times.
9

In September of this year, we activated DNS-based Authentication of Named Entities (DANE) for our main web services, including www.ripe.net, the LIR Portal, RIPE Atlas and RIPE Labs.


 

Because the RIPE NCC already used DNSSEC to sign the .ripe.net zone, this was an easy extra step to take to augment the security of our websites. Our main concerns in deploying DANE were with software support and potential incompatibility, as well as the added complexity and maintenance burden on certificate rollovers that occur periodically. The implementation went well, but we'll keep an eye on developments in this field to ensure everything continues to go smoothly.

Implementation

Using the excellent " hash-slinger " tools created by Paul Wouters from RedHat, it was easy to generate the TLSA record from the website certificate:

 $ tlsa --create --output rfc --usage 3 --certificate ripe.net.crt www.ripe.net
 _443._tcp.www.ripe.net. IN TLSA 3 0 1 6aef0c821fb98e13aa74bff193e9c3841403884d482a93acbc946157bb4a805c

N.B.: You may need to change the name field of the record and/or add a time-to-live field.

We then performed the changes in our zone and re-signed it. The result can be easily tested with dig:

 $ dig +dnssec +noall +answer +multi _443._tcp.www.ripe.net. TLSA @193.0.9.6
 _443._tcp.www.ripe.net.    300 IN TLSA 3 0 1 (
                 6AEF0C821FB98E13AA74BFF193E9C3841403884D482A
                 93ACBC946157BB4A805C )
 _443._tcp.www.ripe.net.    300 IN RRSIG TLSA 5 5 300 (
                 20151212100803 20151112090803 35970 ripe.net.
                 QhQG9QMjqaWUABCupsb0dPXf6uggf/rI8IeFkapR+RqE
                 dzDVp5C65nciVqUm7E0UCBpiS8OLNVLYyRomxHBDOSCH
                 sY9KxT2Du9uSB5Z6MBAgU7I3IG5FrvSh6/JKRm9H4vmN
                 v7XZaS7VvxT6F0E1hHZtDFpKtME1fUO+EJTrnaY= )

Validation tools

In order to validate the DANE records and actually make use of their added layer of authentication, there are a number of tools we can use. From the command-line, the aforementioned tlsa command also performs verification (however, note that it does not understand the wildcard notation in the hostname):

 $ tlsa --verify www.ripe.net
 WARNING: Name on the certificate (Subject: /C=NL/ST=Noord-Holland/L=Amsterdam/O=RIPE NCC/CN=*.ripe.net, SubjectAltName: DNS:*.ripe.net, DNS:ripe.net) doesn't match requested hostname (www.ripe.net).
 Caution: name on the cert does not match hostname
 SUCCESS (usage 3): The certificate offered by the server matches the TLSA record
 WARNING: Name on the certificate (Subject: /C=NL/ST=Noord-Holland/L=Amsterdam/O=RIPE NCC/CN=*.ripe.net, SubjectAltName: DNS:*.ripe.net, DNS:ripe.net) doesn't match requested hostname (www.ripe.net).
 Caution: name on the cert does not match hostname
 SUCCESS (usage 3): The certificate offered by the server matches the TLSA record

No browser supports DANE validation natively yet, but there is an add-on available for all major browsers: DNSSEC/TLSA Validator . During our testing the extension worked well, but it did increase browser instability when enabled (at least for Firefox). We hope that browser vendors will start supporting DANE validation by default and make it a standard feature as its use expands.

TLSA record DNSSEC/TLSA Validator in working in Firefox

Certificate rollover

In order to make sure that no validation errors would occur during certificate renewal and rollover, we have documented and applied the following system:

  1. The new SSL certificate is generated one month before the old SSL certificate expires.
  2. A new TLSA record for the new SSL certificate is added to the DNS zone file, keeping the old TLSA record as well.
  3. During the following months, either certificate will be considered valid by the browser.
  4. We perform the rollover and replace old SSL certificates.
  5. A week after the old SSL certificates have been replaced, the old TLSA records are removed from the DNS zone file.

Going forward

DANE is a new technology and many details still have to be worked out. We will keep track of developments in the field and update our set-up as improvements are implemented. Are you deploying DANE for your websites? Do you have any tips or suggestions for improvement? Please leave a comment and let us know!

0 You have liked this article 0 times.
9

You may also like

View more

About the author

Mihnea-Costin Grigore Based in Amsterdam, Netherlands

Mihnea-Costin Grigore is an IT and cybersecurity expert, with extensive experience in areas of software development, networking and project management. He previously held the role of Web Services Team Leader at the RIPE Network Coordination Centre (RIPE NCC), being responsible for the smooth running of the Web Services team, constantly improving the web presence of the RIPE NCC and providing support to the RIPE community.

Comments 9