dfn.de with DNSSEC and DFN-MailSupport published TLSA RR (was: Pilot phase for DNSSEC/DANE for DFN with dfnsec.de in August 2020)

Paul Menzel pmenzel+dane-users at molgen.mpg.de
Fri Sep 25 00:41:29 CEST 2020


Dear DANE users,


Am 01.07.20 um 13:16 schrieb Paul Menzel:

> Am 01.07.20 um 08:27 schrieb Viktor Dukhovni:
>>> On Jul 1, 2020, at 4:01 AM, Paul Menzel wrote:
>>>
>>> I would like to inform you, after several years of waiting, the Deutsche
>>> Forschungsnetz will finally offer a solution for using their mail
>>> support with DNSSEC/DANE [1]. For whatever reason, they do not want
>>> to fiddle/test with dfn.de, and, therefore, are going to introduce
>>> the new domain dfnsec.de first.
>>>
>>> The pilot phase is going to be from August 3rd to 31st, and they
>>> are introducing faulty entries on Tuesday and Thursday from 10:00
>>> to 14:00.
>>
>> I take this to mean that dfn.de is planning to have DNSSEC signed MX
>> hosts with TLSA RRs under a new dfnsec.de domain.  That's good news,
>> thanks!
> 
> Yes, it is meant as opt-in.

Good news. The pilot was successful, and after over four years, the DFN 
finally delivered.

Luckily, it looks like they were able to remove the internal doubts, and 
set up DNSSEC for dfn.de directly now and published the TLSA resource 
records [2].

>> In terms of candidate DNSSEC-signed domains currently using dfn.de MX
>> hosts, that could/should consider switching to dfnsec.de, I currently
>> find the following 33 in the DNSSEC/DANE survey dataset:
> 
> […]

All 33 domains now support DANE automatically. Yeah!

> A lot of the subdomains of mpg.de use the DFN-MailSupport separately, 
> and from those, to my knowledge, only us – molgen.mpg.de – have set up 
> DNSSEC. (The other few DNSSEC users do *not* use the DFN-MailSupport – 
> for example mpifr-bonn.mpg.de.)

As written, unfortunately, not all subdomains of mpg.de have DNSSEC set up.

My institute molgen.mpg.de and cpfs.mpg.de from Dresden do use DNSSEC, 
and therefore have DANE working now.

[…]


Kind regards,

Paul


[2]: https://www.mailsupport.dfn.de/news/aktivierung-der-tlsa-records


PS: Example:

>     $ /usr/sbin/posttls-finger -t30 -T180 -c -L verbose,summary -l dane-only -P /etc/ssl/certs/ molgen.mpg.de
>     posttls-finger: initializing the client-side TLS engine
>     posttls-finger: using DANE RR: _25._tcp.a1241.mx.srv.dfn.de IN TLSA 3 0 1 27:0E:C9:DD:08:18:AB:C8:1C:96:68:3F:11:16:D8:A5:EA:66:66:D3:64:29:FD:5D:83:D6:11:F6:87:26:C9:3A
>     posttls-finger: setting up TLS connection to a1241.mx.srv.dfn.de[194.95.232.62]:25
>     posttls-finger: a1241.mx.srv.dfn.de[194.95.232.62]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@strength:!aNULL"
>     posttls-finger: a1241.mx.srv.dfn.de[194.95.232.62]:25: depth=3 verify=1 subject=/C=DE/O=T-Systems Enterprise Services GmbH/OU=T-Systems Trust Center/CN=T-TeleSec GlobalRoot Class 2
>     posttls-finger: a1241.mx.srv.dfn.de[194.95.232.62]:25: depth=2 verify=1 subject=/C=DE/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V./OU=DFN-PKI/CN=DFN-Verein Certification Authority 2
>     posttls-finger: a1241.mx.srv.dfn.de[194.95.232.62]:25: depth=1 verify=1 subject=/C=DE/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V./OU=DFN-PKI/CN=DFN-Verein Global Issuing CA
>     posttls-finger: a1241.mx.srv.dfn.de[194.95.232.62]:25: depth=0 verify=1 subject=/C=DE/ST=Berlin/L=Berlin/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V./OU=Geschaeftsstelle/CN=*.mx.srv.dfn.de
>     posttls-finger: a1241.mx.srv.dfn.de[194.95.232.62]:25: depth=0 matched end entity certificate sha256 digest 27:0E:C9:DD:08:18:AB:C8:1C:96:68:3F:11:16:D8:A5:EA:66:66:D3:64:29:FD:5D:83:D6:11:F6:87:26:C9:3A
>     posttls-finger: a1241.mx.srv.dfn.de[194.95.232.62]:25: subject_CN=*.mx.srv.dfn.de, issuer_CN=DFN-Verein Global Issuing CA, fingerprint=25:2C:32:73:0D:01:13:53:F5:59:1D:1E:CA:E4:DA:8B:E0:94:75:56, pkey_fingerprint=D5:6E:6C:41:CC:28:0F:66:71:8C:76:D1:F1:5B:F9:7C:EB:13:8A:AB
>     posttls-finger: Verified TLS connection established to a1241.mx.srv.dfn.de[194.95.232.62]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256
> 
>     $ /usr/sbin/posttls-finger -t30 -T180 -c -L verbose,summary -l dane-only -P /etc/ssl/certs/ vw.molgen.mpg.de
>     posttls-finger: initializing the client-side TLS engine
>     posttls-finger: using DANE RR: _25._tcp.b1234.mx.srv.dfn.de IN TLSA 3 0 1 27:0E:C9:DD:08:18:AB:C8:1C:96:68:3F:11:16:D8:A5:EA:66:66:D3:64:29:FD:5D:83:D6:11:F6:87:26:C9:3A
>     posttls-finger: setting up TLS connection to b1234.mx.srv.dfn.de[194.95.234.102]:25
>     posttls-finger: b1234.mx.srv.dfn.de[194.95.234.102]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@strength:!aNULL"
>     posttls-finger: b1234.mx.srv.dfn.de[194.95.234.102]:25: depth=3 verify=1 subject=/C=DE/O=T-Systems Enterprise Services GmbH/OU=T-Systems Trust Center/CN=T-TeleSec GlobalRoot Class 2
>     posttls-finger: b1234.mx.srv.dfn.de[194.95.234.102]:25: depth=2 verify=1 subject=/C=DE/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V./OU=DFN-PKI/CN=DFN-Verein Certification Authority 2
>     posttls-finger: b1234.mx.srv.dfn.de[194.95.234.102]:25: depth=1 verify=1 subject=/C=DE/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V./OU=DFN-PKI/CN=DFN-Verein Global Issuing CA
>     posttls-finger: b1234.mx.srv.dfn.de[194.95.234.102]:25: depth=0 verify=1 subject=/C=DE/ST=Berlin/L=Berlin/O=Verein zur Foerderung eines Deutschen Forschungsnetzes e. V./OU=Geschaeftsstelle/CN=*.mx.srv.dfn.de
>     posttls-finger: b1234.mx.srv.dfn.de[194.95.234.102]:25: depth=0 matched end entity certificate sha256 digest 27:0E:C9:DD:08:18:AB:C8:1C:96:68:3F:11:16:D8:A5:EA:66:66:D3:64:29:FD:5D:83:D6:11:F6:87:26:C9:3A
>     posttls-finger: b1234.mx.srv.dfn.de[194.95.234.102]:25: subject_CN=*.mx.srv.dfn.de, issuer_CN=DFN-Verein Global Issuing CA, fingerprint=25:2C:32:73:0D:01:13:53:F5:59:1D:1E:CA:E4:DA:8B:E0:94:75:56, pkey_fingerprint=D5:6E:6C:41:CC:28:0F:66:71:8C:76:D1:F1:5B:F9:7C:EB:13:8A:AB
>     posttls-finger: Verified TLS connection established to b1234.mx.srv.dfn.de[194.95.234.102]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest SHA256
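The "TLSA 3 0 1 <digest>" records above, and the "matched end entity certificate sha256 digest" line posttls-finger prints, boil down to one comparison: SHA-256 over the DER of the server's end-entity certificate against the record's association data. The following is an added example (not code from the post, from DFN or from Postfix) that generates such a record in zone-file form and performs that match; it assumes a constructed byte string as a stand-in for a DER certificate, and only implements selector 0 (full certificate) with matching types 0, 1 and 2.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a DER-encoded end-entity certificate. Any byte
# string works here because selector 0 hashes the whole DER blob as-is.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def tlsa_owner_name(mx_host: str, port: int = 25) -> str:
    """Owner name under which an MX host's TLSA records are published,
    e.g. _25._tcp.a1241.mx.srv.dfn.de for the MX host in the post."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}"


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 0,
               mtype: int = 1) -> str:
    """Presentation-format RDATA ("3 0 1 <hex>") for a certificate.
    Selector 1 (SubjectPublicKeyInfo) would need DER parsing and is
    deliberately not implemented here."""
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is implemented")
    if mtype == 0:
        data = cert_der                          # Full: the DER itself
    elif mtype == 1:
        data = hashlib.sha256(cert_der).digest() # SHA2-256, as DFN publishes
    elif mtype == 2:
        data = hashlib.sha512(cert_der).digest() # SHA2-512
    else:
        raise ValueError(f"unknown matching type {mtype}")
    return f"{usage} {selector} {mtype} {data.hex().upper()}"


def tlsa_matches(rdata: str, cert_der: bytes) -> bool:
    """Check a DANE-EE(3) / full-cert(0) TLSA record against a certificate:
    the check behind posttls-finger's "matched end entity certificate"."""
    usage, selector, mtype, assoc = rdata.split(None, 3)
    if int(usage) != 3 or int(selector) != 0:
        raise ValueError("only usage 3 with selector 0 is handled here")
    # Accept zone-file hex as well as the colon-separated form posttls-finger prints.
    assoc = re.sub(r"[:\s]", "", assoc).lower()
    expected = tlsa_rdata(cert_der, 3, 0, int(mtype)).split(None, 3)[3].lower()
    return hmac.compare_digest(expected, assoc)


if __name__ == "__main__":
    rr = tlsa_rdata(SAMPLE_CERT_DER)
    print(f"{tlsa_owner_name('a1241.mx.srv.dfn.de')} IN TLSA {rr}")
    print("matches:", tlsa_matches(rr, SAMPLE_CERT_DER))
```

Usage 2 (DANE-TA) records are not covered: they match a CA certificate somewhere in the presented chain rather than the leaf, so the comparison has to be run over every chain element instead of the end-entity certificate alone.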
