Opened 3 years ago
Last modified 3 years ago
#16896 new bug
sign zone for haiku-os.org with DNSSEC
| Reported by: | nephele | Owned by: | haiku-web |
|---|---|---|---|
| Priority: | normal | Milestone: | Unscheduled |
| Component: | Sys-Admin | Version: | |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: | ||
| Platform: | All |
Description
Without this DKIM and DANE cant be used for the haiku mail server (for discuss and trac)
I expect that servers rejecting mail because of missing DANE and DKIM eill become more common, according to the forums some providers reject our mail already.
Change History (3)
comment:1 by , 3 years ago
comment:2 by , 3 years ago
As far as I am aware DKIM without DNSSEC doesn't work, since there is no trusted way the public key can de gotten.
DANE is basically either a hash of the TLS certificate or a certificate anchor in a TLSA record to verify against, this is for TLS certificate verification. Many mail servers fo not even have a ca root certs bundle as a potential alternative, so either do DANE or no validation.
my mail server ( packageloss.eu ) has DANE setup, you can use e.g https://internet.nl as a "gui" way to check what standards servers support, though it is somewhat picky. (e.g asking for SPF while it is pretty useless if one already has crytographic integrity etc.) (internet.nl also still fails to validate the existance of our DKIM Record)
For a proper test you can use drill from nlnet, but we dont have it ported as far as i know.
iirc for DANE: drill TLSA _smtp._25.packageloss.eu or maybe port and protocol is the other way atound, can't tes currently. TLSA is the record type for DANE.
comment:3 by , 3 years ago
This isn't 100% true. DKIM as configured today is more then enough for most mail servers. DNSSEC validation on top of DKIM is definitely a thing that opendkim does, but it isn't a hard requirement.
It doesn't look like haiku-os.org has DKIM set up either, is this a regression? https://internet.nl/mail/haiku-os.org/572649/
DANE should be quite easy to set up, I could probaböly do it, but I don't know how the mail server currently gets it's TLS cert.
This isn't 100% true. DKIM as configured today is more then enough for most mail servers. DNSSEC validation on top of DKIM is definitely a thing that opendkim does, but it isn't a hard requirement.
*however* we should setup dnssec in general.. so valid point on it needing to be done. I need to do some research into DANE, never really seen it implemented.
This should be solved as of a week or so ago. Somewhere along the way our DKIM public key in DNS got out of sync with out private keys on our mail relay for discuss.haiku-os.org. It was corrected.