Opened 4 years ago

Last modified 3 years ago

#16896 new bug

sign zone for haiku-os.org with DNSSEC

Reported by: nephele Owned by: haiku-web
Priority: normal Milestone: Unscheduled
Component: Sys-Admin Version:
Keywords: Cc:
Blocked By: Blocking:
Platform: All

Description

Without this, DKIM and DANE can't be used for the haiku mail server (for discuss and trac)

I expect that servers rejecting mail because of missing DANE and DKIM will become more common; according to the forums some providers reject our mail already.

Change History (3)

comment:1 by kallisti5, 4 years ago

> Without this, DKIM and DANE can't be used for the haiku mail server (for discuss and trac)

This isn't 100% true. DKIM as configured today is more than enough for most mail servers. DNSSEC validation on top of DKIM is definitely a thing that opendkim does, but it isn't a hard requirement.

*however* we should set up dnssec in general.. so valid point on it needing to be done. I need to do some research into DANE, never really seen it implemented.

> according to the forums some providers reject our mail already.

This should be solved as of a week or so ago. Somewhere along the way our DKIM public key in DNS got out of sync with our private keys on our mail relay for discuss.haiku-os.org. It was corrected.

comment:2 by nephele, 4 years ago

As far as I am aware DKIM without DNSSEC doesn't work, since there is no trusted way the public key can be obtained.

DANE is basically either a hash of the TLS certificate or a certificate anchor in a TLSA record to verify against; this is for TLS certificate verification. Many mail servers do not even have a CA root cert bundle as a potential alternative, so either do DANE or no validation.

my mail server ( packageloss.eu ) has DANE set up, you can use e.g. https://internet.nl as a "gui" way to check what standards servers support, though it is somewhat picky. (e.g. asking for SPF while it is pretty useless if one already has cryptographic integrity etc.) (internet.nl also still fails to validate the existence of our DKIM record)
For a proper test you can use drill from nlnet, but we don't have it ported as far as I know.

iirc for DANE: drill TLSA _smtp._25.packageloss.eu, or maybe port and protocol are the other way around, can't test currently. TLSA is the record type for DANE.

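As an added example (not part of this ticket, and not Haiku's sysadmin code), here is how the TLSA record discussed in the comment above is formed and checked, in Python with only the standard library. The owner name is `_port._proto.host` (RFC 6698), so for SMTP it is `_25._tcp.<host the MX points to>`, and the usual choice for mail is `3 1 1` (DANE-EE, SubjectPublicKeyInfo, SHA-256), which keeps working across CA changes and reissues that keep the same key. The host name `mail.packageloss.eu` is assumed for illustration (the ticket only names packageloss.eu), and the certificate is a constructed toy DER structure, not a real one; the SPKI extraction is a minimal DER walker, not a full X.509 parser.

```python
# Added example (not from the ticket or Haiku's infrastructure): building and
# checking DANE-EE TLSA records for an SMTP host, standard library only.
import hashlib
import hmac


def tlsa_owner_name(mx_host: str, port: int = 25, proto: str = "tcp") -> str:
    """Owner name per RFC 6698: _port._proto.<host the MX record points to>."""
    return f"_{port}._{proto}.{mx_host.rstrip('.')}."


# --- just enough DER to get the SubjectPublicKeyInfo out of a certificate ---
def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag/length/value (bodies up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, body, position after this TLV) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + n], start + n


def der_children(tlv: bytes) -> list:
    """Split a constructed TLV (SEQUENCE) into its complete child TLVs."""
    _, body, _ = der_read(tlv)
    out, pos = [], 0
    while pos < len(body):
        _, _, nxt = der_read(body, pos)
        out.append(body[pos:nxt])
        pos = nxt
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo (RFC 5280 order:
    [0] version (optional), serial, signature, issuer, validity, subject, SPKI)."""
    fields = der_children(der_children(cert_der)[0])
    if fields[0][0] == 0xA0:  # explicit [0] version tag present
        fields = fields[1:]
    return fields[5]


def tlsa_data(cert_der: bytes, selector: int, mtype: int) -> str:
    """Association data as hex. selector 0 = full cert, 1 = SPKI;
    matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    obj = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return obj.hex()
    if mtype == 1:
        return hashlib.sha256(obj).hexdigest()
    if mtype == 2:
        return hashlib.sha512(obj).hexdigest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_record(mx_host: str, cert_der: bytes, usage=3, selector=1, mtype=1) -> str:
    """Zone-file line for the record (default 3 1 1)."""
    return (f"{tlsa_owner_name(mx_host)} IN TLSA {usage} {selector} {mtype} "
            f"{tlsa_data(cert_der, selector, mtype)}")


def parse_tlsa_rr(line: str):
    """Parse one presentation-format TLSA line as drill/dig print it. dig may
    split the hex data over several tokens, so everything after the type is joined."""
    toks = line.split()
    i = toks.index("TLSA")
    return int(toks[i + 1]), int(toks[i + 2]), int(toks[i + 3]), "".join(toks[i + 4:]).lower()


def tlsa_matches(rr, cert_der: bytes) -> bool:
    """Does the server's end-entity certificate satisfy this record? Only DANE-EE
    (usage 3) is handled; usage 2 would need a walk of the presented chain."""
    usage, selector, mtype, data = rr
    if usage != 3:
        raise NotImplementedError("only usage 3 (DANE-EE) handled in this example")
    return hmac.compare_digest(tlsa_data(cert_der, selector, mtype), data)


def toy_certificate() -> bytes:
    """A structurally valid DER Certificate constructed for this example; the key
    bits and signature are placeholders, it is not a real certificate."""
    rsa_oid = der_tlv(0x06, bytes.fromhex("2A864886F70D010101"))
    sha256_rsa_oid = der_tlv(0x06, bytes.fromhex("2A864886F70D01010B"))
    null = der_tlv(0x05, b"")
    spki = der_tlv(0x30, der_tlv(0x30, rsa_oid + null) + der_tlv(0x03, b"\x00" + b"\x01" * 32))
    tbs = der_tlv(0x30,
                  der_tlv(0xA0, der_tlv(0x02, b"\x02"))                # [0] version v3
                  + der_tlv(0x02, b"\x01")                             # serialNumber
                  + der_tlv(0x30, sha256_rsa_oid + null)               # signature algorithm
                  + der_tlv(0x30, b"")                                 # issuer (empty Name)
                  + der_tlv(0x30, der_tlv(0x17, b"230101000000Z")
                            + der_tlv(0x17, b"240101000000Z"))         # validity
                  + der_tlv(0x30, b"")                                 # subject
                  + spki)
    return der_tlv(0x30, tbs + der_tlv(0x30, sha256_rsa_oid + null) + der_tlv(0x03, b"\x00" * 9))


if __name__ == "__main__":
    cert = toy_certificate()
    line = tlsa_record("mail.packageloss.eu", cert)  # assumed MX host name
    print(line)
    print("matches:", tlsa_matches(parse_tlsa_rr(line), cert))
```

For a real host, feed the DER certificate the server presents in the STARTTLS handshake into `tlsa_matches` together with each TLSA record returned for `_25._tcp.<mx-host>`; any one match is enough. Two operational caveats: the records are only worth anything if the zone is DNSSEC-signed (an unsigned TLSA answer is ignored by validating senders), and when the certificate is rotated the new record must be published before the old one expires from caches, or the hash mismatch will cause exactly the rejections the ticket is about.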

comment:3 by nephele, 3 years ago

> This isn't 100% true. DKIM as configured today is more than enough for most mail servers. DNSSEC validation on top of DKIM is definitely a thing that opendkim does, but it isn't a hard requirement.

It doesn't look like haiku-os.org has DKIM set up either, is this a regression? https://internet.nl/mail/haiku-os.org/572649/

DANE should be quite easy to set up, I could probably do it, but I don't know how the mail server currently gets its TLS cert.
