create (or output) DANE records #230
This seems to be straightforward to do, but is also a pretty serious DoS possibility when combined with autorenewal (because the autorenewer doesn't have the ability to deploy new DANE records, the responsible party in the future might not know what DANE is even if the previous person who got the cert issued did, and the autorenewal might end up happening in a fully automated fashion without attracting human notice or intervention).
So I'm afraid that if we implement this feature, a lot of sites that use this feature will break upon renewal.
The renewal agent could probably detect whether there is a DANE record, and could also create new updated DANE records, but it doesn't clearly have a way of knowing whether there's a human being in the loop who will actually go out and deploy them!
Here are some ideas:
Maybe just have an option to call a script or generic API/protocol (which people can write a proxy for to their own solution) ?
How about starting that process 2 weeks before renewal to make it less interactive:
Then you have 2 weeks to complain (automated email?) that the DANE record isn't updated yet.
Or even better look at the DNS TTL to know how far in advance it needs to be updated.
Another option is:
DANE has the option to add the CA to DNS instead of the certificate:
Maybe it would be a good idea to integrate well with that instead.
You can even just use the top root CA certificate, it doesn't have to be a sub-CA.
You could also start off, on the first deployment, with just having the code to check DNS to see if it's DNSSEC signed and if DANE is used. Then fail to do the next steps before the operator has updated the DNS record.
Certbot now has plugins to automatically install DNS records for challenges. Updated TLSA records could be installed in the same way.
Support for generating TLSA records would also require a two-phase install process: (1) get a new certificate and generate new (candidate) TLSA records, (2) after the TLSA records have been up for at least 2 to 3 times their TTL, install the new certificate.
Why such complications? I use Letsencrypt and DANE for SMTP. certbot has an option to retain the old secret key like this:
All you have to do is to pin only the key part in DANE (not the entire X509 cert). Renewed certs will have the same pubkey and will match the DANE record too.
Disclaimer: I see no point in frequent key regeneration and short-lived certs. I don't see why a pubkey signed 5 minutes ago (probably because of IP address hijack via BGP) is more trustworthy than a pubkey established and known for long term.
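A worked example of the key-pinning approach described in the comment above, written for this thread and not part of Certbot or of any poster's own code: it derives a DANE-EE "3 1 1" TLSA record from a certificate's SubjectPublicKeyInfo and shows that a renewal which retains the key pair still matches the published record, while a rekey does not. The owner name, the throwaway self-signed certificates and the Ed25519 keys are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// tlsaSPKIRecord builds a DANE-EE(3) / SPKI(1) / SHA-256(1) TLSA record.
// Only the SubjectPublicKeyInfo is hashed, so a renewed certificate that
// reuses the same key pair still matches the published record.
func tlsaSPKIRecord(owner string, cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return fmt.Sprintf("%s IN TLSA 3 1 1 %s", owner, hex.EncodeToString(sum[:]))
}

// selfSigned stands in for the certificate a CA would issue at each renewal
// (constructed test data; a real deployment would load the CA-issued chain).
func selfSigned(pub ed25519.PublicKey, priv ed25519.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "mail.example.com"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above; parsing it cannot fail
	return cert
}

func main() {
	owner := "_25._tcp.mail.example.com."
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	published := tlsaSPKIRecord(owner, selfSigned(pub, priv, 1))
	fmt.Println(published)
	// A renewal that retains the key matches; after a rekey the new record
	// must be published and its TTL waited out before the certificate goes live.
	fmt.Println("reused key:", tlsaSPKIRecord(owner, selfSigned(pub, priv, 2)) == published)
	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("new key:", tlsaSPKIRecord(owner, selfSigned(pub2, priv2, 3)) == published)
}
```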
It's a lot easier to do DANE now that
But, if you still want to occasionally regenerate your keys, maybe once a year or so, you have to go in manually and roll over your Certbot key by running it once without
Right now, it's best to publish TA records with Let's Encrypt's current cert (& backup cert) as backups and manually do the EE record rollover occasionally. I'm working on a blog post to make this process clearer!
In the meantime, some avenues of exploration for even better DANE support: