Add TLSA support

Question

Add TLSA support

BartG95 opened this issue 3 years ago · comments

Feature request: update the tlsa record of each domain after successful renewal. This can be done with a deploy-hook.

Of course, the script should wait till the tlsa record is in place, and only then delete the old tlsa record and run other deploy-hooks.

More info:
[1]: https://www.transip.nl/knowledgebase/artikel/857-een-tlsa-record-instellen/
[2]: https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Named_Entities#TLSA_RR

Roy Bongers · Answer 1 · Thu Feb 18 2021 03:24:10 GMT+0800 (China Standard Time)

I'm not very familiar with the TLSA record. Webbrowser implementation seems lacking. What are good reasons to create this record? You have to help me out a little. How would you want to see this implemented? I can imagine a config option to toggle the creation / update of the TLSA record(s). Do you have a suggestion for default values for the certificate usage,
selector and matching type? Should they be configurable or can these be fixed?

Bart Groeneveld · Answer 2 · Sat Feb 20 2021 03:10:35 GMT+0800 (China Standard Time)

I am not sure if there are good reasons, for now. Support for it is indeed mostly lacking.

But I like the idea of verifying certificates via DNS, because it would make us less dependent on CA's.

As for the configuration: I suggest to create a third script, besides the pre and the post hook script. Users who want TLSA can then optionally run this third script as a deploy hook of certbot.
I suggest to add an option in the config file with an array of TLSA records a user wants by default. I think it will be a little difficult to configure this per domain, but I also think it is not very necessary to have this per domain.

Anyway, I don't think it is important. More something for the long term.
I do not intend to make the PR myself, for now.

Jan Bouwhuis · Answer 3 · Sat Sep 04 2021 20:12:14 GMT+0800 (China Standard Time)

I'm not very familiar with the TLSA record. Webbrowser implementation seems lacking. What are good reasons to create this record? You have to help me out a little. How would you want to see this implemented? I can imagine a config option to toggle the creation / update of the TLSA record(s). Do you have a suggestion for default values for the certificate usage,
selector and matching type? Should they be configurable or can these be fixed?

A TLSA record is requited to setup an SMTP server with STARTTLS and DANE support.
See: https://www.forumstandaardisatie.nl/open-standaarden/starttls-en-dane

Roy Bongers · Answer 4 · Thu Sep 16 2021 03:49:13 GMT+0800 (China Standard Time)

I just took another look at it. It would be nice if it could be implemented. For the config file, would a list of configurations for the TLSA records be sufficient? Do I understand it correctly that, first the new domain certificate must be generated and then I can use the contents of cert.pem to generate the TLSA record? Shouldn't be too hard I think.

[
    ...,
    'tlsa' => [
        [
           'port' => 443,
           'protocol' => 'tcp',
           'domain' => 'sub.example.org',
           'usage' => 1,
           'selector' => 2,
           'matching-type' => 3,
        ],
        [
            ...
        ],
    ]
];

Jan Bouwhuis · Answer 5 · Thu Sep 16 2021 04:11:40 GMT+0800 (China Standard Time)

It depends on the type of tlsa record you choose. For type 3 1 1 the tlsa record stays the same if the private key for signing is reused. For type 3 0 1 the whole cert is used.

Bart Groeneveld · Answer 6 · Sat Nov 12 2022 22:13:30 GMT+0800 (China Standard Time)

This probably needs support in certbot itself as well, because the 'live' keys must only get updated after the TLSA records are updated.

Bart Groeneveld · Answer 7 · Sat Nov 12 2022 22:19:54 GMT+0800 (China Standard Time)

Relevant issues in certbot:

Jan Bouwhuis · Answer 8 · Sun Nov 13 2022 05:55:24 GMT+0800 (China Standard Time)

This probably needs support in certbot itself as well, because the 'live' keys must only get updated after the TLSA records are updated.

The new keys must be published before deployment, then there should be some time to allow DNS to propagate the keys first. The old key can be removed when the new cert is deployed.

Bart Groeneveld · Answer 9 · Tue Sep 05 2023 03:49:18 GMT+0800 (China Standard Time)

I just took another look at it. It would be nice if it could be implemented. For the config file, would a list of configurations for the TLSA records be sufficient? Do I understand it correctly that, first the new domain certificate must be generated and then I can use the contents of cert.pem to generate the TLSA record? Shouldn't be too hard I think.
[
    ...,
    'tlsa' => [
        [
           'port' => 443,
           'protocol' => 'tcp',
           'domain' => 'sub.example.org',
           'usage' => 1,
           'selector' => 2,
           'matching-type' => 3,
        ],
        [
            ...
        ],
    ]
];

There is no need to add much configuration, I think. The TLSA record can be pushed to _dane.example.com. Then stuff like _433._tcp.example.com can be manually added as CNAME to _dane.example.com. (This is for example what soverin.net does.)

It prevents pushing and updating an identical TLSA record for every port/protocol combination. Also, enabling it for another port/protocol is most likely a manual action anyway.

Jan Bouwhuis · Answer 10 · Tue Sep 05 2023 12:45:50 GMT+0800 (China Standard Time)

A few thoughts:

In dunne cases, where the private key is not changing the TLSA record does not change either (3 0 1) and (2 0 1).
In all other cases the old record should not be deleted immediately, but not before a retention time of let's dat 72h.
Also a new TLSA record needs to be published 24h in advance to let DNS propagation take place, because we do not want a low TTL here.

Bart Groeneveld · Answer 11 · Sat Dec 30 2023 23:07:15 GMT+0800 (China Standard Time)

I wrote a script that implements this idea. See https://codeberg.org/bartavi/asselt.