cryptdomainmgr - automating cert, tlsa, dkim and many more · basics ssl certificate tlsa caa dnssec...
TRANSCRIPT
EH19
cryptdomainmgr: automating Cert, TLSA, DKIM and many more
Stefan Helmert
https://www.entroserv.de/de/offene-software/cryptdomainmgr
20.04.2019
Content
- Motivation: fine, not so fine
- Basics: SSL Certificate, TLSA, CAA, DNSSEC, DANE – all steps, MX, SPF, DKIM, additional DNS records, DKIM – overview
- Cryptdomainmgr: dataflow, autorenew process, structure
- Usage: update cycle, DNS credential, Certificates, DKIM, Domain
- Implementation: cryptdomainmgr, modules, simpleloggerplus, dnsuptools
- Discussion
Motivation
→ let’s make a web app ←
- DNS
- Webpage
- E-Mail
- Mailinglist
- and the s for security
DeMotivation
→ let’s make a web app ←
- DNS: SOA, DNSSEC
- Webpage: HTTPS, Certificate, HSTS, SRV, TLSA
- E-Mail: Spam, DKIM, SPF, ADSP, DMARC, SRV
- Mailinglist: SRS, ARC
DeMotivation: fine
DeMotivation: not so fine
Basics: SSL Certificate
- authentication (phishing)
- integrity (man in the middle)
- privacy (spy)
→ certbot renew
Basics: TLSA
DANE – DNS-based Authentication of Named Entities
TLSA – Transport Layer Security Authentication
- locks certificate to domain/DNS (fraudulent CA, stolen cert)
→ to do
Basics: CAA
Figure: www.example with a CAA record allowing Let‘s Encrypt only
CAA – Certification Authority Authorization
- specifies allowed CA
- checked by CA
Basics: DNSSEC
DNSSEC – Domain Name System Security Extensions
- authenticate domain owner
- integrity (DNS cache poisoning)
- proof of nonexistence
→ done by domain provider
Basics: DANE – all steps
Figure (flow between DNS, CA, web server and client):
- DNS: CAA record = Let‘s Encrypt
- CA (Let‘s Encrypt): checks CAA == “Let‘s Encrypt“ ?, issues new cert
- Server (web server): new cert → TLSA record generation → TLSA record in DNS; webpage served via HTTPS
- Client: TLSA == Cert ? and DNSSEC OK ?
Basics: MX
MX – Mail eXchange
- abstraction: email domain, email server domain
- multiple email servers
Basics: SPF
MX backwards
- faked sender?

Basics: SPF
SPF – Sender Policy Framework
- MX allowed to send
- no one else allowed
Basics: DKIM
DKIM – DomainKeys Identified Mail
- authenticate MTA (fake/spam server)
- integrity (man in the middle)
→ to do
Basics: additional DNS records
SPF – Sender Policy Framework
- which server is allowed to send email
ADSP – Author Domain Signing Practices
- defines if email must be DKIM signed
DMARC – Domain-based Message Authentication, Reporting and Conformance
- successor of SPF and ADSP
- overrides SPF and ADSP
- additional parameters: report email
SRV – Service
- announces services
Basics: DKIM – overview
Figure (DKIM mail flow):
- DNS: holds the DKIM key record
- sending mail server: mail client (MUA, Thunderbird) → MTA (Postfix) → signer (rspamd) signs with the key
- receiving mail server: MTA (Postfix) → checker (rspamd), signature == key ? (key fetched from DNS) → MDA (Dovecot) → mail client (MUA, Thunderbird)
- DMARC activates the check at the receiving MTA
Cryptdomainmgr: dataflow
Infrastructure as Code!
Figure: Configuration → Cryptdomainmgr → DNS-Server (update records), Web-/Mailserver (cert, DKIM), CA (certificate)
Cryptdomainmgr: autorenew process
- prepare
  - generate certificate
  - calculate TLSA from certificate
  - add TLSA RR
  - generate key pair for DKIM
  - calculate DKIM
  - add DKIM RR
- rollover
  - use new certificate
  - use new DKIM key
- cleanup
  - remove old TLSA RR
  - remove old DKIM RR
  - delete old certificates
  - delete old DKIM keys
Cryptdomainmgr: structure
cryptdomainmgr/
  __main__.py
  __init__.py
  modules/
    ...
  cdmcore.py
  cdmstatehandler.py
  cdmconfighandler.py

Cryptdomainmgr: structure
cryptdomainmgr/
  ...
  modules/
    common/
    cdm/
    cert/
    dkim/
    domain/
    service/
    dhparam/

Cryptdomainmgr: structure
cryptdomainmgr/
  ...
  modules/
    ...
    domain/
      __init__.py
      main.py
      confighandler.py
      handlerdnsuptools.py
Usage
www.entroserv.de/de/offene-software/cryptdomainmgr
Usage: update cycle
update – set static entries: a, aaaa, srv, dmarc, spf, adsp
$ python -m cryptdomainmgr --update cred.cnf exmpl.cnf
prepare, rollover, cleanup cycle – renew cryptographic material: certificate, TLSA, DKIM
$ python -m cryptdomainmgr cred.cnf exmpl.cnf
explicit cycle
$ python -m cryptdomainmgr --prepare cred.cnf exmpl.cnf
$ python -m cryptdomainmgr --rollover cred.cnf exmpl.cnf
$ python -m cryptdomainmgr --cleanup cred.cnf exmpl.cnf
Usage: DNS credential
$ cat cred.cnf
[domain]
user = myusername
passwd = mypassword
Usage: Certificates
$ cat exmpl.cnf
[cert]
handler = dehydrated
email = [email protected]
keysize = 4096
[cert:maincert]
destination = /etc/ssl
extraflags = --staging, -x
certname = fullchain.pem
- multiple domains using maincert → SAN certificate
Usage: DKIM
$ cat exmpl.cnf
[dkim]
handler = rspamd
[dkim:maindkim]
signingConfTemplateFile = /etc/cryptdomainmgr/dkim_signing_template.conf
signingConfDestinationFile = /etc/rspamd/local.d/dkim_signing.conf
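As an added example (my own code, not cryptdomainmgr's or the dkimrecgen.py of dnsuptools), the two artefacts the DKIM handler above has to produce from a freshly generated key pair: the TXT record that "add DKIM RR" publishes under the selector, split into the 255-character strings DNS requires for long RSA keys, and a signing configuration rendered from a template into the destination file. The PEM body below is a constructed placeholder (valid base64, not a real key), and the template text is an assumption in the style of an rspamd dkim_signing.conf, not the project's template file.

```python
"""Added example (mine, not cryptdomainmgr's or dnsuptools' dkimrecgen.py): DKIM TXT
record from a PEM public key, chunked for DNS, plus a rendered signing config.
The PEM body is a constructed placeholder; the template is an assumption."""
import base64
import re
import textwrap
from string import Template

# constructed stand-in for the public key file (valid base64, not a real SubjectPublicKeyInfo)
_B64 = base64.b64encode(b"constructed placeholder, not a real RSA SubjectPublicKeyInfo " * 6).decode()
PUBKEY_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + "\n".join(textwrap.wrap(_B64, 64))
              + "\n-----END PUBLIC KEY-----\n")


def pem_body(pem):
    """Extract the base64 payload of a PEM PUBLIC KEY block and check that it decodes."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("no PEM PUBLIC KEY block found")
    b64 = "".join(m.group(1).split())
    base64.b64decode(b64, validate=True)   # raises on corrupted key material
    return b64


def dkim_txt(pem, hash_algs=("sha256",), testing=False):
    """TXT value for <selector>._domainkey.<domain>, tags per RFC 6376 section 3.6.1."""
    tags = ["v=DKIM1", "k=rsa", "h=" + ":".join(hash_algs)]
    if testing:
        tags.append("t=y")    # verifiers must treat signed mail like unsigned mail while testing
    tags.append("p=" + pem_body(pem))
    return "; ".join(tags)


def txt_chunks(value, limit=255):
    """One TXT character-string holds at most 255 bytes; long keys become several strings."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def record_name(selector, domain):
    """Owner name of the DKIM record: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


# hypothetical template; a real deployment keeps its own file at signingConfTemplateFile
SIGNING_TEMPLATE = Template(
    "domain {\n"
    "  ${domain} {\n"
    "    path = \"${keyfile}\";\n"
    "    selector = \"${selector}\";\n"
    "  }\n"
    "}\n")


def render_signing_conf(domain, selector, keyfile):
    """What the DKIM handler would write to signingConfDestinationFile at rollover."""
    return SIGNING_TEMPLATE.substitute(domain=domain, selector=selector, keyfile=keyfile)


if __name__ == "__main__":
    txt = dkim_txt(PUBKEY_PEM)
    print(record_name("cdm2019", "domain.example"), "IN TXT")
    for chunk in txt_chunks(txt):
        print(f'  "{chunk}"')
    print(render_signing_conf("domain.example", "cdm2019", "/var/lib/rspamd/dkim/cdm2019.key"))
```

The selector is the rollover handle: publishing the new key under a new selector while the old one is still in DNS is what lets the prepare cycle above add the record before the rollover cycle switches the signer to it, and the cleanup cycle then removes only the old selector's record.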
Usage: Domain
$ cat exmpl.cnf
[domain]
user = myusername
handler = dnsuptools/inwx
[domain:domain.example]
soa.hostmaster = [email protected]
soa.refresh = 7200
[domain:sub.domain.example]
ip4 = auto, 192.168.0.1
ip6+ = auto, 0ffc::0030
mx = mail20.domain.example:20, mail30.domain.example:30
mx.40 = mail40.domain.example, mail50.domain.example:50
mx.10+ = mail10.domain.example
Usage: Domain
set A record
$ cat exmpl.cnf
[domain:sub.domain.example]
ip4 = auto, 192.168.0.1
means:
- add external IP and 192.168.0.1 to sub.domain.example
- delete all other A records of sub.domain.example
Usage: Domain
add A record
$ cat exmpl.cnf
[domain:sub.domain.example]
ip4+ = auto, 192.168.0.1
means:
- add external IP and 192.168.0.1 to sub.domain.example
- delete all other A records of sub.domain.example
Usage: Domain
set MX record
$ cat exmpl.cnf
[domain:sub.domain.example]
mx = mail20.domain.example:20, mail30.domain.example:30
means:
- add MX records
  - mail20.domain.example with prio 20
  - mail30.domain.example with prio 30
- delete all other MX records from sub.domain.example
Usage: Domain
set MX record
$ cat exmpl.cnf
[domain:sub.domain.example]
mx.40 = mail40.domain.example, mail50.domain.example:50
means:
- add MX records
  - mail40.domain.example with prio 40
  - mail50.domain.example with prio 50
- delete all other MX records with prio 40 from sub.domain.example
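The A and MX slides above describe a declarative rule per config key: a key without a suffix replaces the whole scope it names, a priority suffix narrows that scope to one MX priority, and a trailing `+` adds without deleting. As an added example (my own code, not cryptdomainmgr's or dnsuptools'), here is that rule turned into an add/delete plan against a constructed zone, which is the kind of diff a DNS update tool computes before touching the provider API. Assumptions: `+` is add-only (the slide title says "add A record"), `auto` is the external IP supplied by the caller, and the current zone content is made up.

```python
"""Added example (mine, not cryptdomainmgr's or dnsuptools' code): set/add semantics of the
ip4, ip4+, mx, mx.<prio> and mx.<prio>+ config keys as an add/delete plan. The '+' meaning,
the 'auto' handling and the zone content are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str      # "A" or "MX"
    value: str      # IPv4 address or mail host
    prio: int = 0   # MX priority; unused for A


# constructed current zone content, as if queried from the provider
ZONE = [
    RR("sub.domain.example", "A", "10.0.0.5"),
    RR("sub.domain.example", "A", "192.168.0.1"),
    RR("sub.domain.example", "MX", "old.domain.example", 20),
    RR("sub.domain.example", "MX", "mail40.domain.example", 40),
    RR("sub.domain.example", "MX", "mail45.domain.example", 40),
]


def parse_key(key):
    """'mx.40+' -> ('mx', 40, True); 'ip4' -> ('ip4', None, False)."""
    additive = key.endswith("+")
    base, _, scope = key.rstrip("+").partition(".")
    return base, (int(scope) if scope else None), additive


def parse_values(base, scope, raw, external_ip):
    """Turn the comma list right of '=' into (rtype, value, prio) tuples."""
    out = []
    for item in (v.strip() for v in raw.split(",")):
        if base == "ip4":
            out.append(("A", external_ip if item == "auto" else item, 0))
        elif base == "mx":
            host, _, prio = item.partition(":")
            if prio:
                out.append(("MX", host, int(prio)))
            elif scope is not None:
                out.append(("MX", host, scope))    # prio taken from the key, e.g. mx.40
            else:
                raise ValueError(f"MX {host!r} has no priority")
        else:
            raise ValueError(f"unsupported key {base!r}")
    return out


def plan(name, key, raw, current, external_ip):
    """Return (to_add, to_delete) for one config line applied to `current`."""
    base, scope, additive = parse_key(key)
    rtype = "A" if base == "ip4" else "MX"
    wanted = {RR(name, t, v, p) for t, v, p in parse_values(base, scope, raw, external_ip)}
    # the scope a non-additive key replaces: every record of that type, or one MX prio only
    in_scope = {r for r in current
                if r.name == name and r.rtype == rtype and (scope is None or r.prio == scope)}
    to_add = wanted - in_scope
    to_delete = set() if additive else in_scope - wanted
    return to_add, to_delete


if __name__ == "__main__":
    for key, raw in [("ip4", "auto, 192.168.0.1"),
                     ("mx", "mail20.domain.example:20, mail30.domain.example:30"),
                     ("mx.40", "mail40.domain.example, mail50.domain.example:50"),
                     ("mx.10+", "mail10.domain.example")]:
        add, delete = plan("sub.domain.example", key, raw, ZONE, "203.0.113.7")
        print(key, "add:", sorted(r.value for r in add), "delete:", sorted(r.value for r in delete))
```

Computing the plan as a set difference is what makes the update idempotent: running it twice against an already converged zone yields empty add and delete sets, and nothing outside the named scope (other owner names, other types, other MX priorities) is ever touched.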
Usage: Domain
set SRV record
$ cat exmpl.cnf
[domain:sub.domain.example]
srv.service.proto.port.weight.prio = sub.domain.example:PRIO:WEIGHT:PORT:PROTO:SERVICE
Usage: Domain
set DMARC entries
$ cat exmpl.cnf
[domain:sub.domain.example]
dmarc.p = quarantine
dmarc.rua = mailto:[email protected]
dmarc.ruf = mailto:[email protected]
- changes the entries p, rua, ruf of the DMARC record
- entries adkim, aspf, pct do not change
- ”atomic“ operation
- only one DMARC record allowed!
Usage: Domain
set DMARC record
$ cat exmpl.cnf
[domain:sub.domain.example]
dmarc =
dmarc.p = quarantine
dmarc.rua = mailto:[email protected]
dmarc.ruf = mailto:[email protected]
- changes the entries p, rua, ruf of the DMARC record
- removes all other entries of this record
- atomic operation
- at most one DMARC record allowed!
Usage: Domain
set SOA entries
$ cat exmpl.cnf
[domain:domain.example]
soa.hostmaster = [email protected]
soa.refresh = 7200
- changes the entries hostmaster, refresh of the SOA record
- primns, serial, retry, expire, ncttl not changed
- atomic operation
- exactly one SOA record in top level allowed!
Usage: Domain
set SPF flags
$ cat exmpl.cnf
[domain:domain.example]
spf = -mx, a, ?all, +aaaa
- add given flags to SPF record
- remove all other flags from SPF record
- atomic operation
- at most one SPF record is allowed!
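The DMARC and SPF slides above distinguish two update modes on a single TXT record: `dmarc.<tag> = ...` changes the named tags and keeps the others, while `dmarc =` followed by tag lines rebuilds the record, and `spf = ...` always replaces the whole flag list. As an added example (my own code, not cryptdomainmgr's or dnsuptools'), here are both modes as pure functions over the record text, together with the "at most one record" check. Tag ordering, the `v=` handling, the mechanism validation and the sample records are my assumptions. Two caveats a practitioner will want: RFC 7208 says mechanisms after `all` are never evaluated, so the builder moves the `all` term last, and RFC 7208 defines no `aaaa` mechanism (the `a` mechanism already matches AAAA for IPv6 clients), so the slide's `+aaaa` is rejected rather than published silently.

```python
"""Added example (mine, not cryptdomainmgr's or dnsuptools' code): DMARC partial vs full
update and SPF replace over TXT record text. Tag order, v= handling, mechanism
validation and the constructed records are assumptions."""
import re

# mechanism names defined by RFC 7208 section 5; qualifiers +, -, ~, ? may precede them
SPF_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}

# constructed current record at _dmarc.domain.example (a list: the zone may hold several)
DMARC_NOW = ["v=DMARC1; p=none; adkim=s; pct=100"]


def parse_dmarc(txt):
    """'v=DMARC1; p=none; adkim=s' -> {'v': 'DMARC1', 'p': 'none', 'adkim': 's'}"""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip()] = value.strip()
    return tags


def format_dmarc(tags):
    """v first, p second (RFC 7489 section 6.3 requires that order); the rest sorted."""
    rest = sorted(k for k in tags if k not in ("v", "p"))
    return "; ".join(f"{k}={tags[k]}" for k in ["v", "p"] + rest if k in tags)


def update_dmarc(existing, changes, replace=False):
    """existing: TXT values currently at _dmarc.<domain>; changes: {tag: value}
    collected from dmarc.<tag> config keys.
    replace=False -> 'set DMARC entries': named tags change, everything else stays.
    replace=True  -> 'set DMARC record' (dmarc =): unnamed tags are dropped."""
    if len(existing) > 1:
        # RFC 7489 section 6.6.3: several records means receivers apply no policy at all
        raise ValueError("more than one DMARC record published; fix the zone first")
    tags = {} if replace or not existing else parse_dmarc(existing[0])
    tags.update(changes)
    tags["v"] = "DMARC1"
    if "p" not in tags:
        raise ValueError("a DMARC record without a p= policy is invalid")
    return format_dmarc(tags)


def build_spf(flags):
    """Replace the SPF record with exactly the given flags, 'all' term last."""
    terms, final = [], None
    for flag in flags:
        m = re.match(r"[+\-~?]?([a-z0-9]+)", flag)
        if not m or m.group(1) not in SPF_MECHANISMS:
            raise ValueError(f"unknown SPF mechanism in {flag!r}")
        if m.group(1) == "all":
            final = flag          # mechanisms after all would never be tested (RFC 7208 5.1)
        else:
            terms.append(flag)
    if final is not None:
        terms.append(final)
    return "v=spf1 " + " ".join(terms)


if __name__ == "__main__":
    changes = {"p": "quarantine", "rua": "mailto:dmarc-reports@domain.example"}
    print(update_dmarc(DMARC_NOW, changes))                # keeps adkim and pct
    print(update_dmarc(DMARC_NOW, changes, replace=True))  # drops them
    print(build_spf(["-mx", "a", "?all", "ip6:2001:db8::/32"]))
```

The partial mode is the safer default for a tool that runs unattended: it cannot accidentally drop a strict `adkim=s` or a sampling `pct=` that an operator set by hand, whereas the full mode is what you want when the config file is meant to be the single source of truth for the record.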
Usage: Domain
set ADSP and CAA records
$ cat exmpl.cnf
[domain:domain.example]
adsp = all
caa = 0 issue letsdecrypt.org, 128 issuewild examplecert.example
- atomic update of the ADSP record
- add the CAA records
- remove all other CAA records
configured by cert handler:
[domain:domain.example]
caa = auto
Usage: Domain
combine stuff – TLSA and DKIM
$ cat exmpl.cnf
[domain:sub.domain.example]
tlsa.tcp.443 = auto:3:0:1, auto:2:0:1
cert = maincert
dkim = maindkim
prepare cycle
- add TLSA and DKIM records
rollover cycle
- no DNS changes
- apply certificates and keys on server
cleanup cycle
- add TLSA and DKIM records (again)
- remove all other TLSA and DKIM records
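As an added example (my own code, not cryptdomainmgr's or the tlsarecgen.py of dnsuptools), the TLSA side of the three cycles above, which also covers the Basics slides on TLSA and DANE: records are computed for `auto:3:0:1` / `auto:2:0:1` style entries, a certificate is checked against a published TLSA set the way a DANE-validating client does ("TLSA == Cert ?"), and the prepare and cleanup cycles are rendered as the record sets they would leave in DNS. The certificate bytes are constructed stand-ins for DER, not real certificates; selector 1 (SubjectPublicKeyInfo only) is left out because it needs a DER parser. One point the code makes concrete: a usage 3 record hashes the whole certificate, so every renewal changes it even when the key stays the same, which is why prepare must publish old and new side by side and cleanup must remove the old one, while a usage 2 record pins the issuer and stays stable across renewals under the same CA.

```python
"""Added example (mine, not cryptdomainmgr's or dnsuptools' code): TLSA record data for
'auto:U:S:M' specs, the client-side DANE match, and the prepare/cleanup record sets.
Certificate bytes are constructed placeholders, not DER; selector 1 is not handled."""
import hashlib
from typing import NamedTuple

# constructed stand-ins for DER-encoded certificates (old leaf, renewed leaf, issuer)
OLD_CERT = b"constructed DER of the old leaf certificate"
NEW_CERT = b"constructed DER of the renewed leaf certificate"
ISSUER_CERT = b"constructed DER of the issuing CA certificate"


class TLSA(NamedTuple):
    usage: int      # 3 = DANE-EE (this cert), 2 = DANE-TA (an issuer in the chain)
    selector: int   # 0 = full certificate; 1 = SubjectPublicKeyInfo (not handled here)
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: str       # certificate association data, hex


def assoc_data(der, selector, mtype):
    """Certificate association data (RFC 6698 section 2.1.3/2.1.4) for one cert."""
    if selector != 0:
        raise NotImplementedError("selector 1 needs SPKI extraction from the DER")
    if mtype == 0:
        return der.hex()
    if mtype == 1:
        return hashlib.sha256(der).hexdigest()
    if mtype == 2:
        return hashlib.sha512(der).hexdigest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_from_spec(spec, leaf_der, issuer_der):
    """'auto:3:0:1' -> record computed from the leaf (usage 1/3) or issuer (usage 0/2)."""
    source, usage, selector, mtype = spec.split(":")
    if source != "auto":
        raise ValueError(f"only 'auto' specs are handled, got {source!r}")
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    der = leaf_der if usage in (1, 3) else issuer_der
    return TLSA(usage, selector, mtype, assoc_data(der, selector, mtype))


def present(rr):
    """RDATA text as it appears in a zone: usage selector mtype data."""
    return f"{rr.usage} {rr.selector} {rr.mtype} {rr.data}"


def dane_matches(records, leaf_der, chain_der):
    """Client side: does any published record match the served leaf or its chain?"""
    for rr in records:
        if rr.usage in (1, 3):
            if rr.data == assoc_data(leaf_der, rr.selector, rr.mtype):
                return True
        elif rr.usage in (0, 2):
            if any(rr.data == assoc_data(c, rr.selector, rr.mtype) for c in chain_der):
                return True
    return False


def rollover_plan(specs, old_leaf, new_leaf, issuer):
    """prepare: records for old and new cert side by side; cleanup: new only."""
    old_rrs = [tlsa_from_spec(s, old_leaf, issuer) for s in specs]
    new_rrs = [tlsa_from_spec(s, new_leaf, issuer) for s in specs]
    prepare = list(dict.fromkeys(old_rrs + new_rrs))   # dedupe: usage 2 repeats
    cleanup = list(dict.fromkeys(new_rrs))
    return prepare, cleanup


if __name__ == "__main__":
    prepare, cleanup = rollover_plan(["auto:3:0:1", "auto:2:0:1"], OLD_CERT, NEW_CERT, ISSUER_CERT)
    print("_443._tcp.sub.domain.example after prepare:")
    for rr in prepare:
        print("  IN TLSA", present(rr))
    print("after cleanup:")
    for rr in cleanup:
        print("  IN TLSA", present(rr))
```

Because the TLSA owner name is `_443._tcp.<host>`, the `tlsa.tcp.443` key above maps directly to that name; the record must be re-published with a TTL short enough that the cleanup cycle's removal has expired from caches before the old certificate is deleted from disk.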
Implementation: cryptdomainmgr
__main__.py: command line interface
cdmcore.py: core, brings everything together
cdmconfighandler.py: reads/interprets config (ini) files
cdmstatehandler.py: manages dependencies, data transport, next run phase
modules/: plugins handling/interfacing DNS update, certificate renewal, DKIM renewal, service reload
external packages:
simpleloggerplus: logging abstraction, password → *****
dnsuptools: domrobot interface abstraction, TLSA and DKIM calculation
Implementation: cryptdomainmgr
Reactive: Domain update depends on TLSA record calculated based on new certificate.
Figure: Certificate Update (modules/cert) → TLSA → Update Domain (modules/domain)
Implementation: modules
modules/cert/main.py: interface to handler, some helpers
modules/cert/handlerdehydrated.py: interface to dehydrated to create certificate
modules/cert/confighandler.py: interprets corresponding parts of the config file
external package:
dehydrated: handles the ACME API for Let's Encrypt
Implementation: simpleloggerplus
simpleloggerplus.py: core, produces output
deepops.py: deep dict/list operations, password → *****
Implementation: dnsuptools
dnsuptools.py: core, high level, record change & query methods
dnsupdate.py: interface to wrapper, low level
inwxwrapper.py: interface to InterNetworX API, lowest level
dkimrecgen.py: reads/interprets DKIM key file
tlsarecgen.py: reads/interprets certificate file
dnshelpers.py: one helper function
external packages:
simpleloggerplus: see simpleloggerplus above
inwxclient: domrobot client
Discussion
???