Presentation is loading. Please wait.

Presentation is loading. Please wait.

DANE/DNSSEC/TLS tests from Go6lab – findings and results Jan Žorž, Go6 Institute.

Published byMatthew Hoover Modified over 9 years ago

Similar presentations

Presentation on theme: "DANE/DNSSEC/TLS tests from Go6lab – findings and results Jan Žorž, Go6 Institute."— Presentation transcript:

1 DANE/DNSSEC/TLS tests from Go6lab – findings and results Jan Žorž, Go6 Institute

2 DNSSEC implementation in go6lab Powerdns server (used as primary for non- signed domains) as “hidden” primary DNS server OpenDNSSEC platform for signing domains BIND9 DNS servers as secondaries to OpenDNSSEC to serve signed zones Virtualization used: PROXMOX 3.4 OS templates: fedora-20, Centos6/7,

3 DNSSEC implementation in go6lab “Bump in a wire” Two public “primary” servers Concept:

4 DNSSEC in go6lab That was fairly easy and it works very well. Implementation document used from Matthijs Mekking: http://go6.si/docs/opendnssec-start-guide-draft.pdf

5 DANE experiment When DNSSEC was setup and functioning we started to experiment with DANE (DNS Authenticated Name Entities. Requirements: – DNSSEC signed domains – Postfix server with TLS support > 2.11 We decided for Postfix 3.0.1

6 DANE TLSA record for mx.go6lab.si _25._tcp.mx.go6lab.si. IN TLSA 3 0 1 B4B7A46F9F0DFEA0151C2E07A5AD7908F4C8B0050E7 CC25908DA05E2 A84748ED It’s basically a hash of TLS certificate on mx.go6lab.si More about DANE: http://www.internetsociety.org/deploy360/resources/da ne/

7 What is DANE and how does it work

8

9

10 DANE verification Mx.go6lab.si was able to verify TLS cert to T-2 mail server and nlnet-labs and some others… mx postfix/smtp[31332]: Verified TLS connection established to smtp-good-in-2.t-2.si[2a01:260:1:4::24]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits) dicht postfix/smtp[29540]: Verified TLS connection established to mx.go6lab.si[2001:67c:27e4::23]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

11 Postfix config smtpd_use_tls = yes smtpd_tls_security_level = may smtpd_tls_key_file = /etc/postfix/ssl/server.pem smtpd_tls_cert_file = /etc/postfix/ssl/server.pem smtpd_tls_auth_only = no smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_timeout = 3600s smtp_tls_security_level = dane smtp_use_tls = yes smtp_tls_note_starttls_offer = yes smtp_tls_loglevel = 1 tls_random_exchange_name = /var/run/prng_exch tls_random_source = dev:/dev/urandom tls_smtp_use_tls = yes

12 Malformed TLSA record We created TLSA record with bad hash (one character changed) Postfix failed to verified it and refused to send a message mx postfix/smtp[1765]: Untrusted TLS connection established to mail-bad.go6lab.si[2001:67c:27e4::beee]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) mx postfix/smtp[1765]: 3A4BE8EE5C: Server certificate not trusted

13 1M top Alexa domains and DANE We fetched top 1 million Alexa domains and created a script that sent an email to each any of them ( test-dnssec-dane@[domain] ) After some tweaking of the script we got some good results Then we built a script that parsed maillog file and here are the results:

14 Results Out of 1 million domains, 992.232 of them has MX record and mail server. Nearly 70% (687.897) of all attempted SMTP sessions to Alexa top 1 million domains MX records were encrypted with TLS Majority of TLS connections (60%) were established with trusted certificate 1.382 of connections where remote mail server announced TLS capability failed with "Cannot start TLS: handshake failure"

15 More results TLS established connections ratios are: Anonymous: 109.753 Untrusted: 167.063 Trusted: 410.953 Verified: 128 Quick guide: Anonymous (opportunistic TLS with no signature), Untrusted (peer certificate not signed by trusted CA), Trusted (peer certificate signed by trusted CA) and Verified (verified with TLSA by DANE).

16 DANE Verified Verified: 128 !!!

17 Mail distribution - Google.com mail servers handles 125.422 domains and all of them were detected with Trusted TLS state. - Secureserver.net mail servers handles 35.759 domains, some of them with Trusted TLS, some of them with no TLS at all - qq.com mail servers handles 11.254 domains and has no TLS at all - yandex.ru mail servers handles 9.268 domains and has Trusted TLS - ovh.net mail servers handles 8.531 domains with majority of them establishing Trusted TLS, just their redirect server having no TLS at all (redirect.ovh.net)

18 Mail distribution - emailsrvr.com mail servers handles 8.262 domains and has Trusted TLS - zohomail.com mail servers handles 2.981 domains and has Trusted TLS - lolipop.jp mail servers handles 1.685 domains and has no TLS at all - kundenserver.de mail servers handles 2.834 domains and has Trusted TLS - gandi.net mail servers handles 2.200 domains and has Anonymous TLS

19 DNSSEC? DANE? None of this “big” mail servers (and their domains) are DNSSEC signed (that means no DANE for them possible.

20 We extracted.si domains from that top1m from Alexa and added some dnssigned and some other “usual suspects” …and here are results! SLO email servers test

21 All contacted mail servers analysis: All mail servers: 397 Anonymous TLS servers: 95 (no peer certificate, no verification, just anonymous encryption) Untrusted TLS servers: 104 (peer certificate not signed by trusted CA) Trusted TLS servers: 103 (peer certificate signed by trusted CA, unverified peer name) Verified (DANE) TLS servers: 9 (peer certificate signed by trusted CA and verified peer name (DANE)) NO TLS servers: 90 (no TLS encryption at all, not even as an option)

22 All SMTP sessions analysis: Number of all established SMTP sessions: 554 Number of all succesful TLS sessions: 504 Number of all failed TLS sessions: 6 Number of sessions with NO TLS at all: 44 Number of IPv6 SMTP sessions: 53 Number of IPv4 SMTP sessions: 501

23 All domains checked analysis: All domains checked: 610 NON DNSSEC signed domains: 575 DNSSEC signed domains: 35 Domains with no MX record: 56

24 DANE enabled mail servers: - edo.kr-neki.si - mail.go6lab.si - mx1.t-2.net - mx2.t-2.net - mx.go6lab.si - protector.rajmax.si - renato.ni-re.net - smtp-bad-in-1.t-2.net - smtp-good-in-2.t-2.si

25 Mail servers with NO TLS capability The list is too long and I would not like to do publica shaming here… …but the list can be found here: http://bgp.go6.si/email-research/results.txt

26 Conclusions 70% of email can be encrypted in some way, you just need to enable TLS on your server Low number of DNSSEC signed domains/servers Even lower number of DANE/TLSA verified servers/connections It’s easy, go and do it – it’s not the end of the world and it helps with verifying who are you sending emails to – and vice versa ;)

27 Q&A Questions? Protests? Suggestions? Complaints? http://bgp.go6.si/email-research/results.txt

Download ppt "DANE/DNSSEC/TLS tests from Go6lab – findings and results Jan Žorž, Go6 Institute."

Similar presentations

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Cryptography and Network Security

Cryptography and Network Security
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?

COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?
Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.

Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Addressing spam email and enforcing a Do Not Email Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.

Addressing spam and enforcing a Do Not Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.
SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
The Inconvenient Truth about Web Certificates Jean-Pierre Hubaux Joint work with N. Vratonjic, J. Freudiger and V. Bindschaedler Work presented at WEIS.

The Inconvenient Truth about Web Certificates Jean-Pierre Hubaux Joint work with N. Vratonjic, J. Freudiger and V. Bindschaedler Work presented at WEIS.
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.

Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.
SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.

SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.
Chapter 8 Web Security.

Chapter 8 Web Security.
TrustPort Public Key Infrastructure. WWW.TRUSTPORT.COM Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.

TrustPort Public Key Infrastructure. Keep It Secure Table of contents  Security of electronic communications  Using asymmetric cryptography.
The Inconvenient Truth about Web Certificates Nevena Vratonjic Julien Freudiger Vincent Bindschaedler Jean-Pierre Hubaux June 2011, WEIS’11.

The Inconvenient Truth about Web Certificates Nevena Vratonjic Julien Freudiger Vincent Bindschaedler Jean-Pierre Hubaux June 2011, WEIS’11.

Similar presentations

Ads by Google