Investigate DANE #6

Open
opened 2025-02-05 14:16:25 +01:00 by pratyush · 1 comment
Owner
https://op-co.de/blog/posts/yax_im_dnssec/
Author
Owner

Now that the TLSA records are in place, it is not as easy to replace your server certificate as it was before, because the old one is now anchored in DNS.

You need to perform the following steps in order to ensure that all clients will be able to connect at any time:

Obtain the new certificate Create a second set of TLSA records, for the new certificate (keep the old one in place) Wait for the configured DNS time-to-live to ensure that all users have received both sets of TLSA records Replace the old certificate on the server with the new one Remove the old TLSA records If you fail to add the TLSA records and wait the DNS TTL, some clients will have cached a copy of only the old TLSA records, so they will reject your new server certificate.

^ from the article in the first comment.

One can apparently use either the certificate hash or pubkey hash

  • 256 bit certificate hash. Flags need to be set to 1 0 1

    openssl x509 -in /path/to/crt -outform DER | openssl sha256
  • 256 bit public key hash. Flags need to be set to 3 1 1

    openssl pkey -pubout -outform DER -in /path/to/key |
    sha256sum - | cut -d' ' -f1

Intending to go with the latter.

Prosody Docs

> Now that the TLSA records are in place, it is not as easy to replace your server certificate as it was before, because the old one is now anchored in DNS. > > You need to perform the following steps in order to ensure that all clients will be able to connect at any time: > > Obtain the new certificate > Create a second set of TLSA records, for the new certificate (keep the old one in place) > Wait for the configured DNS time-to-live to ensure that all users have received both sets of TLSA records > Replace the old certificate on the server with the new one > Remove the old TLSA records > If you fail to add the TLSA records and wait the DNS TTL, some clients will have cached a copy of only the old TLSA records, so they will reject your new server certificate. ^ from the article in the first comment. One can apparently use either the certificate hash or pubkey hash * 256 bit certificate hash. Flags need to be set to `1 0 1` ``` openssl x509 -in /path/to/crt -outform DER | openssl sha256 ``` * 256 bit public key hash. Flags need to be set to `3 1 1` ``` openssl pkey -pubout -outform DER -in /path/to/key | sha256sum - | cut -d' ' -f1 ``` Intending to go with the latter. [Prosody Docs](https://prosody.im/doc/dns#dane)
Sign in to join this conversation.
No description provided.