#3950 [RFE] Add support for TLSA records in FreeIPA
Closed: Duplicate. Opened 10 years ago by erinn.

Ok well here is my vision for this:

I believe you folks are building a web- and CLI-based interface via IPA into Dogtag. This would tie into that and have something like a check box to publish the certificate hash in DNS. Again, this is much like SSHFP records.

I don't believe you would want all certificates published via TLSA so it should probably be optional. As well, the certificates would have to have a "purpose" by which I mean a way of differentiating between one for a web server and one for say SMTP. This may tie in with the X509 constraints but I am not sure on that front.

A TLSA record looks much like a SRV record, to wit: _443._tcp.www.abaqis.com. IN TLSA 3 0 1 23ceabbd33f8458738de1dcec5662c97f4edb5b6251b498274e2351e7f695a04

So clearly with the port numbers etc included in there, there would need to be a way to mark a certificate as a web certificate etc.

The certificate hashes would also of course need to be updated as the certificates are renewed. This may require a tie in to certmonger, though I suspect not.

This would be a "very good thing" as TLSA will eventually allow us to circumvent the extremely broken trust model we have with current CAs and FreeIPA looks like a wonderful candidate place to automate exactly this.

Requirements

TLSA is not very useful without DNSSEC, which you folks are currently implementing.
BIND >= 9.7.6; though earlier versions can use TLSA records, this was the version that implemented native handling.

Use cases

Honestly, at this point there are not a whole lot of programs that can utilize TLSA. The only notable exception that I know of is Postfix, which will use TLSA natively if configured to do so (thus alleviating the cottage industry of self-signed certificates for SMTP servers).

Documentation
http://www.postfix.org/TLS_README.html#client_tls_dane

There is also a plugin for Firefox that will validate TLSA:
https://os3sec.org/

A nice primer on TLSA:
http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec

A program for creating hashes:
http://people.redhat.com/pwouters/hash-slinger/

And a bit of an article on its use:
http://www.internetsociety.org/deploy360/blog/2012/11/hash-slinger-helps-you-easily-create-tlsa-records-for-dnssec-dane/
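The record shown above (`_443._tcp.www.abaqis.com. IN TLSA 3 0 1 <sha256>`) is usage 3 (DANE-EE, match the end-entity certificate itself), selector 0 (hash the whole certificate rather than only its SubjectPublicKeyInfo) and matching type 1 (SHA-256). The following is an added example, not code from this ticket, FreeIPA, BIND or hash-slinger, that builds such a record from DER certificate bytes, renders the `_port._proto.host` owner name, parses it back, and checks a presented certificate against it; it also shows the renewal problem raised above, where the published hash stops matching once the certificate is replaced. The certificate bytes are constructed placeholders (a minimal DER SEQUENCE, not a real certificate), and the hostname is an assumption.

```python
"""Build and check DANE TLSA records (RFC 6698) from DER-encoded certificate bytes.

Added example for this ticket; not FreeIPA, BIND or hash-slinger code.
Standard library only.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 6698 field values used below.
USAGE_DANE_EE = 3        # 3 = DANE-EE: the end-entity certificate itself, no CA trust needed
SELECTOR_FULL_CERT = 0   # 0 = whole certificate; 1 = SubjectPublicKeyInfo only
MATCH_SHA256 = 1         # 0 = full data; 1 = SHA-256; 2 = SHA-512


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    assoc_data: str  # hex-encoded "certificate association data"

    def zone_line(self, host: str, port: int, proto: str = "tcp") -> str:
        """Render as a zone-file line: _port._proto.host. IN TLSA u s m data."""
        return (f"_{port}._{proto}.{host}. IN TLSA "
                f"{self.usage} {self.selector} {self.matching_type} {self.assoc_data}")


def association_data(selected: bytes, matching_type: int) -> str:
    """Apply the matching type to the selected bytes and return hex."""
    if matching_type == 0:
        return selected.hex()
    if matching_type == 1:
        return hashlib.sha256(selected).hexdigest()
    if matching_type == 2:
        return hashlib.sha512(selected).hexdigest()
    raise ValueError(f"unknown matching type {matching_type}")


def build_tlsa(cert_der: bytes, spki_der: Optional[bytes] = None, usage: int = USAGE_DANE_EE,
               selector: int = SELECTOR_FULL_CERT, matching_type: int = MATCH_SHA256) -> TLSARecord:
    """Create the record that should be published for cert_der.

    Selector 1 needs the DER SubjectPublicKeyInfo; pulling it out of the
    certificate needs an ASN.1 parser, so the caller passes it in here.
    """
    if usage not in (0, 1, 2, 3):
        raise ValueError(f"unknown usage {usage}")
    if selector == 0:
        selected = cert_der
    elif selector == 1:
        if spki_der is None:
            raise ValueError("selector 1 requires the SubjectPublicKeyInfo bytes")
        selected = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    return TLSARecord(usage, selector, matching_type, association_data(selected, matching_type))


def parse_zone_line(line: str) -> Tuple[str, TLSARecord]:
    """Parse 'owner. IN TLSA u s m hex' back into (owner, TLSARecord)."""
    owner, cls, rtype, usage, selector, mtype, data = line.split()
    if (cls, rtype) != ("IN", "TLSA"):
        raise ValueError("not a TLSA record")
    return owner, TLSARecord(int(usage), int(selector), int(mtype), data.lower())


def tlsa_matches(record: TLSARecord, candidate_der: bytes,
                 candidate_spki_der: Optional[bytes] = None) -> bool:
    """Check whether the certificate the record's usage refers to satisfies it.

    For usage 1/3 the candidate is the end-entity certificate; for usage 0/2
    the caller passes the CA certificate from the presented chain instead.
    """
    try:
        expected = build_tlsa(candidate_der, candidate_spki_der,
                              record.usage, record.selector, record.matching_type)
    except ValueError:
        return False
    return hmac.compare_digest(expected.assoc_data, record.assoc_data.lower())


# Constructed placeholders: a minimal DER SEQUENCE, not a real certificate.
SAMPLE_CERT_DER = b"\x30\x03\x02\x01\x01"
RENEWED_CERT_DER = b"\x30\x03\x02\x01\x02"  # stand-in for the certificate after renewal


def demo() -> dict:
    """Publish a record for the sample cert, then check current and renewed certs."""
    rec = build_tlsa(SAMPLE_CERT_DER)
    line = rec.zone_line("www.example.com", 443)  # assumed hostname
    _, parsed = parse_zone_line(line)
    return {
        "zone_line": line,
        "current_matches": tlsa_matches(parsed, SAMPLE_CERT_DER),
        # the published hash goes stale as soon as the certificate is renewed
        "renewed_matches": tlsa_matches(parsed, RENEWED_CERT_DER),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The "renewed_matches" result is the point about certmonger above: whatever renews the certificate has to republish (and re-sign, under DNSSEC) the TLSA record, or clients doing DANE validation will reject the new certificate.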


Thank you for the RFE!

As the first step, I think we would expose TLSA DNS record type when DNSSEC is implemented (#3801). Then there could be integration with FreeIPA certificate framework. Adding Petr Spacek to CC.

This ticket was implemented as part of #4328. Closing as duplicate.

Duplicate - do not clone this one.

Metadata Update from @erinn:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.0 GA

7 years ago

