Letsencrypt and TLSA RR / DANE

First of all, I want to say how much I love your service!
Amazing features and I really love the API! Not to mention, that it is free (as in beer and speech :beers: :heart_eyes:)

I use Let’s Encrypt to obtain certificate for all my subdomains using certbot on the server, which works absolutely flawless.

However since my DNS entries are now secure thanks to your service, it would make sense to also add TLSA records with the certifcate in the DNS entry to further protect against Man In The Middle attacks.

  1. Question:
    Is it advisable to enable DANE on normal https websites? Do browsers even check the TLSA record and care about inconsistencies?

As I read here on the Let’s Encrypt Forum and here there are a few issues with using DANE-EE together with Let’s Encrypt.
The main issue being that the certificate renews immediately but the DNS update might take some time to propagate (in the case of desec, only one hour, which seems not that bad).
The currently best option seems to use a fixed public key and renew only certificates, but for security reasons (?) the key might have to be renewed manually every now and then.

  1. Question
    Would it make sense to include a certbot hook that after certificate renewal updates the TLSA via the API and then waits one hour until he replaces the certificate for the DNS entry to be changed?

I have no experience with DNSSEC or DANE and maybe I am overthinking this and it is too much effort for too little effect :sweat_smile:

Hi oscaropen,

Thanks for your message, and welcome to deSEC! :slight_smile: Please excuse the delay in responding.

Unfortunately, TLSA support is not common in browsers. For Firefox and Chrome, there are plugins, but last time I checked, they did not work properly and were not maintained, I believe. However, I didn’t check in a while – so if you find something, do let us know!

There only is a need to rotate your key when there exists the possibility that your key has been compromised. Note that it’s very difficult to categorically exclude this possibility (think of keys ending up in backups etc.). In the end, there is no “right” answer here.

However, I personally think that rotating keys with every certificate renewal is not necessary from a security perspective. I can imagine though that Let’s Encrypt does it this way by default in order to enforce the development of automated solutions. This way, if one needs to rotate a key at some point, the mechanism will already be present. (The same is true about the short certificate lifetimes, which encourage automation. Previously, it was often observed that manual certification rotation was forgotten, so that expired certificates were all over the place.)

That would certainly make a lot of sense! … but we have not gotten around to work on it. There are other more basic things on our plate, such as allowing users to manage their API tokens in a better way (also to encourage automation), or 2-factor authentication. If you’d like to work on this, you would be very welcome!

In any case, the details would have to be thought through carefully. For example, you probably would not want the script to wait (hang) for an hour. Some integration with web server software would probably be helpful. I do not know if any other work already exists in this regard.

Stay secure,