• Fwd: Re: whonix.org DNSSEC/DANE

    From estellnb@elstel.org@21:1/5 to All on Fri Mar 13 17:10:01 2020
    Dear readers of the debian-security mailing list,

    I have recently described how to set up a secure emailing terminal
    at https://www.elstel.org/DANE/. Since then I have got dozens of replies
    from people who said that they did not receive my emails before, not
    even in the spam folder. There are only two people whom I could still
    not reach. One of them is Patrick Schleizer. He normally always responds
    to me, but I know he is reading debian-security and that is why I have
    decided to write to you today. The email was on how easy it is to enable
    DANE for a custom domain: enable DNSSEC and provide a TLSA record. The
    other contact is Claudio Guarnieri. He also works in a security-related
    context. He appears not to have received my emails though I sent out the
    same email a dozen times.

    Yours Sincerely,
    Elmar Stellnberger

    -------- Original Message --------
    Subject: Re: whonix.org DNSSEC/DANE
    Date: 08.03.2020 07:55
    From: estellnb@elstel.org
    To: Patrick Schleizer <adrelanos@riseup.net>

    On 29.12.2019 10:43, Elmar Stellnberger wrote:
    Hello Patrick

    So if your domain supports DNSSEC, then DANE support is dead easy
    to get:
    https://ssl-tools.net/tlsa-generator

    I always use DANE-EE & Use full certificate. That is the easiest to
    check on the command line. My TLSA entry then looks like this:

    $ drill m.root-servers.net +trusted-key=/usr/share/dns/root.key +topdown +sigchase TLSA _443._tcp.elstel.org | egrep -v "^$|^;"
    _443._tcp.elstel.org. 19819 IN TLSA 3 0 1 a8edf0cacaf776acacdfe53564c51556ad325f03a369e4c8f4622b4dc5b06865

    see also:
    https://www.iana.org/assignments/dane-parameters/dane-parameters.xhtml

    this works too:
    dig @$dns +trusted-key=/usr/share/dns/root.key +topdown +sigchase TLSA _443._tcp.$1

    Wishing you a happy new year and pleasant remaining holidays,
    Elmar


    On 02.09.19 at 15:55, Patrick Schleizer wrote:
    Elmar Stellnberger:
    P.S.: What about DANE support on whonix.org?
    I have seen that domain providers such as inwx.de now already
    support DNSSEC/DANE.


    DNSSEC looks good.

    https://dnssec-debugger.verisignlabs.com/whonix.org

    DANE: not yet

    In general:

    https://www.whonix.org/wiki/Privacy_Policy_Technical_Details

    Well, it is just a Hetzner server. Nothing against Hetzner, but these
    days you cannot expect much security from any server provider.


    -------- Original Message --------
    Subject: Re: analysis of a complete rootkit
    Date: 08.03.2020 07:54
    From: estellnb@elstel.org
    To: Nex <nex@nex.sx>

    Dear Claudio Guarnieri

    I just wanted to ask you whether you know about the current mass
    surveillance plaintiff against the BND? The EFF has said it could even
    become a legal precedent for US law. As you care about the analysis of
    rootkits I thought you could be interested. Please respond shortly to my
    email so that I will know whether you have received it. I have sent you
    this email now a dozen times without getting a reply. Please look at
    https://www.elstel.org/DANE/ and https://www.elstle.org/atea/ and at the
    message I will post on debian-security in some time on how to get a
    secure emailing client. You are one of two contacts who do not
    respond. All others (dozens) have responded to me since I have secure
    DANE emailing.

    Best Regards,
    Elmar

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
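
The TLSA record quoted in the forwarded mail above ("3 0 1" = DANE-EE, full certificate, SHA-256) can be checked against a certificate as follows. This is an added example, not part of the original mails; the function names, `SAMPLE_DER` and the `example.org` record are constructed for illustration. It covers only the matching step and assumes the record itself was obtained through a DNSSEC-validated lookup.

```python
import hashlib
import hmac

# Matching-type field of a TLSA record (RFC 6698): 0 = exact, 1 = SHA-256, 2 = SHA-512.
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}

def parse_tlsa(line):
    """Parse one TLSA record in presentation format, as drill/dig print it."""
    fields = line.split()
    i = fields.index("TLSA")
    usage, selector, mtype = (int(f) for f in fields[i + 1:i + 4])
    # Tools and mail clients may wrap the hex data into several chunks.
    data = bytes.fromhex("".join(fields[i + 4:]))
    return {"owner": fields[0], "usage": usage, "selector": selector,
            "mtype": mtype, "data": data}

def cert_matches_tlsa(cert_der, record_line):
    """True if the DER certificate satisfies a DANE-EE, full-certificate record."""
    rec = parse_tlsa(record_line)
    if rec["usage"] != 3 or rec["selector"] != 0:
        # Selector 1 (SubjectPublicKeyInfo) needs ASN.1 parsing, left out here.
        raise ValueError("only usage 3 (DANE-EE) with selector 0 is handled")
    if rec["mtype"] == 0:
        presented = cert_der
    elif rec["mtype"] in DIGESTS:
        presented = DIGESTS[rec["mtype"]](cert_der).digest()
    else:
        raise ValueError("unknown matching type %d" % rec["mtype"])
    # Constant-time comparison; differing lengths simply compare unequal.
    return hmac.compare_digest(presented, rec["data"])

# Record exactly as quoted in the mail (its hex was wrapped onto a second line).
PAGE_RECORD = ("_443._tcp.elstel.org. 19819 IN TLSA 3 0 1 "
               "a8edf0cacaf776acacdfe53564c51556ad325f03a369e4c8f4622b4dc5b06865")

# Constructed stand-in for a server certificate's DER bytes (not a real certificate).
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_RECORD = ("_443._tcp.example.org. 3600 IN TLSA 3 0 1 "
                 + hashlib.sha256(SAMPLE_DER).hexdigest())

if __name__ == "__main__":
    print(parse_tlsa(PAGE_RECORD))
    print(cert_matches_tlsa(SAMPLE_DER, SAMPLE_RECORD))         # certificate unchanged
    print(cert_matches_tlsa(SAMPLE_DER + b"x", SAMPLE_RECORD))  # certificate replaced
```

For a live check, the DER bytes can be obtained with `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` from the Python standard library.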