The DNS Resolver Unbound

Unbound [5] is a good DNSSEC-enabled resolver. It is easy to set up, it's quick, and it caches DNS queries. After installation, running unbound-anchor is usually sufficient to load the root certificates for the DNSSEC trust chain. The additional call unbound-control-setup generates local certificates for secure communication of the command-line control program unbound-control, which Unbound manages easily.

After the start, Unbound binds itself to the address of the local host by default. The dig query of a DNSSEC-enabled domain (Listing 3) ensures that Unbound can recognize and verify DNSSEC. The additional ad (authenticated domain) flag in the answer's header area indicates a successful query.

$ dig @localhost +dnssec sys4.de
; <<>> DiG 9.9.5-3-Ubuntu <<>> @localhost +dnssec sys4.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15587
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 3
[...]

Up to the release of this article, Postfix only provided full DANE-SMTP support. The main reason for this is that Viktor Dukhovni, one of the DANE SMTP RFC authors, is also a leading author of Postfix. His reflections on DANE SMTP flowed into Postfix, and he traced his experiences back into the RFC.

Only Postfix from Version 2.11.1

DANE SMTP requires at least Postfix 2.11.1. Once the SMTP client is fundamentally configured for TLS, only a few simple steps are required, and Postfix can handle DANE-SMTP servers. The parameter smtp_dns_support_level instructs Postfix to make DNSSEC-validating queries to the resolver. The new TLS policy sets the dane option for smtp_tls_security_level (Listing 4). With immediate effect, Postfix queries via DNSSEC as to whether the target domain MX(e) records have TLSA RRs and checks to see whether their fingerprints match those of the server.

smtp_dns_support_level = dnssec
smtp_tls_security_level = dane

Enabling TLS Policies

Those who want to publish a TLS policy must enable their domain for DNSSEC. Just over a third of German registrars currently provide the infrastructure to host a DNSSEC-enabled domain. If you're running your own DNS server, you can, of course, also operate DNSSEC-enabled.

The steps required for this also vary depending on the product used: DNSSEC works with the current BIND without any problems. Older name servers (e.g., djbdns) still have problems. In any case, it is important to renew the signatures of a DNSSEC-enabled domain meticulously within your TTL. If the signatures run out without being renewed, the domain will no longer be considered trustworthy, and DNSSEC-enabled resolvers will then ignore all requests.