letsdane

v0.6.1
Published: Sep 23, 2021 License: Apache-2.0 Imports: 22 Imported by: 0

README

Let's DANE


Note: Let's DANE is still under development, use at your own risk.

Let's DANE enables the use of DANE (DNS Based Authentication of Named Entities) in browsers and other apps using a lightweight proxy. It currently supports DANE-EE and works with self-signed certificates.



[Screenshot: Let's DANE handshake. This domain is DNSSEC signed with ed25519 in an experimental decentralized alternate root zone, handshake.org.]

[Screenshot: Let's DANE verified DNSSEC. torproject.org with a DANE-EE validated certificate.]

How it works

Let's DANE acts as a trusted intermediary between the browser and DANE-enabled sites. For each connection it checks whether the domain publishes TLSA records, authenticates the server's certificate against them, and, if that succeeds, generates a certificate for the domain on the fly, signed by its own local CA. For DANE sites the proxy therefore terminates the browser's TLS session and opens its own TLS connection to the end server: both legs are encrypted, but the traffic is in plaintext inside the proxy process on your machine. If a website doesn't support DANE, the connection is tunneled through unchanged and the browser sees the site's original certificate, validated by its normal CA store.

You are essentially trusting your own private certificate authority. Its key lives on your machine and it only issues certificates for names that passed DANE authentication; install its certificate in your browser's CA store so the browser accepts those certificates. Anyone who can read the CA's private key can issue certificates your browser will trust, so protect it like any other private key.
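The two steps described above, a DANE-EE match followed by local issuance, as an added Go example that is not code from the Let's DANE project: it authenticates a self-signed origin certificate against a constructed "3 1 1" TLSA record and, only on success, mints a leaf certificate for the host from a local CA, then checks that the leaf validates the way a browser with that CA installed would. Everything in it is illustrative: the function names, the host example.test, P-256 keys in place of the RSA key the project's NewAuthority produces, and the omission of the SHA-512 matching type.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the RDATA of one TLSA record (RFC 6698 section 2.1).
type TLSA struct {
	Usage        uint8 // 3 = DANE-EE, the only usage Let's DANE supports
	Selector     uint8 // 0 = full certificate, 1 = SubjectPublicKeyInfo
	MatchingType uint8 // 0 = exact, 1 = SHA-256 (2 = SHA-512 is left out here)
	Data         []byte
}

// MatchDANEEE reports whether cert satisfies a usage-3 record. Expiry and issuer are
// deliberately not checked: with DANE-EE the record is the trust anchor (RFC 7671 5.1).
func MatchDANEEE(cert *x509.Certificate, rr TLSA) (bool, error) {
	if rr.Usage != 3 || rr.Selector > 1 || rr.MatchingType > 1 {
		return false, fmt.Errorf("unusable record %d %d %d", rr.Usage, rr.Selector, rr.MatchingType)
	}
	data := cert.Raw
	if rr.Selector == 1 {
		data = cert.RawSubjectPublicKeyInfo
	}
	if rr.MatchingType == 1 {
		h := sha256.Sum256(data)
		data = h[:]
	}
	return bytes.Equal(data, rr.Data), nil
}

// newCert makes a certificate for host signed by parent, or self-signed when
// parent is nil. P-256 is used for speed; the project's NewAuthority uses RSA.
func newCert(host string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // rand.Reader is not expected to fail
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: host},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour), // short-lived; reissued as needed
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{host} // the browser matches on the SAN, not the CN
	}
	if parent == nil { // self-signed: an origin's certificate, or the proxy's own CA
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// AuthenticateAndIssue is the per-connection step: if the origin's certificate matches any
// usable TLSA record, mint a leaf for host from the local CA; otherwise refuse, never fall back.
func AuthenticateAndIssue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, origin *x509.Certificate, records []TLSA) (*x509.Certificate, error) {
	for _, rr := range records {
		if ok, err := MatchDANEEE(origin, rr); err == nil && ok {
			leaf, _, err := newCert(host, false, ca, caKey)
			return leaf, err
		}
	}
	return nil, fmt.Errorf("%s: no TLSA record matches the origin certificate", host)
}

// ChainsTo checks leaf the way a browser with ca in its store would.
func ChainsTo(leaf, ca *x509.Certificate, host string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	origin, _, _ := newCert("example.test", false, nil, nil) // stands in for the DANE site
	ca, caKey, _ := newCert("Let's DANE demo CA", true, nil, nil)
	h := sha256.Sum256(origin.RawSubjectPublicKeyInfo) // the "3 1 1" record the site publishes
	leaf, err := AuthenticateAndIssue(ca, caKey, "example.test", origin, []TLSA{{3, 1, 1, h[:]}})
	fmt.Println(err, leaf != nil && ChainsTo(leaf, ca, "example.test"))
}
```

The host check in ChainsTo is what the DNSNames SAN on the issued leaf buys: a leaf minted for one DANE site is useless for any other name. The Constraints field on the project's Config and the -skip-icann flag play the same role one level up, limiting which names the local CA will sign at all.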

Features

  • Full DANE-EE support including self-signed certificates (RFC6698, RFC7671)
  • Client-side DNSSEC validation using libunbound
  • Prevents downgrade attacks to traditional CAs
  • Lightweight DANE tunnels that work with most protocols, with ALPN support
  • Happy Eyeballs v2 (RFC8305)

Build from source

You can build the latest version from source for now; the binaries in the releases are not up to date yet.

Go 1.15+ is required. libunbound is optional: omit -tags unbound to build without it, in which case letsdane relies on the resolver's AD bit only.

apt install libunbound-dev
git clone https://github.com/buffrr/letsdane.git && cd letsdane/cmd/letsdane
go build -tags unbound

Quick Usage

Let's DANE will generate a CA and store it in ~/.letsdane when you start it for the first time. To start the proxy server:

$ letsdane -r 1.1.1.1
  • Add Let's DANE proxy to your web browser 127.0.0.1:8080 (Firefox example)

  • Import the certificate file into your browser certificate store (Firefox example). You can use letsdane -o myca.crt to export the public cert file to a convenient location.

If you don't specify a resolver, letsdane uses the system resolver settings from /etc/resolv.conf and falls back to the root hints. If letsdane is compiled with libunbound, all queries are DNSSEC validated against a hardcoded ICANN 2017 KSK (pass -anchor to use a trust anchor file instead).

Use letsdane -help to see command line options.

Using with Handshake root zone

Currently, there are two ways to use letsdane with Handshake:

1. Using hsd or hnsd

Specify the address:port of the Handshake resolver. It must run locally on your machine, or you must use sig0 (below) so that its responses can be verified.

Optionally use -skip-icann to skip TLSA lookups for ICANN TLDs and to prevent the generated CA from issuing certificates for ICANN TLDs. This is recommended: hnsd is still experimental, and skipping ICANN TLDs also avoids breaking some legacy domains that use poorly configured nameservers.

Assuming hnsd is listening on '127.0.0.1:5350'

$ letsdane -r 127.0.0.1:5350 -skip-dnssec -skip-icann
  • Add Let's DANE proxy to your web browser 127.0.0.1:8080 (Firefox example)

  • Import the certificate file into your browser certificate store (Firefox example). You can use letsdane -o myca.crt to export the public cert file to a convenient location.

If you use hsd, you can optionally use sig0 by specifying the resolver's public key as public_key@ip:port:

$ letsdane -r aj7bjss4ae6hd3kdxzl4f6klirzla377uifxu5mnzczzk2v7p76ek@192.168.1.22:5350 -skip-icann

Firefox creates a separate CA store for each profile, so use a dedicated profile if you want the CA to be trusted only there.

2. Using DoH

You can use any DoH resolver that you trust. The resolver must support Handshake if you want Handshake domains to work.

$ letsdane -r https://easyhandshake.com:8053 -skip-dnssec -skip-icann
  • Add Let's DANE proxy to your web browser 127.0.0.1:8080 (Firefox example)

  • Import the certificate file into your browser certificate store (Firefox example). You can use letsdane -o myca.crt to export the public cert file to a convenient location.

DANE-EE Sites

handshake

DANE Tools

Docker

Building an image

To build a Docker image run:

git clone https://github.com/buffrr/letsdane
cd letsdane && docker build -t letsdane .

Running a container

To start a container with the proxy on port 8080 and the CA files kept in the dane directory, run:

docker run --name letsdane -dp 127.0.0.1:8080:8080 \
  -v "$(pwd)"/dane:/root/.letsdane \
  --restart unless-stopped \
  letsdane -verbose

Threat Model

The proxy is intended to be installed locally on your machine, and the generated CA should only be trusted on that machine. letsdane assumes that your user account is secure: even without letsdane, a compromised user account means the browser cannot be used securely anyway. The CA's private key is stored under ~/.letsdane, so whoever can read it can issue certificates your browser trusts.

Use of resolvers

When built with libunbound, letsdane validates DNSSEC itself, so the upstream resolver only needs to be reachable, not trusted. If you already run a local DNSSEC-validating resolver and don't want letsdane to validate again, you can pass -skip-dnssec. Know what you are doing: this is dangerous unless the path to that resolver is trusted.

With -skip-dnssec, letsdane relies on the Authenticated Data (AD) flag in the resolver's responses. The AD flag is a single bit in the DNS header, not a signature: anything on the path between letsdane and the resolver can clear it (downgrading a DANE site to plain CA validation) or set it on forged data. Only use -skip-dnssec with a resolver on localhost or over a transport that authenticates the resolver, such as sig0 or DoH.
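What -skip-dnssec actually trusts, as an added Go example that is not code from the project (which uses miekg/dns and libunbound): it parses the AD, CD and RCODE fields from a constructed DNS response header, applies the secure/insecure/bogus rule to decide between DANE, plain CA validation and refusing the connection, and shows that clearing one unauthenticated bit is all an on-path party needs to downgrade that decision. The messages are constructed, only the 12-byte header is parsed, and the answer count stands in for the presence of usable TLSA records; all of that is simplification for the example, as are the function names.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Header is the 12-byte DNS message header (RFC 1035 section 4.1.1), reduced
// to the fields that drive the trust decision below.
type Header struct {
	QR      bool  // the message is a response
	AD      bool  // Authenticated Data (RFC 4035 section 3.2.3)
	CD      bool  // Checking Disabled: the client asked for no validation
	RCode   uint8 // 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
	ANCount uint16
}

// ParseHeader decodes a wire-format header. AD is bit 5 of the fourth byte and
// nothing in the message protects it: it is a claim by whoever wrote the packet.
func ParseHeader(msg []byte) (Header, error) {
	if len(msg) < 12 {
		return Header{}, errors.New("message shorter than the DNS header")
	}
	return Header{
		QR:      msg[2]&0x80 != 0,
		AD:      msg[3]&0x20 != 0,
		CD:      msg[3]&0x10 != 0,
		RCode:   msg[3] & 0x0F,
		ANCount: binary.BigEndian.Uint16(msg[6:8]),
	}, nil
}

// Decision is what the proxy does with a connection after the TLSA lookup.
type Decision int

const (
	Refuse  Decision = iota // the lookup was bogus: fail closed
	UsePKIX                 // no secure TLSA data: tunnel the origin certificate through
	UseDANE                 // secure TLSA data: require a DANE-EE match
)

func (d Decision) String() string { return []string{"Refuse", "UsePKIX", "UseDANE"}[d] }

// DecideFromAD applies the RFC 6698 section 4.1 rule (bogus: fail; secure with
// records: DANE; insecure or absent: PKIX) using only what the upstream resolver
// reports, which is what -skip-dnssec does. A validating resolver answers bogus
// data with SERVFAIL when CD is clear (RFC 4035 section 5.5) and secure data with
// AD=1. Simplification: ANCount>0 stands in for "usable TLSA records present".
func DecideFromAD(msg []byte) (Decision, error) {
	h, err := ParseHeader(msg)
	if err != nil {
		return Refuse, err
	}
	switch {
	case !h.QR || h.CD:
		return Refuse, errors.New("not a validated response")
	case h.RCode == 2:
		return Refuse, nil // SERVFAIL: treated as bogus
	case h.RCode != 0 && h.RCode != 3:
		return Refuse, fmt.Errorf("unexpected rcode %d", h.RCode)
	case h.RCode == 0 && h.AD && h.ANCount > 0:
		return UseDANE, nil
	}
	return UsePKIX, nil
}

// response builds a constructed (not captured) 12-byte response header; the
// question and records are omitted because only the header matters here.
func response(ad bool, rcode uint8, ancount uint16) []byte {
	msg := make([]byte, 12)
	msg[2] = 0x81         // QR=1, RD=1
	msg[3] = 0x80 | rcode // RA=1
	if ad {
		msg[3] |= 0x20
	}
	binary.BigEndian.PutUint16(msg[6:8], ancount)
	return msg
}

// StripAD is the entire downgrade attack against -skip-dnssec over an untrusted
// path: clear one bit between the resolver and letsdane and a secure TLSA answer
// reads as insecure, so the proxy passes the origin certificate through instead
// of enforcing DANE. Local validation with libunbound has no such bit to flip.
func StripAD(msg []byte) []byte {
	out := append([]byte(nil), msg...)
	out[3] &^= 0x20
	return out
}

func main() {
	secure := response(true, 0, 2)
	for _, m := range [][]byte{secure, StripAD(secure), response(false, 2, 0)} {
		d, err := DecideFromAD(m)
		fmt.Println(d, err)
	}
}
```

Running it prints UseDANE for the secure answer, UsePKIX for the same answer with AD cleared, and Refuse for SERVFAIL. The first two lines differ by one bit in byte 3, which is why the README ties -skip-dnssec to a local resolver, sig0 or DoH: each of those makes that byte hard to touch in transit, while the AD bit itself never proves anything.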

Why?

I wanted to try DANE, but no browser currently supports it. Browser support may still be a long way off, but if you want to try it now, you can!

Contributing

Contributions are welcome!

Credits

Thanks to the awesome miekg/dns package.

Even though TLS proxies are not new, the GNU Name System has prior art here: it also uses a TLS proxy to make its domains work in other applications, although its naming system is very different from traditional DNS.

Documentation

Index

Constants

This section is empty.

Variables

var (
	// Version the current version
	Version = "(untracked dev)"
)

Functions

func NewAuthority

func NewAuthority(name, organization string, validity time.Duration, constraints map[string]struct{}) (*x509.Certificate, *rsa.PrivateKey, error)

NewAuthority creates a new CA certificate and associated private key.

Types

type Config

type Config struct {
	Certificate    *x509.Certificate
	PrivateKey     interface{}
	Validity       time.Duration
	Resolver       resolver.Resolver
	Constraints    map[string]struct{}
	SkipNameChecks bool
	Verbose        bool

	// For handling relative urls/non-proxy requests
	ContentHandler http.Handler
}

func (*Config) NewHandler added in v0.5.0

func (c *Config) NewHandler() (*proxy.Handler, error)

func (*Config) Run

func (c *Config) Run(addr string) error

Directories

cmd
