
Fwd: Re: whonix.org DNSSEC/DANE



Dear readers of the debian-security mailing list,

I have recently described how to set up a secure emailing terminal at https://www.elstel.org/DANE/. Since then I have got dozens of replies from people who said that they did not receive my emails before, not even in the spam folder. There are only two people whom I could still not reach. One of them is Patrick Schleizer. He normally always responds to me but I know he is reading debian-security and that is why I have decided to write you today. The email was on how easy it is to enable DANE for a custom domain: enable DNSSEC and provide a TLSA record. The other contact is Claudio Guarnieri. He also works in a security-related context. He appears not to have received my emails though I sent out the same email a dozen times.

Yours Sincerely,
Elmar Stellnberger

-------- Original Message --------
Subject: Re: whonix.org DNSSEC/DANE
Date: 08.03.2020 07:55
From: estellnb@elstel.org
To: Patrick Schleizer <adrelanos@riseup.net>

On 29.12.2019 10:43, Elmar Stellnberger wrote:
Hello Patrick

  So if your domain supports DNSSEC, then DANE support is dead easy
to get:
https://ssl-tools.net/tlsa-generator

I always use DANE-EE & Use full certificate. That is the easiest to
verify on the command line. My TLSA record then looks like this:

$ drill m.root-servers.net +trusted-key=/usr/share/dns/root.key +topdown +sigchase TLSA _443._tcp.elstel.org | egrep -v "^$|^;"
_443._tcp.elstel.org.   19819   IN      TLSA    3 0 1 a8edf0cacaf776acacdfe53564c51556ad325f03a369e4c8f4622b4dc5b06865

see also:
https://www.iana.org/assignments/dane-parameters/dane-parameters.xhtml

this works too:
dig @$dns +trusted-key=/usr/share/dns/root.key +topdown +sigchase TLSA _443._tcp.$1

Wishing you a happy new year and pleasant remaining holidays,
Elmar


On 02.09.19 at 15:55, Patrick Schleizer wrote:
Elmar Stellnberger:
P.S.: What about DANE support on whonix.org?
I have seen that domain providers like inwx.de now already support
DNSSEC/DANE.


DNSSEC looks good.

https://dnssec-debugger.verisignlabs.com/whonix.org

DANE: not yet

In general:

https://www.whonix.org/wiki/Privacy_Policy_Technical_Details

Well, it is just a Hetzner server. Nothing against Hetzner, but
nowadays you cannot expect much security from any server provider.


-------- Original Message --------
Subject: Re: analysis of a complete rootkit
Date: 08.03.2020 07:54
From: estellnb@elstel.org
To: Nex <nex@nex.sx>

Dear Claudio Guarnieri

I just wanted to ask you whether you know about the current mass surveillance plaintiff against the BND? The EFF has said it could even become a legal precedent for US law. As you care about the analysis of rootkits I thought you could be interested. Please respond shortly to my email so that I will know whether you have received it. I have sent you this email now a dozen times without getting a reply. Please look at https://www.elstel.org/DANE/ and https://www.elstle.org/atea/ and at the message I will post on debian-security in some time on how to get a secure emailing client. You are one of two contacts who do not respond. All others (dozens) have responded to me since I have secure DANE emailing.

Best Regards,
Elmar
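
The "3 0 1" TLSA record from the forwarded mail (DANE-EE, full certificate, SHA-256), as an added example that is not part of the original messages: a Python sketch that parses a TLSA line as printed by dig or drill and checks a certificate against it for selector 0. The function names are assumptions of this example, and SAMPLE_PEM is a constructed stand-in, not a real certificate.

```python
import base64, hashlib, hmac

# RFC 6698 matching types: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
DIGESTS = {0: lambda b: b,
           1: lambda b: hashlib.sha256(b).digest(),
           2: lambda b: hashlib.sha512(b).digest()}
DIGEST_LEN = {1: 32, 2: 64}

def parse_tlsa(rr_line):
    """Parse one TLSA RR in presentation format (as printed by dig or drill)."""
    fields = rr_line.split()
    i = fields.index("TLSA")                       # ValueError if not a TLSA RR
    usage, selector, mtype = (int(x) for x in fields[i + 1:i + 4])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in DIGESTS:
        raise ValueError("unsupported TLSA parameters")
    data = bytes.fromhex("".join(fields[i + 4:]))  # hex may be split by whitespace
    if mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]:
        raise ValueError("digest length does not fit the matching type")
    return {"owner": fields[0], "usage": usage, "selector": selector,
            "mtype": mtype, "data": data}

def pem_to_der(pem):
    body = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(body))

def tlsa_matches(tlsa, cert_der):
    """Compare a certificate with the record; only selector 0 (full certificate)."""
    if tlsa["selector"] != 0:
        raise NotImplementedError("selector 1 needs the SubjectPublicKeyInfo bytes")
    return hmac.compare_digest(DIGESTS[tlsa["mtype"]](cert_der), tlsa["data"])

def make_tlsa(owner, cert_der, ttl=3600):
    """Build a '3 0 1' record line: DANE-EE, full certificate, SHA-256."""
    return f"{owner} {ttl} IN TLSA 3 0 1 {hashlib.sha256(cert_der).hexdigest()}"

# Record from the mail above, with the wrapped hash joined again
PAGE_RR = ("_443._tcp.elstel.org.   19819   IN      TLSA    3 0 1 "
           "a8edf0cacaf776acacdfe53564c51556ad325f03a369e4c8f4622b4dc5b06865")
# Constructed stand-in for a PEM file; the payload is NOT a real X.509 certificate
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed certificate bytes").decode()
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(make_tlsa("_443._tcp.example.org.", der))
    print("own record:", tlsa_matches(parse_tlsa(make_tlsa("x.", der)), der))
    print("mail record:", tlsa_matches(parse_tlsa(PAGE_RR), der))
```

With a real certificate, pass the PEM text of the server's leaf certificate to pem_to_der; a record with selector 1 would need the certificate's SubjectPublicKeyInfo bytes instead, which this example does not extract.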

