Dear readers of the debian-security mailing list,

I have recently described how to set up a secure emailing terminal at https://www.elstel.org/DANE/. Since then I have got dozens of replies from people who said that they did not receive my emails before, not even in the spam folder. There are only two people whom I could still not reach. One of them is Patrick Schleizer. He normally always responds to me but I know he is reading debian-security and that is why I have decided to write to you today. The email was on how easy it is to enable DANE for a custom domain: enable DNSSEC and provide a TLSA record. The other contact is Claudio Guarnieri. He also works in a security-related context. He appears not to have received my emails though I sent out the same email a dozen times.

Yours Sincerely,
Elmar Stellnberger

-------- Original message --------
Subject: Re: whonix.org DNSSEC/DANE
Date: 08.03.2020 07:55
From: estellnb@elstel.org
To: Patrick Schleizer <adrelanos@riseup.net>

On 29.12.2019 10:43, Elmar Stellnberger wrote:

Hello Patrick,

So if your domain supports DNSSEC, then DANE support is dead easy to get:
https://ssl-tools.net/tlsa-generator

I always use DANE-EE & Use full certificate. That is the easiest to check on the command line. My TLSA record then looks as follows:

$ drill m.root-servers.net +trusted-key=/usr/share/dns/root.key +topdown +sigchase TLSA _443._tcp.elstel.org | egrep -v "^$|^;"
_443._tcp.elstel.org. 19819 IN TLSA 3 0 1 a8edf0cacaf776acacdfe53564c51556ad325f03a369e4c8f4622b4dc5b06865

see also: https://www.iana.org/assignments/dane-parameters/dane-parameters.xhtml

this works too:
dig @$dns +trusted-key=/usr/share/dns/root.key +topdown +sigchase TLSA _443._tcp.$1

Wishing you a happy new year and a pleasant rest of the holidays,
Elmar

On 02.09.19 at 15:55, Patrick Schleizer wrote:

Elmar Stellnberger:
> P.S.: What about DANE support on whonix.org?
> I have seen that domain providers like inwx.de already support DNSSEC/DANE by now.

DNSSEC looks good.
https://dnssec-debugger.verisignlabs.com/whonix.org

DANE: not yet

In general: https://www.whonix.org/wiki/Privacy_Policy_Technical_Details

Well, it is just a Hetzner server. Nothing against Hetzner, but these days you cannot expect much security from any server provider.

-------- Original message --------
Subject: Re: analysis of a complete rootkit
Date: 08.03.2020 07:54
From: estellnb@elstel.org
To: Nex <nex@nex.sx>

Dear Claudio Guarnieri,

I just wanted to ask you whether you know about the current mass surveillance plaintiff against the BND? The EFF has said it could even become a legal precedent for US law. As you care about the analysis of rootkits I thought you could be interested. Please respond shortly to my email so that I will know whether you have received it. I have sent you this email now a dozen times without getting a reply. Please look at https://www.elstel.org/DANE/ and https://www.elstle.org/atea/ and at the message I will post on debian-security in some time on how to get a secure emailing client. You are one of two contacts who does not respond. All others (dozens) have responded to me since I have secure DANE emailing.

Best Regards, Elmar
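
The "3 0 1" record format quoted in the forwarded message (DANE-EE, full certificate, SHA-256) can be checked against a certificate offline. This is an added example, not part of the original e-mails; the function names are hypothetical and `SAMPLE_DER` is constructed stand-in data, not a real certificate.

```python
import hashlib
import hmac
import ssl

# Matching types from the IANA DANE parameters registry linked in the message.
MATCHING = {0: None, 1: hashlib.sha256, 2: hashlib.sha512}
# TLSA rdata exactly as printed in the drill output quoted in the message.
PAGE_RECORD = "3 0 1 a8edf0cacaf776acacdfe53564c51556ad325f03a369e4c8f4622b4dc5b06865"
# Constructed stand-in bytes, NOT a real certificate; only their digest matters.
SAMPLE_DER = b"constructed stand-in for a DER certificate"


def parse_tlsa(rdata):
    """Split 'usage selector mtype hexdata' into validated, typed fields."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("expected usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in range(4) or selector not in (0, 1) or mtype not in MATCHING:
        raise ValueError("unknown TLSA parameter")
    # dig and drill may print long data as several space-separated chunks.
    data = bytes.fromhex("".join(parts[3:]))
    if mtype and len(data) != MATCHING[mtype]().digest_size:
        raise ValueError("digest length does not fit the matching type")
    return usage, selector, mtype, data


def cert_matches_tlsa(cert, rdata):
    """Compare a certificate (PEM str or DER bytes) with a selector-0 record."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    if selector != 0:
        raise NotImplementedError("selector 1 (SPKI) needs an X.509 parser")
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    hash_fn = MATCHING[mtype]
    candidate = hash_fn(der).digest() if hash_fn else der
    return hmac.compare_digest(candidate, data)


def sample_record(der=SAMPLE_DER):
    """Build the '3 0 1' (DANE-EE, full certificate, SHA-256) rdata for der."""
    return "3 0 1 " + hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    print(parse_tlsa(PAGE_RECORD)[:3])                        # fields of the quoted record
    print(cert_matches_tlsa(SAMPLE_DER, sample_record()))     # unchanged certificate
    print(cert_matches_tlsa(b"other cert", sample_record()))  # replaced certificate
```

With a "3 0 1" record, any certificate renewal changes the digest, so the TLSA record has to be republished together with the new certificate.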