diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 1d6fcd1..299d531 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -7,7 +7,7 @@ jobs: strategy: matrix: os: [ ubuntu-latest, macos-latest, windows-latest ] - go: [ 1.15.x, 1.16.x ] + go: [ 1.21.x ] resolver: [ stub, unbound ] exclude: - os: windows-latest @@ -59,4 +59,4 @@ jobs: uses: coverallsapp/github-action@master with: github-token: ${{ secrets.github_token }} - parallel-finished: true \ No newline at end of file + parallel-finished: true diff --git a/README.md b/README.md index a783e8d..5470531 100644 --- a/README.md +++ b/README.md @@ -1,14 +1,13 @@ # Let's DANE + Coverage Status - + **Note: Let's DANE is still under development, use at your own risk.** - Let's DANE enables the use of [DANE (DNS Based Authentication of Named Entities)](https://tools.ietf.org/html/rfc6698) in browsers and other apps using a lightweight proxy. It currently supports DANE-EE and works with self-signed certificates. -



@@ -16,11 +15,10 @@ Let's DANE enables the use of [DANE (DNS Based Authentication of Named Entities)

-This domain is DNSSEC signed with ed25519 in an experimental decentralized alternate root zone, handshake.org. +This domain is DNSSEC signed with ed25519 in an experimental decentralized alternate root zone, handshake.org.

-

Let's DANE verified DNSSEC
@@ -32,16 +30,15 @@ torproject.org with DANE-EE validated certificate ## How it works - Let's DANE acts as a trusted intermediary between the browser and DANE enabled sites. It will check if a domain supports it, and generate a certificate on the fly if the authentication was successful. The connection will remain encrypted between you and the end server. If a website doesn't support DANE, its original certificate will be served instead. - You are essentially trusting your own private certificate authority. You can install it in your browser's CA store to issue certificates for successful DANE authentications. ## Features + - [x] Full DANE-EE support including self-signed certificates ([RFC6698](https://tools.ietf.org/html/rfc6698), [RFC7671](https://tools.ietf.org/html/rfc7671)) - [x] Client-side DNSSEC validation using libunbound -- [x] Prevents downgrade attacks to traditional CAs +- [x] Prevents downgrade attacks to traditional CAs - [x] Lightweight DANE tunnels that work with most protocols and with ALPN support. - [ ] Happy Eyeballs v2 ([RFC8305](https://tools.ietf.org/html/rfc8305)) @@ -49,8 +46,7 @@ You are essentially trusting your own private certificate authority. You can ins You can build the latest version from source for now. binaries in releases are not up to date yet. - -Go 1.15+ is required. (unbound is optional omit `-tags unbound` to use AD bit only) +Go 1.21+ is required. (unbound is optional omit `-tags unbound` to use AD bit only) ```bash apt install libunbound-dev @@ -58,24 +54,21 @@ git clone https://github.com/buffrr/letsdane.git && cd letsdane/cmd/letsdane go build -tags unbound ``` - ## Quick Usage -Let's DANE will generate a CA and store it in `~/.letsdane` when you start it for the first time. +Let's DANE will generate a CA and store it in `~/.letsdane` when you start it for the first time. To start the proxy server: - $ letsdane -r 1.1.1.1 - + letsdane -r 1.1.1.1 -* Add Let's DANE proxy to your web browser `127.0.0.1:8080` ([Firefox example](https://user-images.githubusercontent.com/41967894/117558156-8f5b2a00-b02f-11eb-98ba-91ce8a9bdd4a.png)) +- Add Let's DANE proxy to your web browser `127.0.0.1:8080` ([Firefox example](https://user-images.githubusercontent.com/41967894/117558156-8f5b2a00-b02f-11eb-98ba-91ce8a9bdd4a.png)) -* Import the certificate file into your browser certificate store ([Firefox example](https://user-images.githubusercontent.com/41967894/117558164-a7cb4480-b02f-11eb-93ed-678f81f25f2e.png)). You can use `letsdane -o myca.crt` to export the public cert file to a convenient location. +- Import the certificate file into your browser certificate store ([Firefox example](https://user-images.githubusercontent.com/41967894/117558164-a7cb4480-b02f-11eb-93ed-678f81f25f2e.png)). You can use `letsdane -o myca.crt` to export the public cert file to a convenient location. -If you don't specify a resolver, letsdane will use the system resolver settings from `/etc/resolv.conf` and fallback to root hints. +If you don't specify a resolver, letsdane will use the system resolver settings from `/etc/resolv.conf` and fallback to root hints. If letsdane is compiled with libunbound, all queries are DNSSEC validated with a hardcoded ICANN 2017 KSK (you can set trust anchor file by setting `-anchor` option) -Use `letsdane -help` to see command line options. - +Use `letsdane -help` to see command line options. ## Using with Handshake root zone @@ -83,25 +76,21 @@ Currently, there are two ways to use letsdane with Handshake: ### 1. Using hsd/hnsd (recommended) +You can use [hsd](https://github.com/handshake-org/hsd) or [hnsd](https://github.com/handshake-org/hnsd). Specify address:port of the handshake resolver. You must have it local on your machine or use sig0. -You can use [hsd](https://github.com/handshake-org/hsd) or [hnsd](https://github.com/handshake-org/hnsd). Specify address:port of the handshake resolver. You must have it local on your machine or use sig0. - -Optionally use `-skip-icann` to skip TLSA lookups for ICANN tlds and prevent the generated CA from issuing certificates for ICANN tlds (recommended hnsd is still experimental and also this will not break some legacy domains using poorly configured nameservers). +Optionally use `-skip-icann` to skip TLSA lookups for ICANN tlds and prevent the generated CA from issuing certificates for ICANN tlds (recommended hnsd is still experimental and also this will not break some legacy domains using poorly configured nameservers). Assuming hnsd is listening on '127.0.0.1:5350' - $ letsdane -r 127.0.0.1:5350 -skip-dnssec -skip-icann - + letsdane -r 127.0.0.1:5350 -skip-dnssec -skip-icann -* Add Let's DANE proxy to your web browser `127.0.0.1:8080` ([Firefox example](https://user-images.githubusercontent.com/41967894/117558156-8f5b2a00-b02f-11eb-98ba-91ce8a9bdd4a.png)) - -* Import the certificate file into your browser certificate store ([Firefox example](https://user-images.githubusercontent.com/41967894/117558164-a7cb4480-b02f-11eb-93ed-678f81f25f2e.png)). You can use `letsdane -o myca.crt` to export the public cert file to a convenient location. +- Add Let's DANE proxy to your web browser `127.0.0.1:8080` ([Firefox example](https://user-images.githubusercontent.com/41967894/117558156-8f5b2a00-b02f-11eb-98ba-91ce8a9bdd4a.png)) +- Import the certificate file into your browser certificate store ([Firefox example](https://user-images.githubusercontent.com/41967894/117558164-a7cb4480-b02f-11eb-93ed-678f81f25f2e.png)). You can use `letsdane -o myca.crt` to export the public cert file to a convenient location. If you use hsd, you can optionally use sig0 by specifying the public key `public_key@ip:port` - $ letsdane -r aj7bjss4ae6hd3kdxzl4f6klirzla377uifxu5mnzczzk2v7p76ek@192.168.1.22:5350 -skip-icann - + letsdane -r aj7bjss4ae6hd3kdxzl4f6klirzla377uifxu5mnzczzk2v7p76ek@192.168.1.22:5350 -skip-icann Firefox creates a separate CA store for each profile, so it's recommended to use that if you want the CA to only be trusted by a specific profile. @@ -109,35 +98,30 @@ Firefox creates a separate CA store for each profile, so it's recommended to use You can use any DoH resolver **that you trust**. The resolver must support Handshake if you want Handshake domains to work. - ``` -$ letsdane -r https://easyhandshake.com:8053 -skip-dnssec -skip-icann +letsdane -r https://easyhandshake.com:8053 -skip-dnssec -skip-icann ``` +- Add Let's DANE proxy to your web browser `127.0.0.1:8080` ([Firefox example](https://user-images.githubusercontent.com/41967894/117558156-8f5b2a00-b02f-11eb-98ba-91ce8a9bdd4a.png)) -* Add Let's DANE proxy to your web browser `127.0.0.1:8080` ([Firefox example](https://user-images.githubusercontent.com/41967894/117558156-8f5b2a00-b02f-11eb-98ba-91ce8a9bdd4a.png)) - -* Import the certificate file into your browser certificate store ([Firefox example](https://user-images.githubusercontent.com/41967894/117558164-a7cb4480-b02f-11eb-93ed-678f81f25f2e.png)). You can use `letsdane -o myca.crt` to export the public cert file to a convenient location. - +- Import the certificate file into your browser certificate store ([Firefox example](https://user-images.githubusercontent.com/41967894/117558164-a7cb4480-b02f-11eb-93ed-678f81f25f2e.png)). You can use `letsdane -o myca.crt` to export the public cert file to a convenient location. ### DANE-EE Sites - -* FreeBSD: https://freebsd.org -* Tor Project: https://torproject.org + +- FreeBSD: +- Tor Project: handshake -* https://3b -* https://letsdane -* https://proofofconcept -* https://humbly +- +- +- +- ### DANE Tools - -* danectl: https://raf.org/danectl (helper tool for certbot & letsencrypt) -* other: https://www.huque.com/pages/tools.html (various DANE tools) - +- danectl: (helper tool for certbot & letsencrypt) +- other: (various DANE tools) ## Docker @@ -157,15 +141,14 @@ To start a container with proxy on port `8080` with certs in the dane directory --restart unless-stopped \ letsdane -verbose - ## Threat Model -The proxy is intended to be installed locally on your machine, and the generated CA should only be used on that machine. letsdane assumes that your user account is secure (even without letsdane, your user account must not be compromised to be able to use a browser securely) +The proxy is intended to be installed locally on your machine, and the generated CA should only be used on that machine. letsdane assumes that your user account is secure (even without letsdane, your user account must not be compromised to be able to use a browser securely) ## Use of resolvers -letsdane uses libunbound to validate DNSSEC, so you don't need to trust any dns provider. -If you already have a local DNSSEC capable resolver, and you don't want letsdane to validate dnssec for you, +letsdane uses libunbound to validate DNSSEC, so you don't need to trust any dns provider. +If you already have a local DNSSEC capable resolver, and you don't want letsdane to validate dnssec for you, you can use `-skip-dnssec` (you should know what you're doing because this can be dangerous!) If you use `-skip-dnssec`, letsdane will use the Authenticated Data flag. @@ -175,12 +158,11 @@ If you use `-skip-dnssec`, letsdane will use the Authenticated Data flag. I wanted to try DANE, but no browser currently supports it. It may still be a long way to go for browser support, but if you want to try it now you can! ## Contributing -Contributions are welcome! + +Contributions are welcome! ## Credits Thanks to the awesome [miekg/dns](https://github.com/miekg/dns) package. Even though TLS proxies are not new, the [GNU Naming System](https://gnunet.org/en/gns.html) has prior art on this since they also use a TLS proxy to make their domains work in other applications, but their naming system is very different from traditional DNS. - - diff --git a/go.mod b/go.mod index 7560b30..a9cb0f0 100644 --- a/go.mod +++ b/go.mod @@ -1,9 +1,16 @@ module github.com/buffrr/letsdane -go 1.15 +go 1.21 require ( github.com/buffrr/hsig0 v0.0.0-20200928223456-eca10c3b5481 github.com/miekg/dns v1.1.31 github.com/miekg/unbound v0.0.0-20180419064740-e2b53b2dbcba ) + +require ( + github.com/decred/dcrd/dcrec/secp256k1/v3 v3.0.0 // indirect + golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a // indirect + golang.org/x/net v0.0.0-20190923162816-aa69164e4478 // indirect + golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe // indirect +)