Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

use Go1.21 #30

Merged
merged 3 commits into from
Oct 20, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@ jobs:
strategy:
matrix:
os: [ ubuntu-latest, macos-latest, windows-latest ]
go: [ 1.15.x, 1.16.x ]
go: [ 1.21.x ]
resolver: [ stub, unbound ]
exclude:
- os: windows-latest
Expand Down Expand Up @@ -59,4 +59,4 @@ jobs:
uses: coverallsapp/github-action@master
with:
github-token: ${{ secrets.github_token }}
parallel-finished: true
parallel-finished: true
88 changes: 35 additions & 53 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,26 +1,24 @@
# Let's DANE

<a href="https://goreportcard.com/report/github.com/buffrr/letsdane"><img src="https://goreportcard.com/badge/github.com/buffrr/letsdane"/></a>
<a href='https://coveralls.io/github/buffrr/letsdane?branch=master'><img src='https://coveralls.io/repos/github/buffrr/letsdane/badge.svg?branch=master' alt='Coverage Status' /></a>
<a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache%202.0-blue.svg"/></a>
<a href="LICENSE"><img src="https://img.shields.io/badge/license-Apache%202.0-blue.svg"/></a>

**Note: Let's DANE is still under development, use at your own risk.**


Let's DANE enables the use of [DANE (DNS Based Authentication of Named Entities)](https://tools.ietf.org/html/rfc6698) in browsers and other apps using a lightweight proxy. It currently supports DANE-EE and works with self-signed certificates.


<p align="center">
<br>
<br>
<img src="https://user-images.githubusercontent.com/41967894/117558135-46a37100-b02f-11eb-8bda-80d26b7acba2.png" width="450px" alt="Let's DANE Handshake"/>
</p>

<p align="center">
This domain is DNSSEC signed with <a href="https://ed25519.nl/">ed25519</a> in an experimental decentralized alternate root zone, handshake.org.
This domain is DNSSEC signed with <a href="https://ed25519.nl/">ed25519</a> in an experimental decentralized alternate root zone, handshake.org.
<br><br>
</p>


<p align="center">
<img src="https://user-images.githubusercontent.com/41967894/117558143-5fac2200-b02f-11eb-8222-5dc41033b3f4.png" width="450px" alt="Let's DANE verified DNSSEC"/><br/>

Expand All @@ -32,112 +30,98 @@ torproject.org with DANE-EE validated certificate

## How it works


Let's DANE acts as a trusted intermediary between the browser and DANE enabled sites. It will check if a domain supports it, and generate a certificate on the fly if the authentication was successful. The connection will remain encrypted between you and the end server. If a website doesn't support DANE, its original certificate will be served instead.


You are essentially trusting your own private certificate authority. You can install it in your browser's CA store to issue certificates for successful DANE authentications.

## Features

- [x] Full DANE-EE support including self-signed certificates ([RFC6698](https://tools.ietf.org/html/rfc6698), [RFC7671](https://tools.ietf.org/html/rfc7671))
- [x] Client-side DNSSEC validation using libunbound
- [x] Prevents downgrade attacks to traditional CAs
- [x] Prevents downgrade attacks to traditional CAs
- [x] Lightweight DANE tunnels that work with most protocols and with ALPN support.
- [ ] Happy Eyeballs v2 ([RFC8305](https://tools.ietf.org/html/rfc8305))

## Build from source

You can build the latest version from source for now. binaries in releases are not up to date yet.


Go 1.15+ is required. (unbound is optional omit `-tags unbound` to use AD bit only)
Go 1.21+ is required. (unbound is optional omit `-tags unbound` to use AD bit only)

```bash
apt install libunbound-dev
git clone https://github.com/buffrr/letsdane.git && cd letsdane/cmd/letsdane
go build -tags unbound
```


## Quick Usage

Let's DANE will generate a CA and store it in `~/.letsdane` when you start it for the first time.
Let's DANE will generate a CA and store it in `~/.letsdane` when you start it for the first time.
To start the proxy server:

$ letsdane -r 1.1.1.1

letsdane -r 1.1.1.1

* Add Let's DANE proxy to your web browser `127.0.0.1:8080` ([Firefox example](https://user-images.githubusercontent.com/41967894/117558156-8f5b2a00-b02f-11eb-98ba-91ce8a9bdd4a.png))
- Add Let's DANE proxy to your web browser `127.0.0.1:8080` ([Firefox example](https://user-images.githubusercontent.com/41967894/117558156-8f5b2a00-b02f-11eb-98ba-91ce8a9bdd4a.png))

* Import the certificate file into your browser certificate store ([Firefox example](https://user-images.githubusercontent.com/41967894/117558164-a7cb4480-b02f-11eb-93ed-678f81f25f2e.png)). You can use `letsdane -o myca.crt` to export the public cert file to a convenient location.
- Import the certificate file into your browser certificate store ([Firefox example](https://user-images.githubusercontent.com/41967894/117558164-a7cb4480-b02f-11eb-93ed-678f81f25f2e.png)). You can use `letsdane -o myca.crt` to export the public cert file to a convenient location.

If you don't specify a resolver, letsdane will use the system resolver settings from `/etc/resolv.conf` and fallback to root hints.
If you don't specify a resolver, letsdane will use the system resolver settings from `/etc/resolv.conf` and fallback to root hints.
If letsdane is compiled with libunbound, all queries are DNSSEC validated with a hardcoded ICANN 2017 KSK (you can set trust anchor file by setting `-anchor` option)

Use `letsdane -help` to see command line options.

Use `letsdane -help` to see command line options.

## Using with Handshake root zone

Currently, there are two ways to use letsdane with Handshake:

### 1. Using hsd/hnsd (recommended)

You can use [hsd](https://github.com/handshake-org/hsd) or [hnsd](https://github.com/handshake-org/hnsd). Specify address:port of the handshake resolver. You must have it local on your machine or use sig0.

You can use [hsd](https://github.com/handshake-org/hsd) or [hnsd](https://github.com/handshake-org/hnsd). Specify address:port of the handshake resolver. You must have it local on your machine or use sig0.

Optionally use `-skip-icann` to skip TLSA lookups for ICANN tlds and prevent the generated CA from issuing certificates for ICANN tlds (recommended hnsd is still experimental and also this will not break some legacy domains using poorly configured nameservers).
Optionally use `-skip-icann` to skip TLSA lookups for ICANN tlds and prevent the generated CA from issuing certificates for ICANN tlds (recommended hnsd is still experimental and also this will not break some legacy domains using poorly configured nameservers).

Assuming hnsd is listening on '127.0.0.1:5350'

$ letsdane -r 127.0.0.1:5350 -skip-dnssec -skip-icann

letsdane -r 127.0.0.1:5350 -skip-dnssec -skip-icann

* Add Let's DANE proxy to your web browser `127.0.0.1:8080` ([Firefox example](https://user-images.githubusercontent.com/41967894/117558156-8f5b2a00-b02f-11eb-98ba-91ce8a9bdd4a.png))

* Import the certificate file into your browser certificate store ([Firefox example](https://user-images.githubusercontent.com/41967894/117558164-a7cb4480-b02f-11eb-93ed-678f81f25f2e.png)). You can use `letsdane -o myca.crt` to export the public cert file to a convenient location.
- Add Let's DANE proxy to your web browser `127.0.0.1:8080` ([Firefox example](https://user-images.githubusercontent.com/41967894/117558156-8f5b2a00-b02f-11eb-98ba-91ce8a9bdd4a.png))

- Import the certificate file into your browser certificate store ([Firefox example](https://user-images.githubusercontent.com/41967894/117558164-a7cb4480-b02f-11eb-93ed-678f81f25f2e.png)). You can use `letsdane -o myca.crt` to export the public cert file to a convenient location.

If you use hsd, you can optionally use sig0 by specifying the public key `public_key@ip:port`

$ letsdane -r aj7bjss4ae6hd3kdxzl4f6klirzla377uifxu5mnzczzk2v7p76ek@192.168.1.22:5350 -skip-icann

letsdane -r aj7bjss4ae6hd3kdxzl4f6klirzla377uifxu5mnzczzk2v7p76ek@192.168.1.22:5350 -skip-icann

Firefox creates a separate CA store for each profile, so it's recommended to use that if you want the CA to only be trusted by a specific profile.

### 2. Using DoH

You can use any DoH resolver **that you trust**. The resolver must support Handshake if you want Handshake domains to work.


```
$ letsdane -r https://easyhandshake.com:8053 -skip-dnssec -skip-icann
letsdane -r https://easyhandshake.com:8053 -skip-dnssec -skip-icann
```

- Add Let's DANE proxy to your web browser `127.0.0.1:8080` ([Firefox example](https://user-images.githubusercontent.com/41967894/117558156-8f5b2a00-b02f-11eb-98ba-91ce8a9bdd4a.png))

* Add Let's DANE proxy to your web browser `127.0.0.1:8080` ([Firefox example](https://user-images.githubusercontent.com/41967894/117558156-8f5b2a00-b02f-11eb-98ba-91ce8a9bdd4a.png))

* Import the certificate file into your browser certificate store ([Firefox example](https://user-images.githubusercontent.com/41967894/117558164-a7cb4480-b02f-11eb-93ed-678f81f25f2e.png)). You can use `letsdane -o myca.crt` to export the public cert file to a convenient location.

- Import the certificate file into your browser certificate store ([Firefox example](https://user-images.githubusercontent.com/41967894/117558164-a7cb4480-b02f-11eb-93ed-678f81f25f2e.png)). You can use `letsdane -o myca.crt` to export the public cert file to a convenient location.

### DANE-EE Sites
* FreeBSD: https://freebsd.org
* Tor Project: https://torproject.org

- FreeBSD: <https://freebsd.org>
- Tor Project: <https://torproject.org>

handshake

* https://3b
* https://letsdane
* https://proofofconcept
* https://humbly
- <https://3b>
- <https://letsdane>
- <https://proofofconcept>
- <https://humbly>

### DANE Tools


* danectl: https://raf.org/danectl (helper tool for certbot & letsencrypt)
* other: https://www.huque.com/pages/tools.html (various DANE tools)

- danectl: <https://raf.org/danectl> (helper tool for certbot & letsencrypt)
- other: <https://www.huque.com/pages/tools.html> (various DANE tools)

## Docker

Expand All @@ -157,15 +141,14 @@ To start a container with proxy on port `8080` with certs in the dane directory
--restart unless-stopped \
letsdane -verbose


## Threat Model
The proxy is intended to be installed locally on your machine, and the generated CA should only be used on that machine. letsdane assumes that your user account is secure (even without letsdane, your user account must not be compromised to be able to use a browser securely)

The proxy is intended to be installed locally on your machine, and the generated CA should only be used on that machine. letsdane assumes that your user account is secure (even without letsdane, your user account must not be compromised to be able to use a browser securely)

## Use of resolvers

letsdane uses libunbound to validate DNSSEC, so you don't need to trust any dns provider.
If you already have a local DNSSEC capable resolver, and you don't want letsdane to validate dnssec for you,
letsdane uses libunbound to validate DNSSEC, so you don't need to trust any dns provider.
If you already have a local DNSSEC capable resolver, and you don't want letsdane to validate dnssec for you,
you can use `-skip-dnssec` (you should know what you're doing because this can be dangerous!)

If you use `-skip-dnssec`, letsdane will use the Authenticated Data flag.
Expand All @@ -175,12 +158,11 @@ If you use `-skip-dnssec`, letsdane will use the Authenticated Data flag.
I wanted to try DANE, but no browser currently supports it. It may still be a long way to go for browser support, but if you want to try it now you can!

## Contributing
Contributions are welcome!

Contributions are welcome!

## Credits

Thanks to the awesome [miekg/dns](https://github.com/miekg/dns) package.

Even though TLS proxies are not new, the [GNU Naming System](https://gnunet.org/en/gns.html) has prior art on this since they also use a TLS proxy to make their domains work in other applications, but their naming system is very different from traditional DNS.


9 changes: 8 additions & 1 deletion go.mod
Original file line number Diff line number Diff line change
@@ -1,9 +1,16 @@
module github.com/buffrr/letsdane

go 1.15
go 1.21

require (
github.com/buffrr/hsig0 v0.0.0-20200928223456-eca10c3b5481
github.com/miekg/dns v1.1.31
github.com/miekg/unbound v0.0.0-20180419064740-e2b53b2dbcba
)

require (
github.com/decred/dcrd/dcrec/secp256k1/v3 v3.0.0 // indirect
golang.org/x/crypto v0.0.0-20200820211705-5c72a883971a // indirect
golang.org/x/net v0.0.0-20190923162816-aa69164e4478 // indirect
golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe // indirect
)
Loading