Monthly Archives: March 2015

DNSSec DANE and hosteurope – impossible to host secure services.

They do not support DNSSec. That’s bad.

I host my family’s e-mail server, which is a combination of dovecot, postfix, postgrey, nginx, webmailer, etc. It highly depends on CA-trusted SSL/TLS encryption and, in order not to be filtered by spam filters, on the credibility of not being spam. Therefore I also host my own nameserver with a glue record and set several important records in it, and offer several DNSSec records to provide a reliable chain of trust – with one point of failure: hosteurope.

They are not capable of connecting my chain to the registrar authority by publishing my DS record.
Therefore every authority, bad-mood admin or hacker can interrupt the DNS pathfinding of clients or usual mail servers and man-in-the-middle my setup, generate fake certificates and read my family’s mail. Thanks to ‘being economically not relevant and therefore nothing we offer’ hosteurope.

In conclusion, all the things I’ve done to increase security have been for nothing – at least until I change my domain host. Which I will do, and I would highly advise it to everyone who wants to harden their infrastructure after the NSA scandal.