Uncle Sam emits DNS email security guide – now speak your brains

The US National Cybersecurity Center of Excellence (NCCoE) has published a guide on how to improve email security – and it wants your feedback on it. The center is part of NIST – America's National Institute of Standards and Technology – which is itself part of the US Department of Commerce. The NCCoE has put out its "draft …

  1. Drew 11

    Fingers crossed this convinces the browser operators to finally bake DANE into their offerings.

    Are you in Hyderabad, Kieran? Anyone from Mozilla there? How about cornering the Google rep and asking for a comment regarding their lack of DANE support? :^)

    1. Eddy Ito

      Chrome had DNSSEC support but it has been removed. It seems to have suffered the chicken-and-egg problem.

  2. Andrew Commons

    The goal of this project is to help organizations

    Consumers are still left out in the cold. Until such time as we see end-to-end measures widespread at the consumer level, email will still be the playground of the criminals.

  3. JunkEb

    Really?

    "President Clinton"? The election is a week away yet and the race isn't even close to being won.

    1. Version 1.0

      Re: Really?

      True, if it's anything like the 2000 election we may not know until December - and, since the Supreme Court is short a vote, maybe not even then.

      Whoever wins - it's certain that it's going to be a shitstorm.

    2. Robert Carnegie

      President Clinton

      They said "we're betting" that will be the case, but they also may have meant the other President Clinton. Or Prime Minister George Clinton. Or Vice-President George Clinton. But some of these answers are unlikely.

  4. streaky

    Crypto.

    NSA must love that.

    Serious note: isn't all this standard practice? Much as I'd like to go through it and tear shreds, at first glance the bullet points certainly are.

  5. Anonymous Coward

    Cliff Notes please

    241 pages? Can I get a section that actually explains how to configure the handful of servers I use (BIND, Postfix, Dovecot) to support all that fun encryption stuff (DNSSEC, server2server mail encryption).

    Yes, I see there's a huge section on how to configure a lot of those common servers, but some of them are really lacking. The BIND, Postfix, and Dovecot sections alone spend almost all of their time explaining compile switches and almost none on the actual configuration. It doesn't even mention DNSSEC for BIND.

    1. Matt34

      Re: Cliff Notes please

      Implementing DNSSEC using Bind 9.9.X or 9.10.X would require scripts to sign and re-sign every time you change your zone files. Bind 9.11.X includes a degree of automation, policy enforcement and a soft HSM to store the private portions of your Key Signing Keys and Zone Signing Keys. If you are a commercial organisation I would suggest you consider using Infoblox, which makes DNSSEC zone signing a single button press, and you can integrate with hardware HSMs so the signing process is off the box.

      Using a cloud-based DNS service provider would allow you to sign your zones, add TLSA records to validate your self-signed CA public certificate and server certificates, add SSH fingerprints (SSHFP records), certificate records (CERT records), CDKEY and CDS records. Unfortunately, as a prime target for compromise, the provider will get hacked.
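As an added example, not code from the thread or from the NCCoE guide: the TLSA record Matt34 mentions for a self-signed server certificate, built with the DANE-EE / SPKI / SHA-256 parameters (3 1 1) that RFC 7672 recommends for SMTP, plus the matching check a DANE-aware SMTP client performs against a DNSSEC-validated TLSA RRset. The hostname and the SubjectPublicKeyInfo bytes are constructed placeholders; publishing both the old and the new record during a key rollover keeps this check passing throughout.

```python
import hashlib
from typing import Iterable, Tuple

# TLSA parameter values (RFC 6698); "3 1 1" is the SMTP recommendation in RFC 7672.
DANE_EE, SPKI, SHA256, SHA512 = 3, 1, 1, 2

TlsaRdata = Tuple[int, int, int, str]  # (usage, selector, matching type, hex digest)


def tlsa_rdata(spki_der: bytes, usage: int = DANE_EE, selector: int = SPKI,
               mtype: int = SHA256) -> TlsaRdata:
    """Build TLSA rdata from a DER-encoded SubjectPublicKeyInfo.

    Only selector 1 (SPKI) is handled: the caller extracts the SPKI from the
    certificate it is about to deploy and passes the raw DER bytes.
    """
    if selector != SPKI:
        raise ValueError("this example only handles selector 1 (SPKI)")
    if mtype == SHA256:
        digest = hashlib.sha256(spki_der).hexdigest()
    elif mtype == SHA512:
        digest = hashlib.sha512(spki_der).hexdigest()
    else:
        raise ValueError("unsupported matching type %d" % mtype)
    return usage, selector, mtype, digest


def tlsa_record(host: str, spki_der: bytes, port: int = 25) -> str:
    """Zone-file line for the MX host; the owner name is _<port>._tcp.<host>."""
    u, s, m, d = tlsa_rdata(spki_der)
    return "_%d._tcp.%s. IN TLSA %d %d %d %s" % (port, host, u, s, m, d)


def dane_matches(presented_spki_der: bytes, rrset: Iterable[TlsaRdata]) -> bool:
    """Accept the presented SPKI if any usable DANE-EE/SPKI record matches.

    The RRset must already have been DNSSEC-validated by the resolver;
    an unvalidated RRset gives no assurance at all.  Usages 0-2 need chain
    building against the server's certificate chain and are skipped here.
    """
    for usage, selector, mtype, digest in rrset:
        if usage != DANE_EE or selector != SPKI:
            continue
        try:
            if tlsa_rdata(presented_spki_der, usage, selector, mtype)[3] == digest.lower():
                return True
        except ValueError:
            continue  # unknown matching type: treat the record as unusable
    return False


# Constructed placeholder standing in for mail.example.com's DER-encoded SPKI.
SAMPLE_SPKI = b"\x30\x82\x01\x22\x30\x0d\x06\x09" + b"\x00" * 24
```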

  6. Anonymous Coward

    A good start...

    Would be to get an e-mail encryption standard adopted. I use PGP mail from a Mac (which supports what's suggested), but Outlook just tags signed messages with an icon to show they are signed - this might sound good, but it doesn't actually verify the signature...

  7. sequester

    Because DNS works so well. All the fancy little schemes abusing DNS seem to be based around the idea of DNSSEC which, so far, has massive issues (ISP caches break every time keys roll over, management is a nightmare, registries even more so). Looking at the enthusiasm of providers to implement or support that abortion, it may not be something you'll want to base your communication on.

    As a first step, it would be nice if it was possible to use TLS between mail servers, but even that fails horribly with many servers not even supporting TLS 1.0 (try using ECDSA or even just SHA-2 on your production systems, I dare you) and not falling back to unencrypted transport when they realise that your system doesn't support export ciphers or other stone-age shenanigans.

  8. captain_solo

    You almost have to resort to kernel-level SSL or some hardware-assisted method to achieve machine-to-machine encryption even inside your own network, because the compatibility issues in software are ridiculous; plus then passing that traffic through different load balancers, routers, etc., and trying to communicate without having to strip the SSL or offload the certs to a network device seems like something that many enterprises are unable to figure out.

    I have worked with a third-party card on Linux systems, and the built-in on-chip encryption on Sun SPARC, but even there it's an alphabet soup of supported certs and protocols and you are lucky if your software supports the methods you can offload to those devices.
