[dns-operations] Another whitepaper on DDOS
john
jbond at ripe.net
Fri Mar 8 15:22:43 UTC 2013
On 2/24/13 12:23 AM, Vernon Schryver wrote:
> I wonder if DANE could have prevented Microsoft's recent difficulty
> with expired SSL certs.
> https://www.google.com/search?tbm=nws&as_q=microsoft+azure+ssl
> Instead of an annual bout with internal purchase order and invoice red
> tape and with red tape at the CA, could Microsoft have automated the
> generation of certs and fingerprint TLSA RRs just as many automate
> their generation of zone signing RRSIG RRs?
> (Never mind that microsoft.com lacks RRSIG RRs.)
I started working on something like this using cfengine. Creating the
certificates, checking the expiry and regenerating a certificate is
fairly trivial[1]. I didn't get around to automating the publication of
the TLSA as the requirements changed a little. However, this was the high
level process I was thinking of.
* When the certificate is due to expire in 30 or fewer days, generate a new
one (with a different name, $cert.new)
* Add the new TLSA record to the zone
* Have a cron job that queries for the TLSA periodically
* If there are 2 TLSA records
- check the website to see which cert is currently in use
- check for the .new file and validate that it is the other cert
* Create some state, i.e. NEW TLSA added at X
* If (current time - X) > TTL
- move the new certificate to the correct location
- restart the web server
- remove the old TLSA
Like I said, I didn't get around to implementing this, so I'm sure there
will be some flaws.
Regards
John
[1]http://pastebin.com/31impqkc
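As an added example (not the poster's cfengine code, and not part of the original thread), the decision logic of the rollover process sketched above, written as a stand-alone Python state machine. It assumes "3 0 1" TLSA records (DANE-EE, full certificate, SHA-256), so the rdata is just a SHA-256 over the DER bytes and no X.509 parsing is needed; the certificate bytes and the TTL are constructed stand-ins, and the side effects (generating a cert, editing the zone, probing the web server, restarting it) are returned as action names for the surrounding automation to carry out.

```python
"""TLSA rollover state machine (stdlib only).

Added example, not the cfengine code referenced in the post. Certificates
are represented by their DER bytes; the TLSA rdata is computed as
DANE-EE(3) / full certificate(0) / SHA-256(1). Cert generation, zone
edits, the HTTPS probe and the web-server restart are the caller's job
and are represented here as returned action strings.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

RENEW_WINDOW = timedelta(days=30)   # "due to expire in 30 or fewer days"


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 0,
               mtype: int = 1) -> str:
    """Return TLSA rdata for a certificate as it would appear in the zone.

    Only selector 0 (full certificate) with matching type 1 (SHA-256) is
    implemented; selector 1 (SubjectPublicKeyInfo) would need DER parsing.
    """
    if (selector, mtype) != (0, 1):
        raise NotImplementedError("only '<usage> 0 1' records are supported here")
    return f"{usage} {selector} {mtype} {hashlib.sha256(cert_der).hexdigest()}"


@dataclass
class Snapshot:
    now: datetime
    current_cert: bytes            # cert installed in the web server
    current_not_after: datetime    # its notAfter
    served_cert: bytes             # what an HTTPS probe actually returned
    published_tlsa: Set[str]       # TLSA rdata currently visible in DNS
    tlsa_ttl: int                  # TTL of the TLSA RRset, in seconds
    new_cert: Optional[bytes] = None              # $cert.new, once generated
    new_tlsa_added_at: Optional[datetime] = None  # state: "NEW TLSA added at X"


def next_action(s: Snapshot) -> str:
    """Decide the single next step of the rollover from the observed state."""
    cur = tlsa_rdata(s.current_cert)
    # Before doing anything, the cert actually being served must be covered
    # by a published TLSA record, otherwise DANE validators are already failing.
    if tlsa_rdata(s.served_cert) not in s.published_tlsa:
        return "alarm: served certificate has no matching TLSA record"
    if s.new_cert is None:
        if s.current_not_after - s.now <= RENEW_WINDOW:
            return "generate-new-cert"
        return "nothing"
    new = tlsa_rdata(s.new_cert)
    if new not in s.published_tlsa:
        return "publish-new-tlsa"
    # Two records are published: they must be exactly the served cert and
    # the .new cert, as the "if there are 2 TLSA records" step checks.
    if s.published_tlsa != {cur, new} or s.served_cert != s.current_cert:
        return "alarm: unexpected TLSA set or served certificate"
    if s.new_tlsa_added_at is None:
        return "record-state"      # write "NEW TLSA added at <now>"
    # Only switch once every resolver can have expired the old RRset.
    if (s.now - s.new_tlsa_added_at).total_seconds() <= s.tlsa_ttl:
        return "wait"
    return "activate-new-cert"     # move .new into place, restart, drop old TLSA


# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
OLD_CERT = b"-- constructed DER bytes: old certificate --"
NEW_CERT = b"-- constructed DER bytes: new certificate --"


def demo() -> List[str]:
    """Walk one rollover through the state machine and return the actions taken."""
    t0 = datetime(2013, 3, 8, 15, 0, tzinfo=timezone.utc)
    expiry = t0 + timedelta(days=20)        # inside the 30-day window
    ttl = 3600
    zone = {tlsa_rdata(OLD_CERT)}           # the zone's TLSA RRset
    s = Snapshot(t0, OLD_CERT, expiry, OLD_CERT, zone, ttl)
    steps = [next_action(s)]                # generate-new-cert
    s.new_cert = NEW_CERT
    steps.append(next_action(s))            # publish-new-tlsa
    zone.add(tlsa_rdata(NEW_CERT))
    steps.append(next_action(s))            # record-state
    s.new_tlsa_added_at = t0
    s.now = t0 + timedelta(minutes=30)
    steps.append(next_action(s))            # wait (TTL not yet elapsed)
    s.now = t0 + timedelta(seconds=ttl + 1)
    steps.append(next_action(s))            # activate-new-cert
    return steps


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The TTL check measures from when the new record became visible on the authoritative servers, not from when the zone file was edited locally; if secondaries are slow to transfer, the clock for "NEW TLSA added at X" should start when a query against each authoritative server returns both records. The two "alarm" branches are the point of the cron-job validation step: a rollover that restarts the server before the new record has propagated, or that finds an unexpected record in the RRset, should stop rather than proceed.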