power-mailinabox/setup
Joshua Tauberer 178c587654 Migrate to the ECDSAP256SHA256 (13) DNSSEC algorithm
* Stop generating RSASHA1-NSEC3-SHA1 keys on new installs since it is no longer recommended, but preserve the key on existing installs so that we continue to sign zones with existing keys to retain the chain of trust with existing DS records.
* Start generating ECDSAP256SHA256 keys during setup, the current best practice (in addition to RSASHA256 which is also ok). See https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1 and https://www.cloudflare.com/dns/dnssec/ecdsa-and-dnssec/.
* Sign zones using all available keys rather than choosing just one based on the TLD to enable rotation/migration to the new key and to give the user some options since not every registrar/TLD supports every algorithm.
* Allow a user to drop a key from signing specific domains using DOMAINS= in our key configuration file. Signing the zones with extraneous keys may increase the size of DNS responses, which isn't ideal, although I don't know if this is a problem in practice. (Although a user can delete the RSASHA1-NSEC3-SHA1 key file, the other keys will be re-generated on upgrade.)
* When generating zonefiles, add a hash of all of the DNSSEC signing keys so that when the keys change the zone is definitely regenerated and re-signed.
* In status checks, if DNSSEC is not active (or not valid), offer to use all of the keys that have been generated (for RSASHA1-NSEC3-SHA1 on existing installs, RSASHA256, and now ECDSAP256SHA256) with all digest types, since not all registrars support everything, but list them in an order that guides users to the best practice.
* In status checks, if the deployed DS record doesn't use an ECDSAP256SHA256 key, prompt the user to update their DS record.
* In status checks, if multiple DS records are set, only fail if none are valid. If some use ECDSAP256SHA256 and some don't, remind the user to delete the DS records that don't.
* Don't fail if the DS record uses the SHA384 digest (by pre-generating a DS record with that digest type) but don't recommend it because it is not in the IANA mandatory list yet (https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml).

See #1953
2021-04-12 19:42:12 -04:00
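The commit above describes two things a practitioner may want to see spelled out: how a DS record is derived from a DNSKEY (so the box can offer every algorithm/digest combination a registrar might accept) and the decision rule the status check applies to whatever DS records are actually deployed. The block below is an added example and is not code from power-mailinabox; the key tag and DS digest follow RFC 4034, the ordering of candidates (ECDSAP256SHA256 first, SHA-256 digest first, SHA-384 accepted but not recommended) and the `check_ds` policy are my reading of the commit message, and the DNSKEY public-key bytes are constructed filler, not real keys.

```python
"""Added example (not part of power-mailinabox): DS record candidates for all
generated DNSSEC keys, plus the status-check policy for deployed DS records.
Key material below is constructed dummy bytes; key tag and DS digest are
computed exactly as RFC 4034 specifies."""
import hashlib
import struct
from dataclasses import dataclass

# DNSSEC algorithm numbers from the IANA dns-sec-alg-numbers registry.
ALG_RSASHA1_NSEC3_SHA1 = 7
ALG_RSASHA256 = 8
ALG_ECDSAP256SHA256 = 13
RECOMMENDED_ALG = ALG_ECDSAP256SHA256

# DS digest types from the IANA ds-rr-types registry. Ordering is an
# assumption: SHA-256 first, SHA-384 accepted but not recommended, SHA-1 last.
DIGEST_SHA1, DIGEST_SHA256, DIGEST_SHA384 = 1, 2, 4
DIGEST_ORDER = (DIGEST_SHA256, DIGEST_SHA384, DIGEST_SHA1)
ALG_ORDER = (ALG_ECDSAP256SHA256, ALG_RSASHA256, ALG_RSASHA1_NSEC3_SHA1)
_HASHES = {DIGEST_SHA1: "sha1", DIGEST_SHA256: "sha256", DIGEST_SHA384: "sha384"}


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str  # lowercase hex, as entered into the registrar's DS form


def fmt(d: DS) -> str:
    """DS presentation format: key tag, algorithm, digest type, digest."""
    return f"{d.key_tag} {d.algorithm} {d.digest_type} {d.digest}"


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag for algorithms other than 1, RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(owner: str, rdata: bytes, digest_types=DIGEST_ORDER) -> list:
    """All DS records for one DNSKEY: digest = hash(owner name | DNSKEY RDATA)."""
    wire = name_to_wire(owner) + rdata
    return [DS(key_tag(rdata), rdata[3], dt, hashlib.new(_HASHES[dt], wire).hexdigest())
            for dt in digest_types]


def _rank(d: DS) -> tuple:
    alg = ALG_ORDER.index(d.algorithm) if d.algorithm in ALG_ORDER else len(ALG_ORDER)
    return (alg, DIGEST_ORDER.index(d.digest_type))


def candidate_ds(owner: str, dnskeys: list) -> list:
    """Every DS the box could offer, ordered so candidates[0] is the one to recommend."""
    return sorted((ds for k in dnskeys for ds in ds_records(owner, k)), key=_rank)


def check_ds(deployed: list, candidates: list) -> tuple:
    """Status-check policy: fail only if no deployed DS matches a key; warn if none
    of the matching records uses the recommended algorithm; otherwise OK, listing
    leftover records (wrong algorithm or stale digest) the user should delete."""
    if not candidates:
        return "fail", ["No DNSSEC signing keys found on this box."]
    valid = [d for d in deployed if d in set(candidates)]
    if not valid:
        return "fail", [f"No deployed DS record matches a key here; set: {fmt(candidates[0])}"]
    good = [d for d in valid if d.algorithm == RECOMMENDED_ALG]
    if not good:
        algs = sorted({d.algorithm for d in valid})
        return "warn", [f"DS record(s) use algorithm {algs}; add {fmt(candidates[0])} "
                        "and then remove the old record(s)."]
    leftovers = [d for d in deployed if d not in good]
    return "ok", [f"Delete DS record {fmt(d)}: it does not use ECDSAP256SHA256 "
                  "or no longer matches a key on this box." for d in leftovers]


# Constructed sample zone and keys; the public-key bytes are filler, not real keys.
ZONE = "example.com."
KSK_ECDSA = dnskey_rdata(257, ALG_ECDSAP256SHA256, b"\x04" + bytes(range(64)))
KSK_RSA = dnskey_rdata(257, ALG_RSASHA256, b"\x03\x01\x00\x01" + bytes(256))

if __name__ == "__main__":
    cands = candidate_ds(ZONE, [KSK_ECDSA, KSK_RSA])
    for d in cands:
        print(fmt(d))
    # An ECDSA DS plus a leftover RSASHA256 DS: OK, with a reminder to delete the latter.
    print(check_ds([cands[0], cands[3]], cands))
```

Run it directly to see the six candidate DS records in recommendation order (three digest types for each of the two keys) followed by the check result for a zone that still carries an RSASHA256 DS next to the new ECDSAP256SHA256 one.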
bootstrap.sh v0.53 2021-04-11 12:45:37 -04:00
dkim.sh Enable sending DMARC failure reports (#1929) 2021-02-28 08:21:15 -05:00
dns.sh Migrate to the ECDSAP256SHA256 (13) DNSSEC algorithm 2021-04-12 19:42:12 -04:00
firstuser.sh Rename tools/mail.py to management/cli.py 2020-10-29 15:41:54 -04:00
functions.sh [backport] Add rate limiting of SSH in the firewall (#1770) 2020-07-29 10:24:23 -04:00
mail-dovecot.sh Raise Dovecot per user connection limit (#1799) 2020-07-27 06:37:52 -04:00
mail-postfix.sh Downgrade TLS settings for port 25, partially reverting f53b18ebb9 2020-01-20 14:52:23 -05:00
mail-users.sh Remove unique key constraint on foreign key user_id in mfa table 2020-09-29 19:39:40 +02:00
management.sh Enable Backblaze B2 backups 2021-02-28 08:04:14 -05:00
migrate.py Remove unique key constraint on foreign key user_id in mfa table 2020-09-29 19:39:40 +02:00
munin.sh Fix upgrade issue broken by 802e7a1f4d 2019-12-01 17:44:12 -05:00
network-checks.sh prevent apt from asking the user any questions 2015-02-13 13:41:52 +00:00
nextcloud.sh Fixes unbound variable when upgrading from Nextcloud 13 (#1913) 2021-02-06 16:49:43 -05:00
preflight.sh Better return codes after errors in the setup scripts (#1741) 2020-04-11 14:18:44 -04:00
questions.sh Fix some more $DEFAULT_PUBLIC_IP issues (#1494) 2018-12-26 15:39:47 -05:00
spamassassin.sh Implement SPF/DMARC checks, add spam weight to those mails (#1836) 2020-12-25 17:22:24 -05:00
ssl.sh only set the CN field when generating initial CSR to prevent issues with the php7 ppa version of openssl (#1223) 2017-07-30 08:11:39 -04:00
start.sh MTA-STS tweaks, add status check using postfix-mta-sts-resolver, change to enforce 2020-05-29 15:36:52 -04:00
system.sh Enable Backblaze B2 backups 2021-02-28 08:04:14 -05:00
web.sh MTA-STS tweaks, add status check using postfix-mta-sts-resolver, change to enforce 2020-05-29 15:36:52 -04:00
webmail.sh Update roundcube to 1.4.11 2021-02-28 08:14:17 -05:00
zpush.sh Update zpush to 2.6.2 2021-02-28 08:05:40 -05:00