This is an experimental Internet security standards thread for anyone willing to discuss, implement, help newbies or learn more about Internet security standards.
>DNS
Who among you are using DNSSEC [1, 2] already? Have you considered TLSA (DANE [3]), SSHFP [4], OPENPGPKEY [5] resource records (RRs) yet?
>HTTP
Who among you are running your own Web server? Do you secure your traffic with TLS and HTTP security headers? Do you use HSTS [6] to enforce a secure connection? Do you use HPKP [7] for certificate pinning? Do you use CSP [8] to enforce content restrictions?
Who among you are running your own mail server (MTA)? Do you secure your traffic with (START)TLS? Do you use SPF [9] to allow only authorised hosts to send mail? Do you use DKIM [10] to cryptographically verify message authenticity? Do you use DMARC [11] to set domain-level message handling policies?
Share your thoughts!
>Newbies section
There are numerous introductory videos about DNSSEC [12, 13], SPF [14], DKIM [15] and DMARC [16] to familiarise yourself more with. There are also numerous websites [17, 18, 19, 20, 21] that can help you check your server's security.
[1] https://tools.ietf.org/html/rfc4033
[2] http://www.dnssec.net/
[3] https://tools.ietf.org/html/rfc6698
[4] https://tools.ietf.org/html/rfc4255
[5] https://tools.ietf.org/html/rfc7929
[6] https://tools.ietf.org/html/rfc6797
[7] https://tools.ietf.org/html/rfc7469
[8] https://www.w3.org/TR/CSP2/
[9] https://tools.ietf.org/html/rfc7208
[10] https://tools.ietf.org/html/rfc6376
[11] https://tools.ietf.org/html/rfc7489
[12] https://www.youtube.com/watch?v=lTABuMxO2AM
[13] https://www.youtube.com/watch?v=qlto6GfZEvA
[14] https://www.youtube.com/watch?v=WFPYrAr1boU
[15] https://www.youtube.com/watch?v=yHv1OPcc-gw
[16] https://www.youtube.com/watch?v=kGk-Af_92Bk
[17] http://dnsviz.net/
[18] https://www.ssllabs.com/ssltest/index.html
[19] https://internet.nl/
[20] https://securityheaders.io/
[21] https://www.mail-tester.com/
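Three of the things the OP asks about (HSTS, SPF and DMARC) are plain text records that you can sanity-check yourself before pointing an online scanner at them. The following is an added example, not code from the thread: it parses a Strict-Transport-Security header value (RFC 6797), a _dmarc TXT record (RFC 7489) and an SPF TXT record (RFC 7208) and reports the classic misconfigurations (short max-age, p=none, +all, more than ten DNS-lookup terms). Every sample value in it is constructed; the hostnames and addresses are placeholders.

```python
# Added example (not from this thread): quick sanity checks for three of the
# record/header formats the post asks about. HSTS (RFC 6797) and DMARC (RFC 7489)
# are ';'-separated directive lists; SPF (RFC 7208) is a space-separated term
# list. All sample values below are constructed.

def parse_directives(value):
    """Split 'k=v; k2; k3=v3' into a dict with lower-cased keys.
    Directives without '=' (e.g. includeSubDomains, preload) map to True."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            out[key.strip().lower()] = val.strip()
        else:
            out[part.lower()] = True
    return out


def check_hsts(header_value, min_age=31536000):
    """Return a list of problems with a Strict-Transport-Security value.
    RFC 6797 makes max-age mandatory; a year or more plus includeSubDomains
    is what the browser preload list expects."""
    d = parse_directives(header_value)
    issues = []
    age = d.get("max-age")
    if not (isinstance(age, str) and age.isdigit()):
        issues.append("max-age missing or not numeric")
    elif int(age) < min_age:
        issues.append(f"max-age {age} is below {min_age}")
    if "includesubdomains" not in d:
        issues.append("includeSubDomains not set")
    return issues


def check_dmarc(txt):
    """Return a list of problems with a _dmarc TXT record (RFC 7489)."""
    issues = []
    if not txt.strip().lower().startswith("v=dmarc1"):
        return ["record must start with v=DMARC1"]
    d = parse_directives(txt)
    policy = d.get("p")
    if policy not in ("none", "quarantine", "reject"):
        issues.append("p= tag missing or invalid")
    elif policy == "none":
        issues.append("p=none only monitors; receivers will not enforce anything")
    if "rua" not in d:
        issues.append("no rua= address, so no aggregate reports will arrive")
    return issues


# SPF terms that cost a DNS lookup and count against the RFC 7208 limit of 10
LOOKUP_MECHANISMS = ("a", "mx", "ptr")
LOOKUP_PREFIXES = ("include:", "exists:", "redirect=", "a:", "mx:", "ptr:", "a/", "mx/")

def check_spf(txt):
    """Return a list of problems with an SPF TXT record (RFC 7208)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    issues = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"                         # default qualifier is "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        term = term.lower()
        if term == "all":
            all_qualifier = qualifier
        elif term in LOOKUP_MECHANISMS or term.startswith(LOOKUP_PREFIXES):
            lookups += 1
    if all_qualifier is None:
        issues.append("no 'all' term: unlisted hosts get a neutral result")
    elif all_qualifier in "+?":
        issues.append(f"'{all_qualifier}all' lets any host pass SPF")
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms; RFC 7208 allows at most 10")
    return issues


if __name__ == "__main__":
    # Constructed samples, not real records or hosts.
    print(check_hsts("max-age=31536000; includeSubDomains; preload"))      # []
    print(check_hsts("max-age=300"))
    print(check_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.net"))  # []
    print(check_spf("v=spf1 mx include:_spf.example.net ~all"))             # []
    print(check_spf("v=spf1 +all"))
```

Feed it the header from `curl -sI https://yourhost/` and the TXT records from `dig +short TXT yourdomain` / `dig +short TXT _dmarc.yourdomain`; an empty list means nothing obvious is wrong, which is the point to then run the scanners in [18], [19] and [21] for the checks that need a live connection.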
How can I enable DNSSEC without being MITM'd by Cloudflare or similar CDNs?
>>61609893
>DNSSEC
Yes
>TLSA (DANE), SSHFP, OPENPGPKEY
No
>own Web server, TLS, HTTP security headers, HSTS, CSP
Yes
>HPKP
No
>own mail server, TLS, SPF, DKIM, DMARC
Yes
>>61610036
DNSSEC just involves adding keys in DNS resource records. It has nothing to do with the primary services of Cloudflare.
>>61609893
>Do you use HSTS [6] to enforce a secure connection?
Yea but I'm too lazy to update the expired certificate. Can't even access the website myself.
>>61610036
You need to run your own resolver then.
>>61610036
Consider running your own Unbound with DNSSEC enabled. https://unbound.net/
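What "Unbound with DNSSEC enabled" looks like in practice, as an added example rather than anything posted in the thread: a minimal `unbound.conf` that listens on loopback only and validates every answer against the root trust anchor, so a forwarding resolver or CDN cannot substitute records without the lookup failing on your own host. The file paths follow common Linux packaging and are assumptions; adjust them for your system.

```conf
# Added example, not from the thread: a minimal validating Unbound resolver.
# Paths are assumptions based on common Linux packaging.
server:
    # Listen only on loopback; point /etc/resolv.conf at 127.0.0.1
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    # Root trust anchor, where the RFC 4033 chain of trust starts. Unbound keeps
    # this file current itself (RFC 5011); create it once with:
    #   unbound-anchor -a /var/lib/unbound/root.key
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Never return an answer that failed validation
    val-permissive-mode: no
    # Treat a signed zone whose RRSIGs were stripped in transit as bogus, not unsigned
    harden-dnssec-stripped: yes
    # Log validation failures (0 = off, 1 = failures, 2 = verbose)
    val-log-level: 1
```

Run `unbound-checkconf` before reloading. To confirm validation is actually happening, query a signed name with `dig @127.0.0.1 +dnssec <name>` and look for the `ad` flag in the header; a deliberately broken name should come back SERVFAIL instead of an answer, and the reason is logged at the `val-log-level` above.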