Please enable DNSSEC and DANE on www.JabRef.org

Hi,
DNSSEC and DANE are DNS-based security features that should be easy to enable, and it would be nice if the JabRef site would support these. I’m very happy to lend my assistance and provide directions if needed. Please let me know if this is wanted.


Hi,

Thanks for the hint. We will try this asap… @koppor will take a look at this :slight_smile:
As far as I know, the domain is linked to the GitHub pages and this is handled by Cloudflare.
I did not find any further information on GitHub, so I guess it’s probably a config thing in Cloudflare.

John, I researched it and both things are useful ones. I could enable DNSSEC but not DANE. It seems we need to switch our web hosting provider. Can you recommend one for static web site hosting including a DNS service, or do we need to set up one of our own? Do you have recommendations? We are very open to switching away from CloudFlare to anything ranging from self-hosted to cloud-driven.

Longer answer:

DNSSEC seems to be a useful thing. Source (German): Slide 30 of https://www.fefe.de/dns/dns.pdf (year 2001 :sweat_smile:). I enabled it using CloudFlare’s functionality.

DANE (“DNS-based Authentication of Named Entities”). This is a hard one. Howto at How to use DANE/TLSA | Weberblog.net. If I got it right, at each change of the certificate by GitHub, we need to update the DNS records.

uber.space does not support DANE: https://twitter.com/kornybrot/status/465941774918508544

Background: A good slide deck on that seems to be https://tu-dresden.de/ing/informatik/sya/ps/ressourcen/dateien/studium/materialien/mat_resilient_networks/DNSSEC_DANE.pdf?lang=de
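How the data in a TLSA record is derived from a certificate, as an added example that is not part of the original posts: whether a certificate renewal forces a DNS change depends on the TLSA selector (0 hashes the whole certificate, 1 hashes only the SubjectPublicKeyInfo) and on whether the key pair is reused. The sample certificates are constructed, unsigned stand-ins that only follow X.509's field order, and `sample_cert`, `needs_dns_update` and the `www.example.org` owner name are hypothetical.

```python
import hashlib

def tlv(tag, body):
    """Encode one DER element; used only to build the constructed samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf, pos):
    """Return (tag, body_start, end) of the DER element starting at pos."""
    first = buf[pos + 1]
    if first < 0x80:
        body, n = pos + 2, first
    else:
        body = pos + 2 + (first & 0x7F)
        n = int.from_bytes(buf[pos + 2:body], "big")
    return buf[pos], body, body + n

def spki_of(cert_der):
    """Slice the SubjectPublicKeyInfo element out of a DER certificate."""
    _, pos, _ = read_tlv(cert_der, 0)        # enter Certificate
    _, pos, _ = read_tlv(cert_der, pos)      # enter tbsCertificate
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                          # optional [0] version field
        pos = end
    for _ in range(5):   # serial, signature alg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    return cert_der[pos:read_tlv(cert_der, pos)[2]]

def tlsa_rdata(cert_der, selector):
    """RDATA for usage 3 (DANE-EE) and matching type 1 (SHA-256)."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    return f"3 {selector} 1 {hashlib.sha256(data).hexdigest()}"

def needs_dns_update(old_cert, new_cert, selector):
    """True when the published TLSA record would no longer match new_cert."""
    return tlsa_rdata(old_cert, selector) != tlsa_rdata(new_cert, selector)

def sample_cert(serial, key):
    """Constructed stand-in with X.509's field order; not a real certificate."""
    empty = tlv(0x30, b"")
    spki = tlv(0x30, empty + tlv(0x03, b"\x00" + key))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial])) + empty * 4 + spki
    return tlv(0x30, tlv(0x30, tbs) + empty + tlv(0x03, b"\x00"))

CURRENT = sample_cert(1, b"\x11" * 200)       # certificate in service
RENEWED = sample_cert(2, b"\x11" * 200)       # reissued, same key pair
REKEYED = sample_cert(3, b"\x22" * 200)       # reissued, new key pair

if __name__ == "__main__":
    print("_443._tcp.www.example.org. IN TLSA", tlsa_rdata(CURRENT, 1))
    for name, cert in (("renewed", RENEWED), ("rekeyed", REKEYED)):
        for sel in (0, 1):
            print(name, "selector", sel, "update needed:", needs_dns_update(CURRENT, cert, sel))
```

When the party issuing the certificate also controls the key pair, a new record has to be published alongside the old one before any rekeyed certificate goes live.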

Thank you not only for researching this but also for your strong commitment to enabling it! I didn’t realize you used GitHub Pages; indeed, I contacted the GitHub support folks the other day for another project and we’re trying to find a solution.
You should know that I literally only learned what a DNS record was a week ago. In that time frame, I’ve set up my personal domain to have DANE, OPENPGPKEY, and SMIMEA records.
To be honest I didn’t look super hard, but I didn’t find a FLOSS-friendly web host that allowed me control over the TLS certificate I liked, so I opted to self-host. You’re using CloudFlare for DNS? You can stick with them. For DNS, I personally use deSEC, which is a free of charge and non-profit DNS provider. For DNS, they’re kind of like what Let’s Encrypt is for TLS: they’re non-profit and their goal is to advance security and innovative DNS technologies.
Another option is piggybacking off a sister project or umbrella organization. Maybe The Document Foundation, the TeX Users Group, Apache, The Software Freedom Conservancy, or Software in the Public Interest would be willing to take you in, depending which one is in closest alignment with your values? This would have benefits beyond just web hosting, including being a legal and free software advocacy point of contact and allowing you to more easily accept donations, including ones tax deductible for folks in potentially many countries.

That’s a long-winded way of saying that this isn’t just about DANE anymore: it’s about who provides infrastructure for, and is an ally of, the JabRef project. If that’s not something you feel is worth pursuing, alrightey; consider maybe paying for hosting. That doesn’t necessarily mean getting a VPS and installing an HTTP service yourself; it could be a middle ground between doing that and going with GitHub Pages which lets you focus only on stuff that matters while still keeping the TLS private keys in your hands.

I hope that all made sense. Thanks for making JabRef!

Thanks for your suggestions! We will look into this.

Well, I have some kind of good news for you. While JabRef is not part of any big organization, it is backed by the non-profit organization JabRef e.V. registered in Germany and founded in 2020. At least, donations from German residents are tax-deductible.