DNS-based Authentication of Named Entities

From Glitchdata

DNS-based Authentication of Named Entities (DANE) is a protocol to allow X.509 certificates, commonly used for Transport Layer Security (TLS), to be bound to DNS names using Domain Name System Security Extensions (DNSSEC).[1]

It is proposed in RFC 6698 as a way to authenticate TLS client and server entities without a certificate authority (CA). It is updated with operational and deployment guidance in RFC 7671. Application specific usage of DANE is defined in RFC 7672 for SMTP and RFC 7673 for using DANE with Service (SRV) records.


TLS/SSL encryption is currently based on certificates issued by certificate authorities (CAs). Within the last few years, a number of CA providers suffered serious security breaches, allowing certificates for well-known domains to be issued to parties who did not own those domains. Trusting a large number of CAs is a problem because any single breached CA can issue a certificate for any domain name. DANE enables the administrator of a domain name to certify the keys used in that domain's TLS clients or servers by storing them in the Domain Name System (DNS). DANE needs the DNS records to be signed with DNSSEC for its security model to work.

Additionally DANE allows a domain owner to specify which CA is allowed to issue certificates for a particular resource, which solves the problem of any CA being able to issue certificates for any domain.

DANE solves similar problems as:

- Certificate Transparency - ensuring that a certificate issued by a rogue CA without the domain holder's permission does not go undetected

- DNS Certification Authority Authorization - limiting which CAs can issue certificates for a given domain

However, unlike DANE, those technologies have wide support from browsers.

Email encryption

Until recently, there has been no widely implemented standard for encrypted email transfer.[2] Sending an email is security agnostic; there is no URI scheme to designate secure SMTP.[3] Consequently, most email that is delivered over TLS uses only opportunistic encryption.[4] Since DNSSEC provides authenticated denial of existence (allows a resolver to validate that a certain domain name does not exist), DANE enables an incremental transition to verified, encrypted SMTP without any other external mechanisms, as described by RFC 7672. A DANE record indicates that the sender must use TLS.[3]
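The binding described above is carried in a TLSA record (RFC 6698): a usage field, a selector (full certificate or just the SubjectPublicKeyInfo), a matching type (exact, SHA-256 or SHA-512) and the resulting association data. The following is an added example, not code from the original article or from any DANE implementation: it builds a TLSA record for a certificate and checks a leaf certificate against the DANE-EE (usage 3) records a validating resolver would return. The certificate is a constructed, unsigned DER skeleton with a placeholder algorithm OID; the DER helpers, `spki_from_cert`, `tlsa_assoc_data`, `tlsa_record` and `dane_ee_matches` are all this example's own names.

```python
import hashlib

def der(tag, content):
    """Encode one DER TLV with a definite (short- or long-form) length."""
    n = len(content)
    if n < 0x80: return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_header(buf, i=0):
    """(tag, content_start, content_end) of the TLV at buf[i]."""
    tag, ln, p = buf[i], buf[i + 1], i + 2
    if ln & 0x80:                                     # long-form length
        k = ln & 0x7F
        ln, p = int.from_bytes(buf[p:p + k], "big"), p + k
    return tag, p, p + ln

def der_children(tlv):
    """Child TLVs of a constructed DER value such as a SEQUENCE."""
    _, i, end = der_header(tlv); out = []
    while i < end:
        _, _, e = der_header(tlv, i); out.append(tlv[i:e]); i = e
    return out

def spki_from_cert(cert_der):
    """subjectPublicKeyInfo: 7th tbsCertificate field if the [0] version (0xA0) is present, else 6th."""
    fields = der_children(der_children(cert_der)[0])
    return fields[6 if fields[0][0] == 0xA0 else 5]

def tlsa_assoc_data(cert_der, selector, matching):
    """RFC 6698 association data: selector 0=full cert, 1=SPKI; matching 0=exact, 1=SHA-256, 2=SHA-512."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    return {0: data, 1: hashlib.sha256(data).digest(), 2: hashlib.sha512(data).digest()}[matching]

def tlsa_record(cert_der, usage=3, selector=1, matching=1):
    """Presentation form of a TLSA RR; the default '3 1 1' is DANE-EE, SPKI, SHA-256."""
    return f"{usage} {selector} {matching} {tlsa_assoc_data(cert_der, selector, matching).hex()}"

def dane_ee_matches(records, leaf_der):
    """True if the leaf cert matches any usage-3 record; usages 0-2 need PKIX chain processing (RFC 7671), ignored here."""
    for rec in records:
        usage, sel, mt, hexdata = rec.split()
        if int(usage) == 3 and tlsa_assoc_data(leaf_der, int(sel), int(mt)) == bytes.fromhex(hexdata):
            return True
    return False

def sample_cert(pubkey=b"\x00" + b"\x01" * 32):
    """Constructed, unsigned X.509-shaped DER skeleton (sample input, not a real certificate);
    the Ed25519 OID 1.3.101.112 is just a placeholder algorithm identifier."""
    spki = der(0x30, der(0x30, der(0x06, b"\x2b\x65\x70")) + der(0x03, pubkey))
    empty = der(0x30, b"")                            # stands in for sigalg, issuer, validity, subject
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + empty * 4 + spki)
    return der(0x30, tbs + empty + der(0x03, b"\x00"))
```

A "3 1 1" record pins only the public key, so the certificate can be reissued by any CA (or self-signed) without touching DNS, whereas a key rotation must publish the new record before the key is switched.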

Additionally, a draft exists for applying DANE to S/MIME,[5] and RFC 7929 standardises bindings for OpenPGP.[6]

Support

  • Google Chrome does not support DANE, since Google Chrome wishes to eliminate the use of 1024-bit RSA within the browser[7] (DNSSEC previously used a 1024-bit RSA signed root,[8] and many zones are still signed with 1024-bit RSA). According to Adam Langley the code was written[9] and, although it is not in Chrome today,[10] it remains available in add-on form.[11][12]
  • Mozilla Firefox has support via an add-on.[13] Bloodhound is an adapted Firefox with DNSSEC validation and DANE support built in.[14]
  • GNU Privacy Guard allows fetching keys via OpenPGP DANE (--auto-key-locate) and adds the option --print-dane-records (since version 2.1.9).[15]

Standards

  • RFC 6394 Use Cases and Requirements for DNS-Based Authentication of Named Entities (DANE)
  • RFC 6698 The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA
  • RFC 7218 Adding Acronyms to Simplify Conversations about DNS-Based Authentication of Named Entities (DANE)
  • RFC 7671 The DNS-Based Authentication of Named Entities (DANE) Protocol: Updates and Operational Guidance
  • RFC 7672 SMTP Security via Opportunistic DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS)
  • RFC 7673 Using DNS-Based Authentication of Named Entities (DANE) TLSA Records with SRV Records
  • RFC 7929 DNS-Based Authentication of Named Entities (DANE) Bindings for OpenPGP

References

  1. "DANE: Taking TLS Authentication to the Next Level Using DNSSEC". ISOC. http://www.internetsociety.org/articles/dane-taking-tls-authentication-next-level-using-dnssec.
  2. "Postfix TLS Support - Secure server certificate verification". Postfix.org. http://www.postfix.org/TLS_README.html#client_tls_secure. Retrieved 2015-12-30.
  3. Template:Cite conference
  4. Filippo Valsorda (2015-03-31). "The sad state of SMTP encryption". https://blog.filippo.io/the-sad-state-of-smtp-encryption/. Retrieved 2015-12-30.
  5. Template:Cite IETF
  6. Template:Cite IETF
  7. Langley, Adam (2015-01-17). "ImperialViolet - Why not DANE in browsers" (in en). https://www.imperialviolet.org/2015/01/17/notdane.html.
  8. Duane Wessels, Verisign (2016-05-16). "Increasing the Strength Zone Signing Key for the Root Zone". Verisign.com. https://blog.verisign.com/security/increasing-the-strength-of-the-zone-signing-key-for-the-root-zone/. Retrieved 2016-12-29.
  9. Adam Langley (2012-10-20). "DANE stapled certificates". ImperialViolet. https://www.imperialviolet.org/2012/10/20/dane-stapled-certificates.html. Retrieved 2014-04-16.
  10. Adam Langley (2011-06-16). "DNSSEC authenticated HTTPS in Chrome". ImperialViolet. https://www.imperialviolet.org/2011/06/16/dnssecchrome.html. Retrieved 2014-04-16.
  11. How To Add DNSSEC Support To Google Chrome
  12. DNSSEC Validator - Chrome add-on
  13. "DNSSEC/TLSA Validator". https://www.dnssec-validator.cz/.
  14. "Bloudhound-browser". https://www.dnssec-tools.org/bloodhound/bloodhound.html.
  15. "GnuPG 2.1.9 released". gnupg.org. https://lists.gnupg.org/pipermail/gnupg-announce/2015q4/000380.html. Retrieved 2015-10-10.
  16. "Postfix TLS Support - DANE". Postfix.org. http://www.postfix.org/TLS_README.html#client_tls_dane. Retrieved 2014-04-16.
  17. Jakob Schlyter, Kirei AB. "DANE". RTR-GmbH. https://www.rtr.at/de/inf/E_Mail_Sicherheit05112015/Vortrag_DANE_20151105.pdf. Retrieved 2015-12-17.
  18. "Halon DANE support". Halon Security AB. http://wiki.halon.io/DANE. Retrieved 2015-12-17.
  19. Andrew Conway. "DANE and Email Security". Cloudmark, Inc.. https://blog.cloudmark.com/2017/03/27/dane-and-email-security/. Retrieved 2017-03-31.
  20. posteo.de. "Posteo unterstützt DANE/TLSA". https://posteo.de/blog/posteo-unterst%C3%BCtzt-danetlsa.
  21. mailbox.org. "DANE und DNSsec für sicheren E-Mail-Versand bei mailbox.org". Archived from the original on 2014-08-21. https://web.archive.org/web/20140821082629/https://mailbox.org/dane-und-dnssec-fuer-sicheren-e-mail-versand-bei-mailbox-org/.
  22. dotplex.de. "Secure Hosting mit DANE/TLSA". https://secure.dotplex.de/webhosting/secure-hosting.
  23. mail.de. "mail.de unterstützt DANE/TLSA - Kein Beitritt in Verbund "E-Mail made in Germany"". https://mail.de/unternehmen/presse/2014-06-19-mailde-unterstuetzt-dane-tlsa.
  25. Richard Levitte (2016-01-07). "DANE CHANGES". https://github.com/openssl/openssl/commit/59fd40d4e5030a7257edd11d758eab1dcebb3787. Retrieved 2016-01-13.
  26. "Verifying a certificate using DANE (DNSSEC)". Gnu.org. http://www.gnutls.org/manual/html_node/Verifying-a-certificate-using-DANE.html.