DNS-based Authentication of Named Entities
DNS-based Authentication of Named Entities (DANE) is a protocol to allow X.509 certificates, commonly used for Transport Layer Security (TLS), to be bound to DNS names using Domain Name System Security Extensions (DNSSEC).
TLS/SSL encryption is currently based on certificates issued by certificate authorities (CAs). Within the last few years, a number of CA providers suffered serious security breaches, allowing the issuance of certificates for well-known domains to those who don't own those domains. Trusting a large number of CAs might be a problem because any breached CA could issue a certificate for any domain name. DANE enables the administrator of a domain name to certify the keys used in that domain's TLS clients or servers by storing them in the Domain Name System (DNS). DANE needs DNS records to be signed with DNSSEC.
Additionally DANE allows a domain owner to specify which CA is allowed to issue certificates for a particular resource, which solves the problem of any CA being able to issue certificates for any domain.
- Google Chrome does not support DANE. According to Adam Langley, the code was written, but it is not in Chrome today. However it is available using an add-on.
- Mozilla Firefox has support via an add-on
- RFC 6394 Use Cases and Requirements for DNS-Based Authentication of Named Entities (DANE)
- RFC 6698 The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA
- RFC 7218 Adding Acronyms to Simplify Conversations about DNS-Based Authentication of Named Entities (DANE)
- "DANE: Taking TLS Authentication to the Next Level Using DNSSEC". ISOC.
- Adam Langley (2012-10-20). "DANE stapled certificates". ImperialViolet. Retrieved 2014-04-16.
- Adam Langley (2011-06-16). "DNSSEC authenticated HTTPS in Chrome". ImperialViolet. Retrieved 2014-04-16.
- How To Add DNSSEC Support To Google Chrome
- DNSSEC Validator - Chrome add-on
- "DNSSEC/TLSA Validator".
- "[irssi] Commit d826896f74925f2e77536d69a3d1a4b86b0cec61". github.com. Retrieved 2014-07-18.
- "Postfix TLS Support". Postfix.org. Retrieved 2014-04-16.
- posteo.de. "Posteo unterstützt DANE/TLSA" (in German). Retrieved 2014-05-15.
- mailbox.org. "DANE und DNSsec für sicheren E-Mail-Versand bei mailbox.org" (in German). Retrieved 2014-05-29.
- dotplex.de. "Secure Hosting mit DANE/TLSA" (in German). Retrieved 2014-06-21.
- mail.de. "mail.de unterstützt DANE/TLSA - Kein Beitritt in Verbund "E-Mail made in Germany"" (in German). Retrieved 2014-06-22.
- tutanota.de. "DANE Everywhere?! Let’s Make the Internet a Private Place Again." (in German). Retrieved 2015-01-13.
- "Verifying a certificate using DANE (DNSSEC)". Gnu.org.
- Bug #77327 for Net-DNS: DANE TLSA support, rt.cpan.org
- Net_DNS2 v1.2.5 – DANE TLSA Support
- List of DANE test sites
- Verisign Labs DANE Demonstration
- Online tool to check domains for DNSSEC and DANE support