DNS-based Authentication of Named Entities

"DANE" redirects here. For the Colombian department of statistics, see National Administrative Department of Statistics.

DNS-based Authentication of Named Entities (DANE) is a protocol to allow X.509 certificates, commonly used for Transport Layer Security (TLS), to be bound to DNS names using Domain Name System Security Extensions (DNSSEC).[1]

It is proposed in RFC 6698 as a way to authenticate TLS client and server entities without a certificate authority (CA). It is updated with operational and deployment guidance in RFC 7671. Application specific usage of DANE is defined in RFC 7672 for SMTP and RFC 7673 for using DANE with Service (SRV) records.

Rationale

TLS/SSL encryption is currently based on certificates issued by certificate authorities (CAs). Within the last few years, a number of CA providers suffered serious security breaches, allowing the issuance of certificates for well-known domains to those who don't own those domains. Trusting a large number of CAs might be a problem because any breached CA could issue a certificate for any domain name. DANE enables the administrator of a domain name to certify the keys used in that domain's TLS clients or servers by storing them in the Domain Name System (DNS). DANE needs the DNS records to be signed with DNSSEC for its security model to work.

Additionally DANE allows a domain owner to specify which CA is allowed to issue certificates for a particular resource, which solves the problem of any CA being able to issue certificates for any domain.

Email encryption

Until recently, there has been no widely implemented standard for encrypted email transfer.[2] Sending an email is security agnostic; there is no URI scheme to designate secure SMTP.[3] As a result, most email that is delivered over TLS uses only opportunistic encryption.[4] Since DNSSEC provides authenticated denial of existence, DANE enables an incremental transition to verified, encrypted SMTP without any other external mechanisms, as described by RFC 7672. A DANE record indicates that the sender must use TLS.[3]

Additional drafts exist for S/MIME[5] and Pretty Good Privacy (PGP).[6]

Support

Applications

Servers

Services

Libraries

Standards

References

  1. "DANE: Taking TLS Authentication to the Next Level Using DNSSEC". ISOC.
  2. "Postfix TLS Support - Secure server certificate verification". Postfix.org. Retrieved 2015-12-30.
  3. 1 2 Dukhovni; Hardaker (2013-07-28). DANE for SMTP (PDF). IETF 87 Proceedings. IETF.
  4. Filippo Valsorda (2015-03-31). "The sad state of SMTP encryption". Retrieved 2015-12-30.
  5. Using Secure DNS to Associate Certificates with Domain Names For S/MIME. IETF. 2015-08-27. I-D draft-ietf-dane-smime-09. https://tools.ietf.org/html/draft-ietf-dane-smime-09.
  6. Using DANE to Associate OpenPGP public keys with email addresses. IETF. 2015-10-20. I-D draft-ietf-dane-openpgpkey-06. https://tools.ietf.org/html/draft-ietf-dane-openpgpkey-06.
  7. Adam Langley (2012-10-20). "DANE stapled certificates". ImperialViolet. Retrieved 2014-04-16.
  8. Adam Langley (2011-06-16). "DNSSEC authenticated HTTPS in Chrome". ImperialViolet. Retrieved 2014-04-16.
  9. How To Add DNSSEC Support To Google Chrome
  10. DNSSEC Validator - Chrome add-on
  11. "DNSSEC/TLSA Validator".
  12. "[irssi] Commit d826896f74925f2e77536d69a3d1a4b86b0cec61". github.com. Retrieved 2014-07-18.
  13. "GnuPG 2.1.9 released". gnupg.org. Retrieved 2015-10-10.
  14. "Postfix TLS Support - DANE". Postfix.org. Retrieved 2014-04-16.
  15. Jakob Schlyter, Kirei AB. "DANE" (PDF). RTR-GmbH. Retrieved 2015-12-17.
  16. "Halon DANE support". Halon Security AB. Retrieved 2015-12-17.
  17. posteo.de. "Posteo unterstützt DANE/TLSA". Retrieved 2014-05-15.
  18. mailbox.org. "DANE und DNSsec für sicheren E-Mail-Versand bei mailbox.org". Retrieved 2014-05-29.
  19. dotplex.de. "Secure Hosting mit DANE/TLSA". Retrieved 2014-06-21.
  20. mail.de. "mail.de unterstützt DANE/TLSA - Kein Beitritt in Verbund "E-Mail made in Germany"". Retrieved 2014-06-22.
  21. DANE Everywhere?! Let’s Make the Internet a Private Place Again, tutanota.de, retrieved 2015-12-17
  22. Richard Levitte (2016-01-07). "DANE CHANGES". Retrieved 2016-01-13.
  23. "Verifying a certificate using DANE (DNSSEC)". Gnu.org.
  24. Bug #77327 for Net-DNS: DANE TLSA support, rt.cpan.org
  25. Net_DNS2 v1.2.5 – DANE TLSA Support
  26. A C++ library for DANE protocols, focusing on secure email

See also

External links

This article is issued from Wikipedia - version of the Saturday, April 09, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.