What is DANE?
The abbreviation DANE stands for DNS-based Authentication of Named Entities. It is a procedure specified in various RFCs (Request for Comments) for verifying server certificates using the Domain Name System. The relevant RFCs are RFC 6394, RFC 6698, RFC 7218, RFC 7671, RFC 7672 and RFC 7673.
DANE makes it possible to secure traffic that is to be encrypted via TLS (Transport Layer Security) and certificates by no longer making the verification of the certificates depend on the trustworthiness of a certificate authority (CA). This increases security because certificates cannot be replaced unnoticed.
DANE is used for encrypted access to websites via HTTPS (Hypertext Transfer Protocol Secure) or the encrypted exchange of e-mails via SMTP (Simple Mail Transfer Protocol). From a technical perspective, DNS-based Authentication of Named Entities links X.509 certificates with additional entries in the Domain Name System. DNSSEC is used to secure DNS communication.
DANE can also be used to issue certificates oneself, without involving a CA. The primary goal of DANE is to check whether a server's certificate matches the intended domain. Various browsers such as Firefox or Google Chrome support the procedure via add-ons. In addition, hosting providers offer compatible server and domain packages. A prerequisite for this is that certain configuration options are available in one's own DNS zone.
What is the motivation for DANE?
Transport Layer Security (TLS), also known by the name of its predecessor Secure Sockets Layer (SSL), is the standard procedure for encrypting data transported on the Internet. Both the encrypted retrieval of web pages via HTTPS and the encrypted exchange of e-mails are based on TLS. TLS uses certificates to confirm the authenticity of the servers.
For this purpose, clients check whether the contacted domain matches the entry in the server certificate. In addition, it must be checked whether the certificate was issued by a trusted CA. The browser uses a list to decide whether a CA is trustworthy. In the past, there have been repeated problems with CAs, and attackers have been able to obtain certificates without authorization. Typical problems with CAs and certificates are:
- Insufficient verification of the identity of certificate applicants by the CA
- Stolen CA certificates that can be used to sign arbitrary certificates in the CA's name
- Problems with automated certificate processes of a CA
DANE allows CA-independent verification of certificates directly with the owner of a domain, so verification no longer depends on the trustworthiness of a CA.
How does DNS-based Authentication of Named Entities work?
DANE works with so-called TLSA records in the DNS zone. A TLSA record contains information about the certificate, such as a unique fingerprint in the form of a hash value. Manipulation of the TLSA record can be ruled out because only the domain owner is authorized to manage the records.
Among other things, a TLSA entry also signals that the domain is willing to accept an encrypted connection. If a client wants to check a certificate, it no longer contacts the CA but queries the domain's TLSA record, which carries the hash value of the certificate. The exchange of DNS information is secured with DNSSEC. By comparing the fingerprint received with a hash value the client computes itself from the server's certificate or public key, the authenticity of the server can be determined. The TLS-encrypted connection can then be established.
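As an added illustration (not part of the original article), the following Python sketches the client-side comparison described above: building the TLSA owner name for a service, parsing a TLSA record into its usage, selector, matching type and association data, and recomputing the fingerprint from the server's certificate to compare it with the record. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders; a real client takes them from the TLS handshake and must first have obtained the TLSA record through a DNSSEC-validated answer.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698/7671)
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo only
    matching_type: int  # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes         # certificate association data

def tlsa_owner_name(port: int, proto: str, host: str) -> str:
    """Name the client queries for a service, e.g. _25._tcp.mail.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format RDATA: 'usage selector mtype hexdata...'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))

def association_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Recompute the value the record must carry for this certificate."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.matching_type == 0:
        return selected
    if rec.matching_type == 1:
        return hashlib.sha256(selected).digest()
    if rec.matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {rec.matching_type}")

def matches_end_entity(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare the record with the server's leaf certificate. Usages 1 and 3 bind
    the leaf; usages 0 and 2 name a trust anchor and need chain matching instead."""
    if rec.usage not in (1, 3):
        return False
    return association_data(rec, cert_der, spki_der) == rec.data

# Constructed placeholders: in practice these are DER bytes taken from the TLS handshake.
SAMPLE_CERT = b"constructed DER standing in for the server certificate"
SAMPLE_SPKI = b"constructed DER standing in for its SubjectPublicKeyInfo"
SAMPLE_RDATA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()  # DANE-EE, SPKI, SHA-256

def demo():
    """Genuine key matches the record; a swapped-in certificate with another key does not."""
    rec = parse_tlsa(SAMPLE_RDATA)
    return (matches_end_entity(rec, SAMPLE_CERT, SAMPLE_SPKI),
            matches_end_entity(rec, SAMPLE_CERT, b"constructed SPKI of a different key"))
```

The swapped-key case is the replacement attack the article refers to: a certificate issued by some other CA for the same name still fails because its fingerprint does not match what the domain owner published.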