Difference between revisions of "DANE"

From MgmtWiki
Latest revision as of 15:00, 20 September 2024

Full Title or Meme

One alternative for authenticating TLS endpoints through DNS is DANE (DNS-Based Authentication of Named Entities).

Context

1. **DNSSEC**: DANE relies on DNSSEC (Domain Name System Security Extensions), which creates a cryptographically-signed trust hierarchy for domain names. This hierarchy ensures that DNS responses are validated and secure.

2. **Self-Signed Certificates**: With DANE, domain owners can create their own TLS (SSL) certificates for their domains. These self-signed certificates are inserted into the DNS hierarchy of trusted keys. Essentially, the domain owner has full control over certificate issuance.

3. **Revocation**: Revoking a certificate is simpler with DANE. If needed, the domain owner can remove the key from DNS, effectively invalidating the certificate.

Only a small percentage of domains are DNSSEC-signed, and even fewer publish TLSA records (required for DANE). Additionally, client software support for DANE varies. Chrome, for instance, recently added support for it¹².

Source: Conversation with Copilot, 7/12/2024

(1) CAA Records: An Alternative to DANE for Protecting SSL ... - DomainTools. https://www.domaintools.com/resources/blog/caa-records-an-alternative-to-dane-for-protecting-ssl-tls-certificate-users/.
(2) How does the DANE protocol make Certificate Authorities obsolete?. https://security.stackexchange.com/questions/151960/how-does-the-dane-protocol-make-certificate-authorities-obsolete.
(3) What alternatives are there to the existing Certificate Authority .... https://security.stackexchange.com/questions/23648/what-alternatives-are-there-to-the-existing-certificate-authority-system-for-ssl.
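The three mechanisms listed under Context (a DNSSEC-published binding, a self-signed certificate matched through a TLSA record, and revocation by deleting the record), as an added example that is not from the wiki page or the Copilot conversation it quotes. It assumes the certificate and SubjectPublicKeyInfo DER are handed in as bytes (a real client extracts them from the TLS handshake) and that the TLSA records came from a DNSSEC-validated response, which the code does not perform; the certificate bytes are constructed stand-ins.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo only
    matching: int   # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes

def parse_tlsa(rdata):
    """Parse TLSA presentation format, e.g. '3 1 1 <hex>' (hex may contain spaces)."""
    usage, selector, matching, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex(hexdata.replace(" ", "")))

def _association(cert_der, spki_der, selector, matching):
    """Bytes the record data must equal for this certificate; None if the type is unsupported."""
    raw = spki_der if selector == 1 else cert_der
    hashers = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(), 2: lambda b: hashlib.sha512(b).digest()}
    return hashers[matching](raw) if matching in hashers else None

def tlsa_for_cert(cert_der, spki_der, usage=3, selector=1, matching=1):
    """Record a domain owner publishes for its own (possibly self-signed) certificate."""
    return f"{usage} {selector} {matching} {_association(cert_der, spki_der, selector, matching).hex()}"

def dane_ee_match(cert_der, spki_der, records):
    """True if any usage-3 (DANE-EE) record matches the presented certificate.
    Usage 0-2 records are skipped: they also need PKIX or trust-anchor chain building."""
    for rec in map(parse_tlsa, records):
        if rec.usage != 3:
            continue
        expected = _association(cert_der, spki_der, rec.selector, rec.matching)
        if expected is not None and hmac.compare_digest(expected, rec.data):
            return True
    return False

def demo():
    """Publish, verify, reject a different key, then revoke by deleting the record."""
    cert = b"constructed stand-in for example.test certificate DER"  # constructed sample
    spki = b"constructed stand-in for example.test SubjectPublicKeyInfo DER"  # constructed sample
    zone = {"_443._tcp.example.test": [tlsa_for_cert(cert, spki)]}
    published = dane_ee_match(cert, spki, zone["_443._tcp.example.test"])
    other = dane_ee_match(b"other cert", b"other spki", zone["_443._tcp.example.test"])
    zone["_443._tcp.example.test"].clear()  # owner removes the record: the certificate is no longer accepted
    revoked = dane_ee_match(cert, spki, zone["_443._tcp.example.test"])
    return published, other, revoked
```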

Problems

While no major browsers natively support DANE yet, some browsers may offer support through plugins or extensions; the same applies to other software, such as email clients. If you're interested in experimenting with DANE, you can explore projects like Let's DANE, which enables DANE usage with self-signed certificates.[1] Keep in mind, however, that DANE has essentially no deployment on the web, and no browser currently supports it in either mode: looking up TLSA records over DNSSEC directly, or receiving the DNSSEC chain through a TLS extension.

Learn more on infoblox.com

Solutions

  • See the wiki page on OpenID 2.0 for an example of a standard that supports personal web sites.
  • As of June 27, 2024, Google Chrome does not support DNS-based Authentication of Named Entities (DANE) by default. Chrome does not support DANE because it wants to avoid relying on 1024-bit RSA (still used by some DNSSEC signing keys) within the browser. However, DANE is available as a browser add-on for Chrome: search for "DANE plugin chrome" to find one. For example, CZ.NIC Labs has released a "DNSSEC Validator" extension for Chrome, similar to its existing add-on for Firefox, available in the Chrome Web Store.

References

  1. https://github.com/buffrr/letsdane