DANE
Full Title or Meme
One option for binding TLS certificates to DNS names is DANE (DNS-Based Authentication of Named Entities).
Context
1. **DNSSEC**: DANE relies on DNSSEC (Domain Name System Security Extensions), which creates a cryptographically-signed trust hierarchy for domain names. This hierarchy ensures that DNS responses are validated and secure.
2. **Self-Signed Certificates**: With DANE, domain owners can create their own SSL/TLS certificates for their domains. These self-signed certificates are inserted into the DNS hierarchy of trusted keys. Essentially, the domain owner has full control over certificate issuance.
3. **Revocation**: Revoking a certificate is simpler with DANE. If needed, the domain owner can remove the key from DNS, effectively invalidating the certificate.
Only a small percentage of domains are DNSSEC-signed, and even fewer publish TLSA records (required for DANE). Additionally, client software support for DANE varies. Chrome, for instance, recently added support for it.[1][2]
Source: Conversation with Copilot, 7/12/2024
(1) CAA Records: An Alternative to DANE for Protecting SSL ... - DomainTools. https://www.domaintools.com/resources/blog/caa-records-an-alternative-to-dane-for-protecting-ssl-tls-certificate-users/
(2) How does the DANE protocol make Certificate Authorities obsolete? https://security.stackexchange.com/questions/151960/how-does-the-dane-protocol-make-certificate-authorities-obsolete
(3) What alternatives are there to the existing Certificate Authority .... https://security.stackexchange.com/questions/23648/what-alternatives-are-there-to-the-existing-certificate-authority-system-for-ssl
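The three points above (DNSSEC-published keys, owner-issued certificates, revocation by deleting the record) all come down to the TLSA record, which binds a port and protocol name such as _443._tcp.example.com to either a whole certificate or just its public key. As an added example (not from the page, from Copilot, or from any of the cited sources), the following Python shows what a domain owner publishes and what a DANE-aware client checks against a presented certificate chain. It assumes only the standard library: the certificate is constructed placeholder DER with the right outer shape, not a real X.509 certificate, and the DER reader is a minimal one written for this example.

```python
"""Build and check DANE TLSA associations (RFC 6698) from DER certificate bytes.
Standalone example: hashlib only, with a tiny DER reader instead of an X.509 library."""
import hashlib


def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER element (tag, length, value); used here to construct the sample cert."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def der_read(buf: bytes, pos: int):
    """Decode the element at pos; return (tag, value, end) with end just past the element."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def der_children(seq_value: bytes):
    """Yield (tag, raw_element_bytes) for each element inside a SEQUENCE value."""
    pos = 0
    while pos < len(seq_value):
        tag, _, end = der_read(seq_value, pos)
        yield tag, seq_value[pos:end]
        pos = end


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of a certificate (the input for selector 1).
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { version [0] EXPLICIT OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_value, _ = der_read(cert_der, 0)
    _, tbs_value, _ = der_read(cert_value, 0)
    fields = list(der_children(tbs_value))
    if fields and fields[0][0] == 0xA0:  # explicit [0] version present: skip it
        fields = fields[1:]
    return fields[5][1]  # serial, signature, issuer, validity, subject, SPKI


def tlsa_matching_data(cert_der: bytes, selector: int, matching_type: int) -> bytes:
    """Association data: selector 0 = full cert, 1 = SPKI; matching 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    if selector == 0:
        data = cert_der
    elif selector == 1:
        data = extract_spki(cert_der)
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_record(name, port, proto, usage, selector, matching_type, cert_der) -> str:
    """Presentation-format TLSA record the domain owner publishes (and DNSSEC-signs)."""
    assoc = tlsa_matching_data(cert_der, selector, matching_type).hex()
    return f"_{port}._{proto}.{name}. IN TLSA {usage} {selector} {matching_type} {assoc}"


def parse_tlsa_rdata(rdata: str):
    """Parse 'usage selector matching_type hexdata' into a tuple."""
    usage, selector, mtype, assoc = rdata.split()
    return int(usage), int(selector), int(mtype), assoc.lower()


def tlsa_matches(cert_der, selector, matching_type, assoc_hex) -> bool:
    return tlsa_matching_data(cert_der, selector, matching_type).hex() == assoc_hex.lower()


def dane_verify(chain, usage, selector, matching_type, assoc_hex) -> bool:
    """Apply the certificate-usage semantics of RFC 6698 section 2.1.1 to a presented chain
    (chain[0] is the end-entity certificate). Usages 1 (PKIX-EE) and 3 (DANE-EE) constrain
    chain[0]; usages 0 (PKIX-TA) and 2 (DANE-TA) constrain an issuer certificate in the chain.
    Usages 0 and 1 additionally require ordinary PKIX path validation, not done here."""
    if usage in (1, 3):
        candidates = chain[:1]
    elif usage in (0, 2):
        candidates = chain[1:]
    else:
        raise ValueError(f"unknown certificate usage {usage}")
    return any(tlsa_matches(c, selector, matching_type, assoc_hex) for c in candidates)


# Constructed sample certificate (NOT a real or valid X.509 cert): just enough DER structure
# for extract_spki to find the SubjectPublicKeyInfo. Key bytes are a placeholder pattern.
SAMPLE_SPKI = der_tlv(0x30,
    der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a8648ce3d0201")))  # AlgorithmIdentifier (ecPublicKey OID)
    + der_tlv(0x03, b"\x00" + bytes(range(1, 66))))                 # BIT STRING, placeholder key
EMPTY_SEQ = der_tlv(0x30, b"")
SAMPLE_TBS = der_tlv(0x30,
    der_tlv(0xA0, der_tlv(0x02, b"\x02"))                # version [0] EXPLICIT, v3
    + der_tlv(0x02, b"\x01")                             # serialNumber
    + EMPTY_SEQ + EMPTY_SEQ + EMPTY_SEQ + EMPTY_SEQ      # signature, issuer, validity, subject
    + SAMPLE_SPKI)
SAMPLE_CERT = der_tlv(0x30, SAMPLE_TBS + EMPTY_SEQ + der_tlv(0x03, b"\x00"))

if __name__ == "__main__":
    record = tlsa_record("example.com", 443, "tcp", 3, 1, 1, SAMPLE_CERT)  # DANE-EE, SPKI, SHA-256
    print(record)
    usage, selector, mtype, assoc = parse_tlsa_rdata(record.split(" IN TLSA ")[1])
    print("presented certificate matches TLSA record:",
          dane_verify([SAMPLE_CERT], usage, selector, mtype, assoc))
```

The "3 1 1" form (DANE-EE, SubjectPublicKeyInfo, SHA-256) is the one that lets the owner skip a CA entirely: only the key hash is published, so the certificate can be re-issued freely as long as the key stays the same, and revocation is simply deleting the record. The check is only meaningful when the TLSA lookup itself was DNSSEC-validated; an unsigned answer proves nothing, which is why the first point in the Context list is a precondition for the other two.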
Problems
While no major browsers natively support DANE yet, some browsers may offer support through plugins or extensions. The same applies to other software, such as email clients.[1] If you’re interested in experimenting with DANE, you can explore projects like Let’s DANE, which enables DANE usage with self-signed certificates.[1] However, keep in mind that DANE has essentially no deployment on the web, and no browser currently supports it in either the main DNSSEC or the TLS extension mode.
Source: infoblox.com
Solutions
- See the wiki page on OpenID 2.0 for an example of a standard that supports personal web sites.