DANE

From MgmtWiki
Revision as of 14:38, 12 July 2024 by Tom (talk | contribs) (References)


Full Title or Meme

One alternative to the certificate-authority trust model for TLS is DANE (DNS-Based Authentication of Named Entities), which binds a server's certificate or public key to its DNS name through DNSSEC-signed TLSA records.

Context

1. **DNSSEC**: DANE relies on DNSSEC (Domain Name System Security Extensions), which creates a cryptographically-signed trust hierarchy for domain names. This hierarchy ensures that DNS responses are validated and secure.

2. **Self-Signed Certificates**: With DANE, domain owners can create their own SSL/TLS certificates for their domains. These self-signed certificates are inserted into the DNS hierarchy of trusted keys. Essentially, the domain owner has full control over certificate issuance.

3. **Revocation**: Revoking a certificate is simpler with DANE. If needed, the domain owner can remove the key from DNS, effectively invalidating the certificate.

However, it's worth noting that DANE adoption has been limited so far. Only a small percentage of domains are DNSSEC-signed, and even fewer publish TLSA records (required for DANE). Additionally, client software support for DANE varies. Chrome, for instance, recently added support for it¹².

Feel free to explore DANE further, and let me know if you have any other questions! 😊

Source: Conversation with Copilot, 7/12/2024

(1) CAA Records: An Alternative to DANE for Protecting SSL ... - DomainTools. https://www.domaintools.com/resources/blog/caa-records-an-alternative-to-dane-for-protecting-ssl-tls-certificate-users/.
(2) How does the DANE protocol make Certificate Authorities obsolete?. https://security.stackexchange.com/questions/151960/how-does-the-dane-protocol-make-certificate-authorities-obsolete.
(3) What alternatives are there to the existing Certificate Authority .... https://security.stackexchange.com/questions/23648/what-alternatives-are-there-to-the-existing-certificate-authority-system-for-ssl.
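The points above (the domain owner publishes its own key in DNS as a TLSA record, and removing the record revokes it) are easier to see with the record format in hand. The following is an added example, not code from the wiki or from any DANE implementation: it builds the `_port._proto.host` owner name, parses and validates TLSA rdata (usage, selector, matching type, association data per RFC 6698), and checks a DER certificate against a record. The certificate is a constructed, unsigned X.509-shaped DER blob produced by `make_fake_cert` purely so the example runs offline; the names `make_fake_cert`, `demo` and `rdata_is_valid` are this example's own.

```python
"""DANE TLSA helpers (RFC 6698 semantics), standard library only.
Added example: the X.509 data below is constructed for the demo."""
import hashlib
from dataclasses import dataclass

# --- minimal DER helpers, enough to build the demo cert and pull out its SPKI ---

def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + der_len(len(payload)) + payload

def der_read(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    return tag, buf[start:start + length], start + length

def der_children(payload: bytes):
    """List of (tag, full TLV bytes) for each element of a constructed value."""
    out, pos = [], 0
    while pos < len(payload):
        tag, _, nxt = der_read(payload, pos)
        out.append((tag, payload[pos:nxt]))
        pos = nxt
    return out

def spki_from_cert(cert_der: bytes) -> bytes:
    """DER-encoded SubjectPublicKeyInfo (what TLSA selector 1 covers)."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs_tlv = der_children(cert_body)[0]          # tbsCertificate
    _, tbs_body, _ = der_read(tbs_tlv)
    fields = der_children(tbs_body)
    idx = 6 if fields[0][0] == 0xA0 else 5          # [0] version is optional (v1 certs)
    return fields[idx][1]

# --- TLSA record handling ---

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes

_DIGEST_LEN = {1: 32, 2: 64}
_DIGEST_NAME = {1: "sha256", 2: "sha512"}

def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    return f"_{port}._{proto}.{host.rstrip('.')}."

def parse_tlsa(rdata: str) -> TLSA:
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("TLSA rdata needs: usage selector mtype data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    data = bytes.fromhex("".join(parts[3:]))         # zone files may split the hex
    if usage not in range(4) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA usage/selector/matching type")
    if mtype in _DIGEST_LEN and len(data) != _DIGEST_LEN[mtype]:
        raise ValueError(f"matching type {mtype} needs {_DIGEST_LEN[mtype]} bytes")
    return TLSA(usage, selector, mtype, data)

def rdata_is_valid(rdata: str) -> bool:
    try:
        parse_tlsa(rdata)
        return True
    except ValueError:
        return False

def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    selected = cert_der if selector == 0 else spki_from_cert(cert_der)
    return selected if mtype == 0 else hashlib.new(_DIGEST_NAME[mtype], selected).digest()

def build_tlsa(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Zone-file rdata for publishing; the default is the recommended '3 1 1' form."""
    return f"{usage} {selector} {mtype} {association_data(cert_der, selector, mtype).hex()}"

def cert_matches(record: TLSA, cert_der: bytes) -> bool:
    return association_data(cert_der, record.selector, record.mtype) == record.data

# --- constructed demo certificate (not a real, signed certificate) ---

def make_fake_cert(key_bytes: bytes, serial: int = 1) -> bytes:
    oid_rsa = der(0x06, bytes.fromhex("2a864886f70d010101"))     # rsaEncryption
    alg = der(0x30, oid_rsa + der(0x05, b""))                     # AlgorithmIdentifier
    spki = der(0x30, alg + der(0x03, b"\x00" + key_bytes))        # SubjectPublicKeyInfo
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial])) + alg
              + der(0x30, b"") + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
              + der(0x30, b"") + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\xAA" * 16))  # dummy signature

KEY = b"\x01\x02\x03\x04" * 8
CERT = make_fake_cert(KEY)
REISSUED = make_fake_cert(KEY, serial=2)       # same key, new certificate bytes
OTHER = make_fake_cert(b"\x09" * 32)           # different key

def demo() -> dict:
    spki_rec = parse_tlsa(build_tlsa(CERT, 3, 1, 1))   # 3 1 1: pin the key
    cert_rec = parse_tlsa(build_tlsa(CERT, 3, 0, 1))   # 3 0 1: pin the whole cert
    return {
        "owner": tlsa_owner_name("example.com", 443),
        "matches_own_cert": cert_matches(spki_rec, CERT),
        "matches_other_key": cert_matches(spki_rec, OTHER),
        "spki_record_survives_reissue": cert_matches(spki_rec, REISSUED),
        "cert_record_survives_reissue": cert_matches(cert_rec, REISSUED),
    }

if __name__ == "__main__":
    print(build_tlsa(CERT))
    print(demo())
```

The `demo` result shows why the "3 1 1" form (DANE-EE, SPKI, SHA-256) is the usual recommendation: a record that pins the key keeps matching when the certificate is reissued with the same key, while a selector-0 record has to be republished with every reissue. A real client must also verify the DNSSEC signatures on the TLSA response before trusting it, which this example does not do; without that check the record is just unauthenticated DNS data.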

References