DANE

From MgmtWiki

Full Title or Meme

DANE (DNS-Based Authentication of Named Entities, RFC 6698) is one option for binding a TLS server's certificate or public key to its DNS name: the binding is published in DNS as a TLSA record and protected by DNSSEC, instead of (or in addition to) being vouched for by a certificate authority.

Context

1. **DNSSEC**: DANE relies on DNSSEC (Domain Name System Security Extensions), which creates a cryptographically-signed trust hierarchy for domain names. This hierarchy ensures that DNS responses are validated and secure.

2. **Self-Signed Certificates**: With DANE, domain owners can create their own TLS (SSL) certificates for their domains. These self-signed certificates are inserted into the DNS hierarchy of trusted keys. Essentially, the domain owner has full control over certificate issuance.

3. **Revocation**: Revoking a certificate is simpler with DANE. If needed, the domain owner can remove the key from DNS, effectively invalidating the certificate.

Only a small percentage of domains are DNSSEC-signed, and even fewer publish TLSA records (required for DANE). Additionally, client software support for DANE varies. Chrome, for instance, recently added support for it (1)(2).

Source: Conversation with Copilot, 7/12/2024

(1) CAA Records: An Alternative to DANE for Protecting SSL ... - DomainTools. https://www.domaintools.com/resources/blog/caa-records-an-alternative-to-dane-for-protecting-ssl-tls-certificate-users/.
(2) How does the DANE protocol make Certificate Authorities obsolete?. https://security.stackexchange.com/questions/151960/how-does-the-dane-protocol-make-certificate-authorities-obsolete.
(3) What alternatives are there to the existing Certificate Authority .... https://security.stackexchange.com/questions/23648/what-alternatives-are-there-to-the-existing-certificate-authority-system-for-ssl.
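The three points in the Context section (TLSA records that are only meaningful under DNSSEC, owner-issued certificates via DANE-EE, and revocation by changing the record) can be shown in code. The following Python is an added example written for this page, not code from the page, from Copilot, or from any DANE implementation. It builds TLSA certificate association data from a certificate's DER (selector 0 = full certificate, selector 1 = subjectPublicKeyInfo; matching type 0/1/2 = exact/SHA-256/SHA-512), renders the usual "3 1 1 <hex>" presentation form, and checks a presented certificate against a TLSA RRset. The certificate comes from `fake_cert`, a constructed stand-in with the real X.509 field order and real OIDs but placeholder issuer, validity, subject and signature; the DER helpers are only sufficient for that positional walk, and the `dnssec_validated` flag stands in for the answer a validating resolver would give.

```python
"""TLSA (RFC 6698) record construction and DANE-EE matching; added example."""
import hashlib


def der_encode(tag, content):
    """Encode one DER TLV with a definite length (content up to 65535 bytes)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


def der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    k = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + k], "big"), pos + 1 + k


def der_children(tlv):
    """Split a constructed DER TLV (SEQUENCE, [0], ...) into its child TLVs."""
    n, pos = der_length(tlv, 1)
    body = tlv[pos:pos + n]
    out, i = [], 0
    while i < len(body):
        clen, cpos = der_length(body, i + 1)
        out.append(body[i:cpos + clen])
        i = cpos + clen
    return out


def spki_from_cert(cert_der):
    """Return the DER subjectPublicKeyInfo of an X.509 certificate.

    Certificate = SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    tbsCertificate = SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    fields = der_children(der_children(cert_der)[0])
    if fields[0][0] == 0xA0:        # explicit [0] version tag present
        fields = fields[1:]
    return fields[5]


def tlsa_assoc_data(cert_der, selector, matching_type):
    """Certificate association data per RFC 6698 sections 2.1.2 and 2.1.3."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)   # selector 1 = SPKI
    if matching_type == 0:
        return data                                # exact match
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def tlsa_record(cert_der, usage=3, selector=1, matching_type=1):
    """Presentation form, e.g. '3 1 1 <hex>': DANE-EE, SPKI, SHA-256 (the usual choice)."""
    return f"{usage} {selector} {matching_type} " + tlsa_assoc_data(cert_der, selector, matching_type).hex()


def dane_ee_matches(cert_der, tlsa_rrset, dnssec_validated):
    """True if some DANE-EE (usage 3) record in the RRset matches the presented cert.

    The RRset is only usable if it came back DNSSEC-validated (RFC 6698 section 4.1);
    unsigned or bogus TLSA data must be ignored. Any single matching record suffices.
    """
    if not dnssec_validated:
        return False
    for rec in tlsa_rrset:
        usage, selector, mtype, hexdata = rec.split()
        if int(usage) != 3:
            continue     # usages 0-2 additionally need PKIX chain validation; not handled here
        if tlsa_assoc_data(cert_der, int(selector), int(mtype)) == bytes.fromhex(hexdata):
            return True
    return False


def fake_cert(public_key, serial):
    """Constructed stand-in for a DER certificate: real field order, placeholder names/dates.

    public_key is used as the BIT STRING payload of subjectPublicKeyInfo (e.g. 65 bytes
    for an uncompressed P-256 point); the OIDs are ecPublicKey and ecdsa-with-SHA256.
    """
    def seq(*parts):
        return der_encode(0x30, b"".join(parts))
    ec_pubkey = der_encode(0x06, bytes.fromhex("2a8648ce3d0201"))
    ecdsa_sha256 = seq(der_encode(0x06, bytes.fromhex("2a8648ce3d040302")))
    spki = seq(seq(ec_pubkey), der_encode(0x03, b"\x00" + public_key))
    tbs = seq(der_encode(0xA0, der_encode(0x02, b"\x02")),   # version v3
              der_encode(0x02, bytes([serial])),             # serialNumber
              ecdsa_sha256, seq(), seq(), seq(),             # signature, issuer, validity, subject
              spki)
    return seq(tbs, ecdsa_sha256, der_encode(0x03, b"\x00" * 9))   # signature placeholder


if __name__ == "__main__":
    old_cert = fake_cert(bytes(range(65)), 1)          # constructed sample key material
    new_cert = fake_cert(bytes(range(64, -1, -1)), 2)
    rrset = [tlsa_record(old_cert)]                    # what the zone publishes today
    print(rrset[0])
    print("old cert, validated:", dane_ee_matches(old_cert, rrset, True))
    print("old cert, unvalidated:", dane_ee_matches(old_cert, rrset, False))
    rrset.append(tlsa_record(new_cert))                # rotation: publish new alongside old
    print("new cert during overlap:", dane_ee_matches(new_cert, rrset, True))
    rrset.pop(0)                                       # "revocation": drop the old record
    print("old cert after removal:", dane_ee_matches(old_cert, rrset, True))
```

The `dnssec_validated` gate is the check that matters: RFC 6698 requires TLSA records to be DNSSEC-validated before use, so in real code the flag must come from a validator you control (an in-process validator or the AD bit from a trusted local resolver), never from an arbitrary upstream resolver. Rotation and revocation follow from the matching rule: publish the new record alongside the old, switch the server to the new key, then remove the old record; a removed record stops matching only once resolver caches have expired, so the record's TTL is the effective revocation delay.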

Problems

No major browser natively supports DANE; where it is available at all in a browser or email client, it comes through a plugin or extension. If you want to experiment with DANE for HTTPS, the Let's DANE (letsdane) project[1] runs as a local proxy that validates TLSA records on the application's behalf; it is typically used with self-signed certificates, since a DANE-EE record makes a CA-issued certificate unnecessary. Keep in mind, though, that DANE has essentially no deployment on the HTTPS web: no browser validates TLSA records, either by performing its own DNSSEC-validated lookup or through the TLS DNSSEC-chain extension. Where DANE is actually deployed is SMTP transport security (RFC 7672), where mail servers such as Postfix validate the TLSA records of the peer MX host.


Solutions

  • See the wiki page on OpenID 2.0 for an example of a standard that supports personal web sites.
  • As of June 27, 2024, Google Chrome does not support DNS-based Authentication of Named Entities (DANE) by default. Chrome's stated reason was to avoid having the browser depend on 1024-bit RSA signatures, which were widespread in DNSSEC at the time (the root zone's zone-signing key was 1024-bit RSA until 2016). What is available for Chrome is an extension: CZ.NIC Labs released a "DNSSEC Validator" extension for Chrome, similar to its existing Firefox add-on, which can be found in the Chrome Web Store. Note that an extension can only display DNSSEC or TLSA status; it cannot change how Chrome's own TLS stack validates the server certificate, so it adds no enforcement. Check whether such an extension is still maintained before relying on it.

References

  1. https://github.com/buffrr/letsdane