TLSA

From MgmtWiki

Full Title or Meme

The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA

Context

DNS-based Authentication of Named Entities (DANE) uses TLSA records to strengthen TLS by binding a server's certificate, or its public key, to a domain name through DNS rather than relying only on the public CA system. Key points about the status and usage of TLSA:
TLSA Records: A TLSA record is published by the domain owner at an owner name of the form _port._protocol.hostname (for example _25._tcp.mail.example.com) and can be looked up by anyone. It carries four fields: the certificate usage (0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE), the selector (0 full certificate, 1 SubjectPublicKeyInfo), the matching type (0 exact, 1 SHA-256, 2 SHA-512) and the certificate association data. Its presence signals TLS support and publishes the DANE policy for that service.
DANE for SMTP: DANE is particularly useful for securing mail transport. A sending server that finds a validated TLSA record for the receiving mail server knows that STARTTLS must be offered (so a downgrade to cleartext is detectable) and that the certificate presented in the TLS handshake must match the data in the TLSA record, which defeats Man-in-the-Middle (MITM) attacks using a fraudulent certificate.
DNSSEC Dependency: TLSA records are only usable when the zone is signed and the client validates the record with DNSSEC; an unvalidated TLSA record must be ignored, because otherwise an attacker who can spoof DNS answers could also spoof the certificate binding. DNSSEC is what guarantees that the record is authentic and has not been tampered with.
Lookup Tools: You can check TLSA records with dig on Linux or Mac (for example dig TLSA _25._tcp.mail.example.com +dnssec, and look for the AD flag in the answer), or with online TLSA lookup tools.
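The record format and matching rules described above, as an added worked example that is not code from MgmtWiki, RFC 6698 or any DANE implementation. It builds a TLSA record from a certificate, parses the presentation format, and checks a presented chain against the record, refusing to use a record that was not DNSSEC-validated. It uses only the Python standard library; the certificate is a constructed, unsigned placeholder with the real X.509 field layout (issuer, subject, validity and signature are empty) so the example runs offline. The function names and the sample key bytes are this example's own assumptions; PKIX path validation for usages 0 and 1, and chain building to the trust anchor for usage 2, are out of scope here.

```python
"""Added example: build, parse and match DANE TLSA records (RFC 6698 semantics)."""
import hashlib
from dataclasses import dataclass


def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; used only to construct the placeholder certificate."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_children(buf: bytes) -> list:
    """Split a DER value into (tag, whole_tlv_bytes, inner_value) tuples."""
    out, pos = [], 0
    while pos < len(buf):
        start = pos
        tag = buf[pos]; pos += 1
        length = buf[pos]; pos += 1
        if length & 0x80:                       # long-form length
            n = length & 0x7F
            length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
        inner = buf[pos:pos + length]
        pos += length
        out.append((tag, buf[start:pos], inner))
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV, the input for selector 1."""
    cert_body = der_children(cert_der)[0][2]    # inside Certificate SEQUENCE
    tbs = der_children(cert_body)[0][2]         # inside tbsCertificate SEQUENCE
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name where the record is published, e.g. _25._tcp.mail.example.com."""
    return f"_{port}._{proto}.{host}."


def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Compute the association data for one certificate per selector and matching type."""
    obj = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return obj
    if mtype == 1:
        return hashlib.sha256(obj).digest()
    if mtype == 2:
        return hashlib.sha512(obj).digest()
    raise ValueError(f"unknown matching type {mtype}")


def make_tlsa(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation format of a record for this certificate (default DANE-EE, SPKI, SHA-256)."""
    return f"{usage} {selector} {mtype} {association_data(cert_der, selector, mtype).hex()}"


def parse_tlsa(presentation: str) -> TLSA:
    """Parse 'usage selector mtype hexdata' as printed by dig."""
    u, s, m, hexdata = presentation.split(None, 3)
    return TLSA(int(u), int(s), int(m), bytes.fromhex(hexdata.replace(" ", "")))


def tlsa_matches(record: TLSA, chain: list, dnssec_validated: bool) -> bool:
    """Does the presented chain (leaf first) satisfy the record?

    An unvalidated TLSA RRset must not be used at all, so the AD/validation
    status is checked before any certificate comparison.
    """
    if not dnssec_validated:
        return False
    # Usages 1 and 3 bind the end-entity certificate; usages 0 and 2 bind a
    # trust anchor that may appear anywhere in the presented chain.
    candidates = chain[:1] if record.usage in (1, 3) else chain
    return any(association_data(c, record.selector, record.mtype) == record.data
               for c in candidates)


def constructed_sample_cert(pubkey_bits: bytes) -> bytes:
    """Constructed, unsigned placeholder certificate (not a real X.509 cert)."""
    rsa_oid = der_encode(0x06, bytes.fromhex("2A864886F70D010101"))  # 1.2.840.113549.1.1.1
    alg_id = der_encode(0x30, rsa_oid + der_encode(0x05, b""))
    spki = der_encode(0x30, alg_id + der_encode(0x03, b"\x00" + pubkey_bits))
    tbs = der_encode(0x30,
                     der_encode(0xA0, der_encode(0x02, b"\x02"))   # version v3
                     + der_encode(0x02, b"\x01")                   # serial number
                     + alg_id                                      # signature algorithm
                     + der_encode(0x30, b"")                       # issuer (placeholder)
                     + der_encode(0x30, b"")                       # validity (placeholder)
                     + der_encode(0x30, b"")                       # subject (placeholder)
                     + spki)
    return der_encode(0x30, tbs + alg_id + der_encode(0x03, b"\x00"))


if __name__ == "__main__":
    leaf = constructed_sample_cert(b"\x01\x02\x03")      # sample key bits, constructed
    record = parse_tlsa(make_tlsa(leaf))
    print(tlsa_owner_name("mail.example.com", 25), "IN TLSA", make_tlsa(leaf))
    print("validated match:", tlsa_matches(record, [leaf], dnssec_validated=True))
    print("unvalidated record used:", tlsa_matches(record, [leaf], dnssec_validated=False))
```

The default record type, "3 1 1", is the one usually recommended for SMTP because it pins the server's public key rather than a specific certificate, so routine certificate renewals with the same key do not require a DNS change.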

References

[RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA", RFC 6698, DOI 10.17487/RFC6698, August 2012, <https://www.rfc-editor.org/rfc/rfc6698>.