Main Hero

DANE

DANE, or DNS-based Authentication of Named Entities, is a security protocol that uses DNSSEC to associate domain names with cryptographic certificates. It allows domain owners to specify which TLS certificates are valid for their services, removing reliance on traditional certificate authorities alone. By publishing TLSA records in DNS, DANE enables clients to verify that a server’s certificate is explicitly authorised by the domain itself.

In email systems, DANE is primarily used to secure SMTP connections between mail servers. It ensures that when a sending server connects to a receiving server using TLS, the certificate presented can be validated against DNS records secured by DNSSEC. This prevents man in the middle attacks and certificate spoofing, which can occur when relying solely on public certificate authorities.

DANE strengthens trust in encrypted communications by shifting validation control to the domain owner. It is particularly valuable in high security environments where assurance of server identity is critical.

Advanced

DANE relies on DNSSEC to provide authenticity and integrity of DNS records. Without DNSSEC, TLSA records cannot be trusted. TLSA records define how a certificate should be matched, including whether the full certificate or just the public key is validated. These records are published under a specific naming convention such as _port._protocol.domain.

In SMTP, DANE operates in conjunction with opportunistic TLS. When a sending server supports DANE, it queries for TLSA records associated with the recipient’s mail server. If valid records are found, the server enforces strict certificate validation based on those records. If validation fails, the message is not delivered, ensuring secure transport.

Deployment requires coordination across DNS, certificate management, and mail server configuration. Adoption has been slower compared to other standards due to DNSSEC requirements and operational complexity. However, it provides stronger guarantees than mechanisms that rely solely on certificate authorities.

Relevance

  • Enhances TLS security by binding certificates to DNS
  • Reduces reliance on third party certificate authorities
  • Protects against man in the middle and spoofing attacks
  • Strengthens secure email delivery between servers

Applications

  • Securing SMTP connections with verified TLS certificates
  • Enforcing certificate validation using DNSSEC
  • Protecting sensitive communications across infrastructure
  • Supporting high assurance security environments

Metrics

  • TLSA record validation success rates
  • DNSSEC integrity and validation status
  • Secure email delivery success versus failure rates
  • Certificate mismatch or validation error frequency

Issues

  • Lack of DNSSEC preventing DANE implementation
  • Complex configuration across DNS and mail systems
  • Limited adoption reducing universal compatibility
  • Misconfigured TLSA records causing delivery failures

Example

A domain enables DNSSEC and publishes TLSA records for its mail servers. When another mail server attempts to deliver email, it validates the TLS certificate against the TLSA record. If the certificate matches, the connection proceeds securely. If not, the delivery is halted, preventing potential interception or spoofing.