DANE

DANE (DNS-based Authentication of Named Entities) is a protocol to allow X.509 certificates, commonly used for Transport Layer Security (TLS), to be bound to DNS names using Domain Name System Security Extensions (DNSSEC).

Warning: This is not a trivial article. Be aware that you make sure you know what you are doing. Read Common Mistakes before going any further.

Resource Record

TLSA resource record is an own type of DNS record. It consists of port number and protocol of the service secured by it. An example record for port 25 over tcp could look like _25._tcp.example.com IN TLSA 3 0 1 $DATA. The TLSA parameters 3 0 1 are explaining the data following it. The first number is the Certificate Usage Field, the second is the Selector Field and the third is named Matching Type Field.

Certificate Usage Field
ValueNameDescription
0PKIX trust anchorHash contains a public CA from the x509 tree by which your cert has to be signed
1PKIX end entityHash contains your cert which also has to pass x509 validation
2DANE trust anchorHash contains a private CA (unknown to the x509 tree) by which your cert has to be signed
3DANE end entityHash contains your cert which is not matched against any other validation
Note: Certificate Usage 0 and 1 are not allowed for use with email servers (port 25). See RFC 7672 3.1.3 for details.
Selector Field
ValueNameDescription
0certDATA is based on the full cert
1SPKIDATA is based on public key only
Matching Type Field
ValueNameDescription
0FullDATA is the full cert or SPKI
1sha256DATA is the sha256 hash of the cert or SPKI
2sha512DATA is the sha512 hash of the cert or SPKI

The RR can also easily be generated with ldns-dane from ldns.

DANE supporting software

gollark: Yes, Elm bad?
gollark: Oh, it broke in some incomprehensible way during `npm install`.
gollark: Thus, I am using Apioprotocol ̛ĸ-84 instead of ¢-93.
gollark: Yes.
gollark: I use CC: Tweaked, which is maintained, that's NOT THE APIOPOINT.

See also

This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.