4

What is the purpose of DNS-based Authentication of Named Entities (DANE)? And how does it relate to the Domain Name System Security Extensions (DNSSEC)?

Secondly, how can I verify that DANE is configured correctly? Either with a local tool or online tool. And are there known Nmap NSE scripts that perform this check?

Bob Ortiz
  • 6,234
  • 8
  • 43
  • 90

2 Answers

6

DANE allows you (as a domain owner) to specify the possible CAs that are allowed to generate a certificate for your domain. This prevents rogue CAs from issuing a certificate (it will be invalidated by a client that uses DANE to validate the certificate).

From Wikipedia:

DANE enables the administrator of a domain name to certify the keys used in that domain's TLS clients or servers by storing them in the Domain Name System (DNS). DANE needs the DNS records to be signed with DNSSEC for its security model to work.

Here is an online tool that can validate a DANE implementation: https://dane.sys4.de/common_mistakes

oɔɯǝɹ
  • 528
  • 2
  • 6
  • 18
  • 5
    Not only the CA, using DANE it is also possible to specify the public key(s) which are allowed for the domain or even the full certificate. – Josef Jul 19 '16 at 11:47
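Since the question also asks for a local check, here is an added example (not part of the original answer, and not the code behind the linked online tool) of the comparison a DANE verifier performs: it takes TLSA RDATA in the presentation format `dig` prints and a certificate chain, and reports which record matches which certificate in the chain, covering the CA-constraint usages (0 and 2) as well as the end-entity usages (1 and 3) and both selectors and all three matching types. Everything in it is an assumption of the example: the certificates are constructed in the script (structurally valid DER, not really signed) so it runs offline, and `mail.example.com` / `Example CA` are placeholders.

```python
"""
Offline TLSA-record check for DANE (RFC 6698 / RFC 7671).

Added example for this thread, not code from the original answers.  Only the
standard library is used: a tiny DER walker pulls the SubjectPublicKeyInfo
out of an X.509 certificate and hashlib computes the matching-type digests.
The certificates below are CONSTRUCTED for the demo so the script runs
offline; mail.example.com and "Example CA" are placeholder names.
"""
import hashlib


# ---- minimal DER helpers ---------------------------------------------------

def der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Build one DER TLV."""
    return bytes([tag]) + der_len(len(content)) + content


def children(buf):
    """Split a run of DER TLVs into (tag, whole_tlv, content) triples."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, hdr = buf[pos], buf[pos + 1], 2
        if length & 0x80:                                  # long-form length
            nbytes = length & 0x7F
            length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
            hdr += nbytes
        start, end = pos + hdr, pos + hdr + length
        out.append((tag, buf[pos:end], buf[start:end]))
        pos = end
    return out


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (TLSA selector 1)."""
    _, _, cert_body = children(cert_der)[0]               # Certificate ::= SEQUENCE
    _, _, tbs = children(cert_body)[0]                    # tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                              # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, spki, _ = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return spki


# ---- TLSA (RFC 6698 section 2.1) -------------------------------------------

def association_data(cert_der, selector, matching_type):
    """Certificate association data a TLSA record must carry for this certificate."""
    data = {0: cert_der, 1: extract_spki(cert_der)}[selector]   # 0 = full cert, 1 = SPKI
    if matching_type == 0:                                       # 0 = exact content
        return data
    return {1: hashlib.sha256, 2: hashlib.sha512}[matching_type](data).digest()


def tlsa_rdata(cert_der, usage, selector, matching_type):
    """Presentation-format RDATA to publish, e.g. '3 1 1 <hex>' for DANE-EE / SPKI / SHA-256."""
    assoc = association_data(cert_der, selector, matching_type).hex()
    return f"{usage} {selector} {matching_type} {assoc}"


def parse_tlsa(rdata):
    """Parse presentation format as printed by dig (the hex may be split into words)."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def dane_check(records, chain):
    """Return (record, chain_index) for the first TLSA record that matches, else None.

    Per RFC 7671: usages 1 (PKIX-EE) and 3 (DANE-EE) constrain the end-entity
    certificate chain[0]; usages 0 (PKIX-TA) and 2 (DANE-TA) name a CA that must
    appear somewhere in the presented chain.  Usages 0 and 1 additionally require
    ordinary PKIX validation, and every usage requires the TLSA RRset to be
    DNSSEC-validated; neither is done here.
    """
    for rec in records:
        usage, selector, mtype, assoc = parse_tlsa(rec)
        candidates = chain[:1] if usage in (1, 3) else chain
        for i, cert in enumerate(candidates):
            if association_data(cert, selector, mtype) == assoc:
                return rec, i
    return None


# ---- constructed demo certificates (assumption of this example) -----------

OID_RSA = bytes.fromhex("2a864886f70d010101")          # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # sha256WithRSAEncryption
OID_CN = bytes.fromhex("550403")                       # id-at-commonName


def demo_cert(cn, key_bytes):
    """CONSTRUCTED minimal X.509 DER: correct structure, fake key, fake signature."""
    alg = tlv(0x30, tlv(0x06, OID_SHA256_RSA) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, OID_CN) + tlv(0x0C, cn))))
    validity = tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z"))
    spki = tlv(0x30, tlv(0x30, tlv(0x06, OID_RSA) + tlv(0x05, b"")) + tlv(0x03, b"\x00" + key_bytes))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name + validity + name + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + bytes(32)))


if __name__ == "__main__":
    leaf = demo_cert(b"mail.example.com", b"\x42" * 32)
    ca = demo_cert(b"Example CA", b"\x43" * 32)
    published = [tlsa_rdata(leaf, 3, 1, 1)]            # the record you would put in DNS
    print("_25._tcp.mail.example.com. IN TLSA", published[0])
    print("match:", dane_check(published, [leaf, ca]))
    # After a key rotation without a TLSA update the record no longer matches:
    new_leaf = demo_cert(b"mail.example.com", b"\x44" * 32)
    print("after rotation:", dane_check(published, [new_leaf, ca]))
```

To run the same comparison against a real host, replace the constructed certificates with the DER chain from `openssl s_client -showcerts -connect mail.example.com:25 -starttls smtp` and the records from `dig +dnssec TLSA _25._tcp.mail.example.com`; since OpenSSL 1.1.0 `s_client` can also do the match itself with `-dane_tlsa_domain` and `-dane_tlsa_rrdata`. Two things the script deliberately leaves out are exactly the points the answers make: it does not validate the DNSSEC chain that makes the TLSA RRset trustworthy (look for the AD flag in a validating resolver's reply), and for usages 0 and 1 it does not run the PKIX validation those usages still require.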
1

The primary goal of DANE is to allow a DNS provider to provide a certificate for a domain as a DNS record. The work performed by a CA now - specifically, domain validation, i.e. matching a public key to a domain - would be done by a DNS provider instead of a CA.

As DNS records are required to be trusted in this scenario, DNSSEC is a requirement for DANE.

mikemaccana
  • 413
  • 3
  • 14
  • Partially true. To trust the certificate it must be signed by a 3rd party; in this case you sign the certificate yourself as the DNS operator, following the chain from the root, so you operate as an intermediate CA, as opposed to signing the certificate with a publicly trusted root certificate. `trustworthy` I would disagree with: there is no external entity to validate whether your certificate is good or malicious. – Jacob Evans May 30 '17 at 12:41
  • 1
    @JacobEvans I've modified my language, as I did not wish to imply that DNS was trustworthy, but merely that DANE trusts DNS and hence the DNSSEC dependency. – mikemaccana May 30 '17 at 12:57