Questions tagged [dane]
12 questions
5 votes, 2 answers
With DNSSEC, is there any benefit in DANE for a CA-issued Cert?
I just deployed DNSSEC at val-id.com and getvalid.com
Since DNSSEC is a requirement of DANE, and I have a CA-based certificate, can I show my support for DANE-based deployments by publishing my CA-based cert into DNS?
My concern is consistency in…
makerofthings7
4 votes, 1 answer
Security of DNSSEC without NSEC
DNSSEC uses NSEC (or NSEC3) records to indicate that a requested domain name does not exist. NSEC has been criticized because it allows zone enumeration.
What breaks if DNSSEC is implemented without NSEC records, that is, what if there is no…
yyy
4 votes, 2 answers
What is the purpose of DNS-based Authentication of Named Entities (DANE) and how does it relate to DNSSEC?
What is the purpose of DNS-based Authentication of Named Entities (DANE)? And how does it relate to the Domain Name System Security Extensions (DNSSEC)?
Secondly, how can I verify that DANE is configured correctly? Either with a local tool or online…
Bob Ortiz
3 votes, 1 answer
Email, Certificates and DANE
Does DANE offer the ability to provide certificates for services? Or is it just hosts?
How does one specify a mail server with DANE? If my email is jd@foo.com but mail.bar.com is the email server, then do I publish mail.bar.com for the foo.com…
user29925
3 votes, 2 answers
Is it okay to publish TLSA records for non-DNSSEC CNAME'ed services?
In the scenario with two domain names
example.com secured with DNSSEC
example.org not secured with DNSSEC
and a mail service running at smtp.example.org:
I want to secure the mail service using TLSA/DANE. Is this somehow possible and can I expect…
Dons
3 votes, 1 answer
Why is the DANE protocol depending on DNSSEC?
Why is the DNS-based Authentication of Named Entities (DANE) protocol depending on Domain Name System Security Extensions (DNSSEC)?
Bob Ortiz
2 votes, 1 answer
SSH like promiscuity for HTTPS
I want to build something, but I haven't seen it before. Maybe you have?
I'd like to build an HTML5 app, served to modern browsers and phones from a microcomputer (e.g. BBB). The microcomputer would be an open Access Point (not necessarily…
Michael Cole
1 vote, 2 answers
Use DANE to authenticate mail sender
I have my own virtual DNS infrastructure, from the root to the mail server mail.example.com. Everything is signed using DNSSEC.
client1@example.com can send email to client2@example.com, digitally signed with his certificate. As both the clients…
TomatoGuy
1 vote, 1 answer
Non-TLS-authoritative ZSKs?
Under DANE, the digital chain of trust goes (roughly):
[Public visibility of the ceremony for the generation of the]
ICANN Root Zone Key, which
something something involving the TLD authorities and registrars, which culminates in validation of…
JamesTheAwesomeDude
1 vote, 2 answers
Is DANE the DNS-variant of HTTP Public Key Pinning (HPKP)?
I’m trying to understand DANE and TLSA records more accurately. Is it fair to call DANE the DNS-variant of (or at least a very similar technique to) HTTP Public Key Pinning (HPKP)?
Because with HPKP an SSL certificate can be pinned using an HTTP…
Bob Ortiz
1 vote, 1 answer
How does the DANE protocol make Certificate Authorities obsolete?
How does the DNS-based Authentication of Named Entities (DANE) protocol make Certificate Authorities (CA) obsolete?
In other words: How is it technically possible that DANE does not need Certificate Authorities?
Bob Ortiz
0 votes, 1 answer
Would DNSSEC and DANE be more secure if the same key was published to different TLDs?
Assuming that it's tough to get many government-owned TLDs to cooperate to spoof DANE or DNSSEC, would it be wise to publish the same certificate (different SAN names) to various TLDs?
For…
makerofthings7