What is DANE?

DANE (DNS-based Authentication of Named Entities) is a security protocol that lets a domain owner bind TLS certificates to domain names through the Domain Name System (DNS). With it, applications can verify the authenticity of a server's TLS certificate without relying on Certificate Authorities (CAs).

Here are some key aspects of DANE:

  • Purpose: DANE provides a way to securely associate TLS certificates with domain names, enabling authentication of servers and services.

  • How it Works: DANE relies on DNSSEC (DNS Security Extensions) to protect the integrity of DNS records. Specifically, it uses TLSA records to publish certificate information.

  • TLSA Records: Each record carries a certificate usage, a selector, and a matching type, followed by the certificate association data. The record's owner name encodes a specific port and protocol (e.g., _443._tcp.example.com).

  • Certificate Validation: When a client connects to a server, it retrieves the TLSA record for the server's domain and validates the certificate presented by the server against the information in that record.

  • Benefits: DANE offers several benefits, including reduced reliance on CAs, increased resistance to certain attacks (e.g., CA compromise), and the ability to use self-signed certificates securely.

  • Use Cases: DANE can secure various applications, such as email servers (SMTP with STARTTLS), web servers (HTTPS), and other TLS-enabled services.

  • Relationship with DNSSEC: DANE critically depends on DNSSEC. DNSSEC provides the assurance that the TLSA records retrieved from DNS are authentic and have not been tampered with.
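The TLSA fields and the validation step described above, as an added illustration that is not part of the original page: it builds the record an operator would publish, parses the zone-file form, and applies the usage/selector/matching-type semantics from RFC 6698 on the client side. The certificate and SubjectPublicKeyInfo byte strings are constructed stand-ins, not real DER, and the function names are this example's own.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins, not real DER. A client would take the leaf certificate
# from the handshake (ssl.SSLSocket.getpeercert(binary_form=True)) and extract
# its SubjectPublicKeyInfo with an X.509 library before calling tlsa_matches().
EE_CERT_DER = b"constructed-end-entity-certificate-der"
EE_SPKI_DER = b"constructed-end-entity-spki-der"
CA_CERT_DER = b"constructed-issuing-ca-certificate-der"
CA_SPKI_DER = b"constructed-issuing-ca-spki-der"


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name the client queries, e.g. _443._tcp.example.com."""
    return f"_{port}._{proto}.{host}"


def parse_tlsa(rdata: str) -> TLSA:
    """Parse the presentation form '<usage> <selector> <mtype> <hex>'."""
    usage, selector, mtype, hexdata = rdata.split(maxsplit=3)
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex(hexdata.replace(" ", "")))


def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Bytes a TLSA record holds for this certificate under selector/mtype."""
    picked = cert_der if selector == 0 else spki_der
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[mtype]
    return digest(picked)


def make_tlsa(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """Operator side: the record to publish in a DNSSEC-signed zone."""
    return f"{usage} {selector} {mtype} {association_data(selector, mtype, cert_der, spki_der).hex()}"


def tlsa_matches(tlsa: TLSA, chain: list) -> bool:
    """chain[0] is the server's (cert_der, spki_der); later entries are issuers.
    Usages 1/3 must match the leaf; usages 0/2 may match any cert in the chain.
    Not checked here: usages 0/1 still need normal PKIX validation, and usage 2
    needs the matched cert to actually be the issuer of the chain."""
    if tlsa.usage not in (0, 1, 2, 3) or tlsa.selector not in (0, 1) or tlsa.mtype not in (0, 1, 2):
        return False  # unknown parameter values make the record unusable
    candidates = chain[:1] if tlsa.usage in (1, 3) else chain
    return any(hmac.compare_digest(association_data(tlsa.selector, tlsa.mtype, c, s), tlsa.data)
               for c, s in candidates)
```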