Red Sift’s Email Protocol Configuration Guide
Explore our guide

Learn about DANE and DNSSEC

What is DANE?

DNS-Based Authentication of Named Entities or DANE is a way of associating a certificate to a domain name without having to rely on external third parties. DANE provides a secure channel between the sender and recipient, ensuring that the sender is talking to the right recipient while preventing MITM from intercepting or modifying the email in transit.  

Published under RFC 7671, it introduces a new Internet standard for setting up TLS (Transport Layer Security) communication between a client and a server, without having to rely on trusted Certificate Authorities (CAs).

The traditional CA model TLS has depended on allows any of CA to issue a certificate for any domain. DANE does things differently; it relies on the DNSSEC infrastructure (Domain Name System Security Extensions) to bind a domain name to a certificate.

Why was DANE developed?

There are two main reasons:

1) Improper use of trusted third-party CAs 

Attackers can sometimes successfully impersonate a person or service and obtain a rogue certificate. Although this certificate is valid and issued by a trusted third party, it is not designated to the intended person. 

2) Eliminating the possibility of MITM (Man-In-The-Middle) attacks

MITM is when an attacker intercepts the conversation between a client and server by inserting themselves into the middle of the conversation, tricking both parties to think that they are talking to each other. This can lead to TLS session downgrade or cache poisoning. 

Can DANE be used by any application?

As long as the application uses TLS to connect to services identified by domain names, DANE is universal. It is backward compatible, so if DANE is not supported by a mail server, the client can fall back to using STARTTLS or even clear text. It was developed to be deployed gradually while interoperating with the existing email backbone. As DANE adoption grows, it will promote the use of DNSSEC and vice versa. 

What is needed to deploy DANE?

  • Security-aware resolver that can query and validate DNSSEC and TLSA records
  • DNSSEC signed zone and RRsets

How does DANE achieve the above?

DANE makes use of the already existing DNSSEC protocol, to make sure the data it receives is authentic and has not been tampered with. DANE also introduces a new DNS RR type called TLSA which helps to signal to the client that a server supports TLS. 

A TLSA record needs to be set up for each application that makes use of TLS. Each one of those applications will run on different ports and based on the port number, a TLSA record can exist. 

If MTA-STS and DANE serve the same purpose, which protocol should I implement?

The recommendation is to implement both MTA-STS and DANE. DANE is a requirement from many governments, so public agencies in the EU are often required to implement it.

DANE and MTA-STS help only if the sender supports it, however, many senders only support one or the other so implementing both improves security overall.

What is DNSSEC?

The Domain Name System Security Extensions (DNSSEC) is a suite of Internet Engineering Task Force (IETF) specifications for securing certain kinds of information provided by the Domain Name System (DNS) as used on IP networks.

The DNSSEC is a set of extensions that provide DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

Since the original specification of DNS did not include any security details, DNSSEC attempts to protect applications (and caching resolvers serving those applications) from using forged or manipulated DNS data (such as that created by DNS cache poisoning) all while maintaining backward compatibility.

All answers from DNSSEC-protected zones are digitally signed, verifying their authenticity.

Please note that the initial DNSSEC specification RFC 2535 has become obsolete, due to scalability concerns. DNSSEC-bis is the current protocol. For further information, see: RFC 4033, RFC 4034, and RFC 4035.

LinkedInInstagram