This topic provides conceptual information on DANE and TLSA records, as well as the tasks for configuring TLSA records in Address Manager.
DNS-based Authentication of Named Entities (DANE) is a protocol that allows X.509 certificates, commonly used for Transport Layer Security (TLS), to be bound to DNS names using DNSSEC. DANE introduces the TLSA record, which provides a more secure way to authenticate SSL/TLS certificates.
TLS provides authentication and encryption, but only when the certificate is properly anchored. Trust anchors (root certificates issued by a Certificate Authority (CA)) can be spoofed. DANE addresses this with a TLSA record, verified through DNSSEC, that authenticates a certificate as valid. A TLSA record can also specify that a certificate or CA is to be authenticated in DNS itself.
- DANE supports both certificates and raw keys
- The keys (raw or embedded in certificates) can be full keys or hashes of keys
- DANE provides end-to-end SMTP security for email communication
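The following Python is an added example, not Address Manager's own code, showing what a TLSA record actually carries for the certificate-or-raw-key and full-or-hash choices listed above: it builds and checks the TLSA RDATA fields defined in RFC 6698 (usage, selector, matching type, certificate association data). The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, not real DER.

```python
import hashlib
import hmac
import struct

# TLSA field values as defined in RFC 6698 (not taken from the page above).
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "full certificate", 1: "SubjectPublicKeyInfo (raw key)"}
MATCHING = {0: "exact", 1: "SHA-256", 2: "SHA-512"}


def parse_tlsa_rdata(rdata: bytes) -> dict:
    """Split wire-format TLSA RDATA into its four fields, rejecting unknown values."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA must be at least 3 bytes")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING:
        raise ValueError("unknown TLSA usage, selector or matching type")
    return {"usage": usage, "selector": selector, "matching_type": mtype, "data": rdata[3:]}


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Derive the Certificate Association Data the record must hold for this selector/type."""
    chosen = cert_der if selector == 0 else spki_der      # whole cert vs. raw public key
    if mtype == 0:
        return chosen                                     # full key/cert, no hashing
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(chosen).digest()


def make_tlsa_rdata(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Build wire-format RDATA for the server's current certificate."""
    return bytes([usage, selector, mtype]) + association_data(cert_der, spki_der, selector, mtype)


def to_presentation(owner: str, rdata: bytes) -> str:
    """Render RDATA as the zone-file line an operator would enter for the service."""
    f = parse_tlsa_rdata(rdata)
    return f"{owner} IN TLSA {f['usage']} {f['selector']} {f['matching_type']} {f['data'].hex()}"


def tlsa_matches(rdata: bytes, cert_der: bytes, spki_der: bytes) -> bool:
    """Check a presented certificate against one TLSA record (constant-time compare)."""
    f = parse_tlsa_rdata(rdata)
    expected = association_data(cert_der, spki_der, f["selector"], f["matching_type"])
    return hmac.compare_digest(expected, f["data"])


# Constructed sample bytes standing in for a mail server's DER certificate and its SPKI.
SAMPLE_CERT = b"constructed-cert-der:" + bytes(range(64))
SAMPLE_SPKI = b"constructed-spki-der:" + bytes(range(32))

if __name__ == "__main__":
    # DANE-EE (3), SPKI (1), SHA-256 (1): the usual shape for an SMTP endpoint.
    rd = make_tlsa_rdata(3, 1, 1, SAMPLE_CERT, SAMPLE_SPKI)
    print(to_presentation("_25._tcp.mail.example.com.", rd))
    print("current key matches:", tlsa_matches(rd, SAMPLE_CERT, SAMPLE_SPKI))
    print("rotated key matches:", tlsa_matches(rd, SAMPLE_CERT, SAMPLE_SPKI + b"\x01"))
```

This only checks the record against a certificate; a DANE client must additionally obtain the TLSA record through a DNSSEC-validating resolver, since an unvalidated record gives no assurance.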