DANE - BlueCat Integrity - 9.3.0

Address Manager Administration Guide

Product name
BlueCat Integrity

This topic provides conceptual information on DANE and TLSA records, including the tasks for configuring TLSA records in Address Manager.

DNS-based Authentication of Named Entities (DANE) is a protocol that binds X.509 certificates, as used for Transport Layer Security (TLS), to DNS names by publishing certificate data in DNS and protecting it with DNSSEC. DANE introduces the TLSA record type, which carries a certificate, a public key, or a hash of either, and lets a client authenticate a TLS server's certificate against DNSSEC-validated data rather than relying only on the CA trust store.

TLS provides authentication and encryption, but its authentication is only as strong as the trust anchors (CA root certificates) the client holds. In the conventional PKI model, any CA in the client's trust store can issue a certificate for any name, so a compromised or misbehaving CA can issue a certificate that the client will accept. DANE addresses this by letting the domain owner publish a TLSA record that states which certificate, public key, or issuing CA is valid for a service; the client fetches the record, checks its DNSSEC signature, and compares it with the certificate presented in the TLS handshake. Depending on the record's certificate usage field, the TLSA record either constrains which PKIX-validated certificate or CA is acceptable, or it acts as the trust anchor itself, so that the certificate or CA is authenticated in DNS without reference to the client's CA trust store. Note: the protection depends entirely on DNSSEC validation of the TLSA lookup; an unsigned or unvalidated TLSA record provides no assurance.

DANE can be used with any TLS-based service; common deployments include HTTPS, SMTP, XMPP, and SIP.
  • A TLSA record can reference either the full certificate or only its public key (the SubjectPublicKeyInfo), as chosen by the record's selector field
  • The referenced certificate or key can be stored in full or as a SHA-256 or SHA-512 hash, as chosen by the record's matching type field
  • For SMTP, DANE lets a sending mail server authenticate the receiving server's certificate on each MTA-to-MTA hop (RFC 7672), which closes the STARTTLS downgrade gap left by opportunistic TLS
Note: DANE was first defined in RFC 6698 and later updated with operational and deployment guidance in RFC 7671. For details, refer to DNS/DHCP Server RFC compliance.
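To make the TLSA fields concrete, the following is an added worked example (not BlueCat code and not part of this guide) that derives the certificate association data for a TLSA record, renders it in zone-file form, parses it back, and checks a presented certificate against an RRset the way a DANE-EE(3) client would. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders; in real use they come from the server's TLS handshake (for example, extracted with OpenSSL), and the RRset must come from a DNSSEC-validating lookup. The function and constant names are the example's own.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Added example, not BlueCat code. Builds and checks TLSA records as defined
# in RFC 6698 / RFC 7671. Certificate bytes come from the TLS handshake in
# real use; here they are constructed so the file runs offline.

# Constructed sample data: a DER SubjectPublicKeyInfo for an Ed25519 key whose
# raw 32 key bytes are 0x01..0x20 (standard Ed25519 SPKI header, fake key).
SAMPLE_SPKI_DER = bytes.fromhex("302a300506032b6570032100") + bytes(range(1, 33))
# Opaque stand-in for the full DER certificate (selector 0 hashes all of it).
SAMPLE_CERT_DER = b"constructed placeholder for a DER-encoded certificate"

# Field values from RFC 6698.
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SELECTOR_CERT, SELECTOR_SPKI = 0, 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2
_DIGEST_LEN = {MATCH_SHA256: 32, MATCH_SHA512: 64}


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes  # certificate association data


def tlsa_owner_name(port: int, proto: str, host: str) -> str:
    """Owner name of the TLSA RRset for a service, e.g. _25._tcp.mail.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def association_data(selector: int, matching_type: int,
                     cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive the certificate association data from the presented certificate."""
    if selector == SELECTOR_CERT:
        subject = cert_der
    elif selector == SELECTOR_SPKI:
        subject = spki_der
    else:
        raise ValueError(f"unknown selector {selector}")
    if matching_type == MATCH_FULL:
        return subject
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(subject).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unknown matching type {matching_type}")


def make_tlsa(usage, selector, matching_type, cert_der, spki_der) -> TLSA:
    """Build the record a zone operator publishes for this certificate."""
    return TLSA(usage, selector, matching_type,
                association_data(selector, matching_type, cert_der, spki_der))


def to_presentation(rec: TLSA) -> str:
    """RDATA in zone-file form: '3 1 1 <hex>'."""
    return f"{rec.usage} {rec.selector} {rec.matching_type} {rec.data.hex()}"


def parse_tlsa(rdata: str) -> TLSA:
    """Parse zone-file RDATA; the hex may be split by whitespace in multi-line RRs."""
    fields = rdata.split()
    usage, selector, matching_type = (int(f) for f in fields[:3])
    return TLSA(usage, selector, matching_type, bytes.fromhex("".join(fields[3:])))


def is_usable(rec: TLSA) -> bool:
    """Unknown parameter values make a record 'unusable' (RFC 7671) and a client
    ignores it rather than counting it as a failed match; a digest of the wrong
    length is treated the same way here because it can never match."""
    if rec.usage not in (0, 1, 2, 3) or rec.selector not in (0, 1):
        return False
    if rec.matching_type != MATCH_FULL and rec.matching_type not in _DIGEST_LEN:
        return False
    expected = _DIGEST_LEN.get(rec.matching_type)
    return len(rec.data) == expected if expected else len(rec.data) > 0


def dane_ee_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE(3): the leaf certificate (or its key) must equal the record."""
    derived = association_data(rec.selector, rec.matching_type, cert_der, spki_der)
    return hmac.compare_digest(derived, rec.data)


def dane_ee_verify(records, cert_der: bytes, spki_der: bytes) -> str:
    """Outcome for a DNSSEC-validated TLSA RRset against the presented leaf.
    Only DANE-EE(3) records are decided here; usages 0-2 need the chain."""
    usable = [r for r in records if is_usable(r)]
    if not usable:
        return "no-usable-records"
    ee = [r for r in usable if r.usage == USAGE_DANE_EE]
    if not ee:
        return "no-dane-ee-records"
    if any(dane_ee_matches(r, cert_der, spki_der) for r in ee):
        return "match"
    return "mismatch"


# The "3 1 1" record (DANE-EE, SPKI, SHA-256) for the constructed sample key.
SAMPLE_RECORD = make_tlsa(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256,
                          SAMPLE_CERT_DER, SAMPLE_SPKI_DER)

if __name__ == "__main__":
    print(tlsa_owner_name(25, "tcp", "mail.example.com"), "IN TLSA",
          to_presentation(SAMPLE_RECORD))
    print(dane_ee_verify([SAMPLE_RECORD], SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
```

The "3 1 1" form is the one RFC 7671 recommends for most deployments. With certificate usage 3 the client does not check the certificate's subject name or expiry, so the TLSA record must be rolled over together with the key: publish the new record beside the old one, wait for the old RRset TTL to expire, switch the key, then withdraw the old record. Usages 0 through 2 involve the certificate chain and are left out of the example.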