DANE - BlueCat Integrity - 9.3.0

Address Manager Administration Guide

Locale
English
Product name
BlueCat Integrity
Version
9.3.0

This topic provides conceptual information on DANE and TLSA records, including the tasks for configuring TLSA records in Address Manager.

DNS-based Authentication of Named Entities (DANE) is a protocol that binds X.509 certificates, as used for Transport Layer Security (TLS), to DNS names by means of DNSSEC. DANE introduces the TLSA record type, which lets a zone owner publish which certificate, public key, or issuing CA a TLS client should expect for a given service, so the client no longer has to rely solely on the set of CAs in its local trust store.

TLS provides encryption, but it authenticates the server only as far as the presented certificate chains to a trust anchor (a CA root certificate) that the client already holds. Any CA in the client's trust store can issue a certificate for any name, so a compromised or misbehaving CA can mis-issue a certificate that clients accept as valid. DANE addresses this with a TLSA record, validated by DNSSEC, that states which certificate (or public key) is authentic for the service. A TLSA record can also designate a certificate or CA as trusted solely because it is published in DNS, independent of the client's CA trust store.

DANE can be used with HTTPS, SMTP, XMPP, and SIP.
  • A TLSA record can match either the full certificate or only its public key (the SubjectPublicKeyInfo)
  • The certificate association data can be the full certificate or key, or a SHA-256 or SHA-512 hash of it
  • For SMTP, DANE lets a sending mail server authenticate the receiving server's certificate and require TLS, instead of relying on unauthenticated, opportunistic STARTTLS
Note: DANE was first specified in RFC 6698 and updated with operational and deployment guidance in RFC 7671. For details, refer to DNS/DHCP Server RFC compliance.
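The following worked example is added here to make the TLSA concepts above concrete; it is not BlueCat code and does not use the Address Manager API. It builds a TLSA record from a certificate (usage, selector, matching type, certificate association data as defined in RFC 6698), encodes and decodes the wire-format RDATA, prints the zone-file presentation format with the _port._proto.host owner name, and checks a presented certificate chain against a record. Only the Python standard library is used; the certificate is a constructed, unsigned X.509-shaped DER structure (an assumption made so the example runs offline), and the SPKI extraction is a minimal DER walker written for this example, not a general X.509 parser.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# ---- Minimal DER encode/decode, just enough to walk an X.509 Certificate ----

def der_len(n):
    if n < 0x80:                               # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body    # long form

def der(tag, content):
    """Encode one TLV."""
    return bytes([tag]) + der_len(len(content)) + content

def der_read(buf, pos=0):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def extract_spki(cert_der):
    """Return the SubjectPublicKeyInfo TLV of a DER Certificate (RFC 5280, 4.1)."""
    _, cert, _ = der_read(cert_der)            # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert)                 # tbsCertificate ::= SEQUENCE
    pos = 0
    tag, _, nxt = der_read(tbs, pos)
    if tag == 0xA0:                            # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(5):                         # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    tag, _, end = der_read(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not where expected")
    return tbs[pos:end]

# ---- TLSA record (RFC 6698, section 2) ----

@dataclass(frozen=True)
class TLSA:
    usage: int        # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int     # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int        # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes       # certificate association data

    def rdata(self):
        """Wire-format RDATA: three one-octet fields followed by the data."""
        return struct.pack("!BBB", self.usage, self.selector, self.mtype) + self.data

    @classmethod
    def from_rdata(cls, rdata):
        u, s, m = struct.unpack("!BBB", rdata[:3])
        return cls(u, s, m, rdata[3:])

    def presentation(self, owner):
        """Zone-file line, e.g. '_25._tcp.mail.example.com. IN TLSA 3 1 1 <hex>'."""
        return f"{owner} IN TLSA {self.usage} {self.selector} {self.mtype} {self.data.hex()}"

def owner_name(host, port, proto="tcp"):
    """TLSA owner name is _port._proto.host. (RFC 6698, section 3)."""
    return f"_{port}._{proto}.{host}."

def association_data(cert_der, selector, mtype):
    """Apply the selector (whole cert or SPKI), then the matching type."""
    selected = cert_der if selector == 0 else extract_spki(cert_der)
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}
    return digest[mtype](selected)

def tlsa_for_cert(cert_der, usage=3, selector=1, mtype=1):
    """Build the record an operator would publish; defaults to the common '3 1 1'."""
    return TLSA(usage, selector, mtype, association_data(cert_der, selector, mtype))

def tlsa_matches(record, chain):
    """chain[0] is the end-entity DER certificate, followed by its issuers.
    EE usages (1, 3) match only the leaf; TA usages (0, 2) match an issuer.
    Usages 0 and 1 additionally need PKIX path validation, not done here."""
    candidates = chain[:1] if record.usage in (1, 3) else chain[1:]
    return any(hmac.compare_digest(record.data,
                                   association_data(c, record.selector, record.mtype))
               for c in candidates)

# ---- Constructed test certificate (assumption: correct shape, placeholder signature) ----

def constructed_spki(key_byte):
    """SubjectPublicKeyInfo for an Ed25519 key (OID 1.3.101.112) made of a repeated byte."""
    alg = der(0x30, der(0x06, bytes.fromhex("2b6570")))
    return der(0x30, alg + der(0x03, b"\x00" + bytes([key_byte]) * 32))

def constructed_cert(spki):
    """Certificate-shaped DER with fields in RFC 5280 order and an all-zero signature."""
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2b6570")))
    empty_name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + sig_alg + empty_name + validity + empty_name + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + bytes(64)))

if __name__ == "__main__":
    cert = constructed_cert(constructed_spki(0x42))
    rec = tlsa_for_cert(cert)
    print(rec.presentation(owner_name("mail.example.com", 25)))
    print("matches:", tlsa_matches(rec, [cert]))
```

The default "3 1 1" record (DANE-EE, SPKI, SHA-256) is the form RFC 7671 recommends for most deployments: pinning the public key rather than the whole certificate means the record stays valid across certificate renewals that keep the same key, and the hash keeps the RDATA short. Whatever you publish must be kept in step with the key actually served; a TLSA record that no longer matches causes verifying clients to refuse the connection.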