
DANE

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
DANE
Name: DANE
Type: Technical Standard
Established: 2012
Owner: Internet Engineering Task Force

DANE is a protocol that cryptographically binds Transport Layer Security certificates to Domain Name System records, designed to enhance trust for secure communications among entities such as Mozilla Foundation, Google LLC, Microsoft Corporation, Internet Society, and Internet Engineering Task Force. It gives administrators and services like Cloudflare, Amazon Web Services, Akamai Technologies, and Fastly a way to assert certificate usage through DNSSEC-signed records, complementing public certificate authorities such as Let's Encrypt, DigiCert, Entrust, and GlobalSign. Proposals and implementations have been discussed in venues including IETF RFC 6698, IETF RFC 7671, and working groups like the IETF DANE working group.

Overview

DANE (DNS-based Authentication of Named Entities) allows a domain owner to publish TLSA records in DNS, secured by DNSSEC, that specify how clients should verify the TLS credentials presented by servers such as those operated by Facebook, Twitter, Dropbox, GitHub, and LinkedIn. The mechanism ties X.509 certificates, raw public keys, or CA constraints to a domain name; clients that validate DNSSEC signatures can then enforce those constraints when interacting with services like Skype, Slack Technologies, Salesforce, and Box, Inc. DANE targets application protocols including SMTP, HTTPS, XMPP, and SIP and complements PKI frameworks such as those governed by the CA/Browser Forum, WebTrust, and national authorities like GOV.UK.

Technical Details

DANE defines a TLSA record format and matching rules that reference certificate usage, selector, matching type, and certificate association data; these parameters determine whether a certificate presented by a server such as Nginx, Apache HTTP Server, HAProxy, or Envoy is acceptable according to domain policy. DNSSEC provides data origin authentication and integrity via mechanisms like DNSKEY, RRSIG, NSEC3, and DS records anchored in trust chains rooted in registries and operators such as ICANN, VeriSign, Regional Internet Registries, and national registries. Clients perform DNS lookups through resolvers like Unbound, BIND, PowerDNS, and recursive services from Quad9 or Google Public DNS and check cryptographic signatures produced by algorithms standardized by IETF CFRG and groups such as NIST and IANA. DANE accommodates multiple certificate usage modes: a PKIX-TA mode that constrains traditional CA trust similar to models used by Symantec and Comodo, PKIX-EE that pins end-entity certificates comparable to practices at Twitter and Cloudflare, and Raw Public Key modes for lightweight stacks used in IoT platforms like ARM mbed and Eclipse IoT.
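The TLSA matching rules above, carried through in code as an added example that is not part of the original article: it builds the owner name a client queries, parses a record's presentation format, derives the association data for a presented leaf from the selector and matching type, and compares it for the end-entity usages. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders, not real DER; DNSSEC validation and PKIX path building are assumed to happen elsewhere.

```python
import hashlib
import hmac
from dataclasses import dataclass

# TLSA parameter values from RFC 6698 / RFC 7671.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}          # full certificate or SubjectPublicKeyInfo
MATCHING = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name a client queries, e.g. _25._tcp.mail.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes  # certificate association data

def parse_tlsa_rdata(text: str) -> TLSA:
    """Parse presentation format: '<usage> <selector> <matching> <hex data>'."""
    usage, selector, matching, *hexparts = text.split()
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex("".join(hexparts)))


def usable(rec: TLSA) -> bool:
    """RFC 7671 section 4.3: records with unknown parameters are ignored, not failures."""
    return rec.usage in USAGES and rec.selector in SELECTORS and rec.matching in MATCHING


def association_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive the value the record's data field must equal for this certificate."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.matching == 0:
        return selected
    digest = hashlib.sha256 if rec.matching == 1 else hashlib.sha512
    return digest(selected).digest()


def end_entity_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Check an end-entity record (usage 1 or 3) against the presented leaf; use only after DNSSEC validation."""
    # Usage 1 (PKIX-EE) additionally requires normal PKIX path validation, not performed here.
    if not usable(rec) or rec.usage not in (1, 3):
        return False  # usages 0 and 2 bind a trust anchor and need chain inspection instead
    return hmac.compare_digest(association_data(rec, cert_der, spki_der), rec.data)


def demo() -> bool:
    # Constructed sample bytes standing in for a DER certificate and its SPKI.
    cert = b"constructed DER certificate bytes"
    spki = b"constructed SubjectPublicKeyInfo bytes"
    rdata = f"3 1 1 {hashlib.sha256(spki).hexdigest()}"  # DANE-EE, SPKI, SHA-256
    return end_entity_matches(parse_tlsa_rdata(rdata), cert, spki)
```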

Deployment and Use Cases

Operators of email services including Postfix, Exim, Microsoft Exchange Server, and Zimbra have piloted DANE to secure SMTP transport and reduce reliance on opportunistic TLS mechanisms employed by providers such as Gmail and Yahoo! Mail. Web hosting providers and CDNs including WordPress.com, Squarespace, Wix.com, and Netlify can publish TLSA records for authoritative control over certificates issued by authorities like Let's Encrypt when combined with DNS hosting from Cloudflare or DigitalOcean. Enterprises and financial institutions such as JPMorgan Chase, Goldman Sachs, Deutsche Bank, and HSBC may apply DANE in internal PKI scenarios for authentication among services and APIs implemented with Kubernetes, Istio, OpenSSL, and BoringSSL. In voice and messaging, operators of VoIP and SIP infrastructures including vendors like Avaya, Cisco Systems, and Polycom can use DANE for secure session initiation and media encryption negotiation.

Security and Privacy Considerations

DANE’s security depends on correctly deployed DNSSEC chains and proper key management by registrars and DNS operators; compromises at registration authorities like VeriSign or registrars accredited by ICANN can undermine assurances. Threat models consider DNS cache poisoning mitigations handled by resolvers such as Unbound and signature rollovers coordinated via algorithms recommended by IETF and NIST. Privacy implications arise because TLSA records published in public DNS reveal certificate pinning choices that can be observed by actors including network operators, content delivery networks like Akamai Technologies, and intelligence services such as NSA or GCHQ; privacy-preserving resolver designs like DNS-over-HTTPS and DNS-over-TLS, implemented by Mozilla Foundation and Google LLC, can mitigate on-path observation. Interactions with certificate transparency logs maintained by organizations like CT Log Operators and policies from CA/Browser Forum influence detection of misissuance, while DANE reduces dependence on global CA ecosystems exemplified by Symantec controversies.

History and Development

DANE emerged from IETF work in the early 2010s with initial specifications published as IETF RFC 6698 and subsequent updates and operational guidance in later RFCs and drafts circulated within working groups such as IETF DNSOP and IETF TLS WG. Academic and industry research from institutions like University of California, Berkeley, Massachusetts Institute of Technology, Stanford University, ETH Zurich, and companies including Akamai Technologies and Cloudflare evaluated deployment hurdles and threat models. Pilot deployments and experiments were carried out by operators such as SIDN and RIPE NCC and showcased in conference venues like USENIX, IETF Meetings, and Black Hat. Adoption discussions tied into debates about certificate pinning popularized by Google’s Chrome and certificate transparency initiatives led by Google LLC.

Adoption and Compatibility

Adoption has been uneven: email operators and specialized services have adopted DANE in conjunction with DNSSEC signing by registrars like Nominet and registries connected to IANA, whereas mainstream web browsers such as Google Chrome, Mozilla Firefox, Apple Safari, and Microsoft Edge have historically not integrated DANE enforcement, preferring CA-based mechanisms and certificate transparency. Interoperability with server software (Postfix, Exim, Nginx, Apache HTTP Server) and DNS software (BIND, Unbound, Knot DNS) is available but depends on ecosystem support from providers like Cloudflare, Amazon Route 53, and registrar services offered by GoDaddy. International adoption involves national CERTs and authorities such as CERT-EU, NCSC, and regional ccTLD managers, who influence deployment through policy and tooling.

Category:Internet standards