The Customize Windows

By Abhishek Ghosh September 11, 2016 6:33 am Updated on September 11, 2016

What is DANE Protocol?

Previously we discussed DNSSEC. DNSSEC is a method of authenticating DNS records that also uses a chain of trust, and that trust structure mirrors the DNS hierarchy. But what is the DANE protocol? DANE stands for DNS-based Authentication of Named Entities. DANE uses the DNS (signed with DNSSEC) to publish a fingerprint, or the whole certificate or public key, that tells a client which certificate, or which CA, a service on the domain will present, so that a mis-issued certificate is caught. DANE is a network protocol intended to ensure that the certificate a domain uses cannot be substituted by another one, which increases the safety of encrypted e-mail transport and of accessing websites. With DANE either the public key or the entire certificate (or a hash of one of them) is put in a DNS record that specifies what to expect when connecting to the domain on a given port and protocol, for example TCP port 443 for HTTPS.

 

What is DANE Protocol : Basics and RFC

 

Suppose a user's browser wants to establish a secure TLS connection to https://thecustomizewindows.com and wants to be sure that the responding server is actually authorised to serve that website. The client first checks whether the domain name appears in the certificate presented by the server. TLS sessions need a chain of trust to authenticate the server to the client, and the commonly used method is PKIX: the browser ships with a list of trusted root certificates issued by Certificate Authorities (CAs), those roots act as trust anchors, and the server's certificate is accepted if a series of PKIX certificates links it to one of those roots. The domain name in the certificate alone proves nothing; only the chain to a trusted root does. However, a number of serious incidents (compromised or misbehaving CAs issuing certificates for domains they had no business with) have raised doubts about the safety of this procedure. The domain's administrator has no say in the matter: every CA in the browser's list is trusted equally for every domain, and nothing in PKIX validation prevents any one of them from signing a certificate for any domain name. (CAA records, RFC 6844, are only a policy signal to CAs at issuance time; the client does not check them.)

This is where DANE comes in. Clients can ask the DNS which certificates can be trusted for a service, provided the answer is signed with DNSSEC, since an unsigned TLSA record could be forged as easily as any other DNS answer. For this a new DNS resource record named TLSA is defined. It carries either a certificate in PKIX format (or just its public key) in full, or a fingerprint (hash) of one of them. Four kinds of statement are possible:

  1. Certificate Authority Constraint: the client is asked to accept only certificates issued under a defined CA certificate. The chain must still validate through the normal PKIX trust hierarchy, and the named CA certificate must appear in that chain.
  2. Service Certificate Constraint: the client is asked to accept only one defined end-entity certificate. That certificate must still pass normal PKIX validation.
  3. Trust Anchor Assertion: the client is asked to validate the server's certificate against a defined trust anchor published in DNS. The chain must lead to that trust anchor and pass certificate validation, but the trust anchor does not have to be in the client's CA list.
  4. Domain-Issued Certificate: the client is asked to trust exactly the certificate (or public key) referenced in the TLSA record. No examination of the trust hierarchy is performed.

The two constraint types thus narrow down which publicly issued, CA-rooted certificate a client will accept. Trust Anchor Assertion lets an operator run its own private CA for its TLS services. Domain-Issued Certificate gives the domain holder the possibility to issue certificates for its own TLS-secured services with no CA at all.

RFC 6698 defines DANE and the TLSA record as a way to authenticate TLS server (and client) entities without necessarily relying on a certificate authority (CA); it presumes that the TLSA records are DNSSEC-signed. Updated operational and deployment guidance is in RFC 7671, RFC 7672 defines the use of DANE for SMTP transport security (opportunistic DANE TLS between mail servers), and RFC 7673 describes using DANE TLSA records together with Service (SRV) records. DANE can thus also be used by domain owners to issue their own certificates, without an existing certificate authority.

 

What is DANE Protocol Related DNS Record?

 

DANE uses a new record type called TLSA. From the text under the sub header “What is DANE Protocol : Basics and RFC”, we get four possibilities; they are the certificate usage values:

  • Usage Number 0 – CA constraint – Specifies the Certificate Authority (CA) whose certificate must be in the chain that provides TLS certificates for the domain. We can only say that the domain will use TLS certificates from a specific CA. Say we use GeoTrust as CA: only a chain containing that GeoTrust CA certificate will be accepted, and it is difficult for anyone else to get an SSL/TLS certificate for our domain from GeoTrust without being us. Normal PKIX validation still applies.
  • Usage Number 1 – Specific TLS certificate – Specifies the exact TLS certificate that should be used for the domain, which must also validate under PKIX. For example, the specific GeoTrust-issued certificate of this domain. This is the natural choice for a long-lived certificate from a public CA. It fits badly with a CA such as Let’s Encrypt, whose certificates are renewed every few months, because a hash of the certificate has to be replaced in DNS at every renewal; for that case RFC 7671 recommends usage 3 (with selector 1, see below), or usage 2.
  • Usage Number 2 – Trust anchor assertion – Specifies the trust anchor (typically a private CA, or one particular intermediate CA certificate) to be used for validating the TLS certificates for the domain. It is for operators who run their own CA, or who want to pin a CA that is not in every client’s store.
  • Usage Number 3 – Domain-issued certificate – Specifies the exact TLS certificate (or public key) that should be used for the domain; the certificate can be self-signed. No PKIX validation is done at all, so the security of this usage rests entirely on DNSSEC.

We can write the above as :

  1. Certificate Authority Constraint (0 – PKIX-TA)
  2. Service Certificate Constraint (1 – PKIX-EE)
  3. Trust Anchor Assertion (2 – DANE-TA)
  4. Domain Issued Certificate (3 – DANE-EE)

Case 2 (Service Certificate Constraint, 1 – PKIX-EE) is the obvious choice for a site that already has a certificate from a public CA, and it is what this site uses. That is Usage 1 of the RFC. This first number is called the TLSA certificate usage value.

As we can pin either the full certificate or only its public key, there are two selector values:

  1. Using the full certificate (0 – Cert)
  2. Using the subject public key info (1 – SPKI)

The record shown later in this article was generated from the full certificate, so its selector is 0. Selector 1 has the advantage that the record stays valid across a certificate renewal as long as the key pair is reused, which is why RFC 7671 recommends it. This second number is known as the TLSA selector value.

From the type of hashing applied to the selected data, the third field can be:

  1. No hash, the full data itself (0 – Full)
  2. SHA-256 hash (1 – SHA-256)
  3. SHA-512 hash (2 – SHA-512)

As SHA-256 is a sane hash, 1 will be the common value. This third number is known as the TLSA matching type.

The above three numbers are written one after another, like 1 0 1 or 3 1 1 (often quoted as “101” or “311”), and are followed by the certificate association data: the hash, or for matching type 0 the full certificate or key, as a hexadecimal string. The second set of information is where the record lives. Its owner name is built from:

  1. port
  2. protocol
  3. domain name

So the whole record is written in this way:

_[port]._[protocol].[domain name] [usage] [selector] [matching type] [hash value of the certificate or key]

If you run this command for a domain (replace example.com with your own domain; the owner name says port 443 over TCP)

dig +dnssec +noall +answer +multi _443._tcp.example.com. TLSA

you will get output like ours, a TLSA record (because of +dnssec, dig also prints the RRSIG covering the record, which is what shows the answer is DNSSEC-signed):

_443._tcp.thecustomizewindows.com. 30 IN TLSA 1 0 1 (67F709959C5CD3D97E1F57B355701E95A9D881119A8FE4E6770903086DFFB356 )

That value 30 is the time to live. Obviously the DNS provider needs to support the TLSA record type (and DNSSEC signing of the zone); Dyn does support it. How did that bizarre data

67F709959C5CD3D97E1F57B355701E95A9D881119A8FE4E6770903086DFFB356

come about?

It is the SHA-256 hash of the DER-encoded certificate, which is exactly what the fields 1 0 1 announce (usage 1, full certificate, SHA-256). It is generated by running a hashing command against the certificate file on the server, and the resulting value is then added to the zone via the DNS provider.
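To make the three numbers and the hash concrete, here is an added Python example (standard library only; it is not code from the original article) that generates the certificate association data for any selector and matching-type combination, parses the presentation format that dig prints, and checks a served certificate chain against a record using the usage rules from the “Basics and RFC” section above. The certificate it works on is a constructed DER skeleton built inside the block, not a real certificate, and all function and constant names are my own.

```python
"""TLSA certificate association data (RFC 6698 / RFC 7671): build it from a certificate,
parse what dig prints, and check a served chain. Added example, stdlib only."""
import hashlib
import re

def _der_tlv(buf, pos=0):
    """(tag, value, end) of the DER tag-length-value element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _der_children(body):
    """Raw (tag+length+value) top-level elements of a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(body):
        start = pos
        _, _, pos = _der_tlv(body, pos)
        out.append(body[start:pos])
    return out

def spki_from_der(cert_der):
    """DER SubjectPublicKeyInfo: Certificate = SEQ { tbs SEQ { [0] version OPTIONAL,
    serial, sigAlg, issuer, validity, subject, spki, ... }, ... }. Structure only."""
    _, cert_body, _ = _der_tlv(cert_der)
    _, tbs_body, _ = _der_tlv(_der_children(cert_body)[0])
    fields = _der_children(tbs_body)
    if fields[0][0] == 0xA0:                  # explicit [0] version present (v2/v3)
        fields = fields[1:]
    return fields[5]

def tlsa_association_data(cert_der, selector, matching_type):
    """Hex RDATA: selector 0 = full cert / 1 = SPKI; matching 0 = raw / 1 = SHA-256 / 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_from_der(cert_der)
    if matching_type == 0:
        return data.hex().upper()
    return {1: hashlib.sha256, 2: hashlib.sha512}[matching_type](data).hexdigest().upper()

def tlsa_owner_name(port, proto, domain):
    """Owner name of the TLSA RRset, e.g. _443._tcp.example.com."""
    return "_%d._%s.%s." % (port, proto, domain.rstrip("."))

_RR = re.compile(r"^\s*(\S+)\s+(\d+)\s+IN\s+TLSA\s+(.*)$", re.S)
_RDATA = re.compile(r"^\s*(\d)\s+(\d)\s+(\d)\s+\(?\s*([0-9A-Fa-f\s]+?)\s*\)?\s*$")

def parse_tlsa_rdata(text):
    """'1 0 1 ( 67F7...56 )' -> (usage, selector, matching_type, 'HEX')."""
    m = _RDATA.match(text)
    if not m:
        raise ValueError("not TLSA RDATA: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)),
            re.sub(r"\s+", "", m.group(4)).upper())

def parse_tlsa_rr(line):
    """A presentation-format RR as dig prints it -> (owner, ttl, rdata tuple)."""
    m = _RR.match(line)
    if not m:
        raise ValueError("not a TLSA RR: %r" % line)
    return m.group(1), int(m.group(2)), parse_tlsa_rdata(m.group(3))

def tlsa_match(rdata_text, chain_der):
    """Index (leaf first) of the served certificate satisfying the record, or None.
    Usages 1/3 must match the leaf; usages 0/2 may match any certificate in the chain
    (for usage 2 the server must send the trust anchor). Usages 0/1 still need normal
    PKIX validation and usage 2 needs PKIX validation to the matched anchor; that
    PKIX work is deliberately not done here. Usage 3 needs nothing more."""
    usage, selector, mtype, hexdata = parse_tlsa_rdata(rdata_text)
    candidates = [0] if usage in (1, 3) else range(len(chain_der))
    for i in candidates:
        if tlsa_association_data(chain_der[i], selector, mtype) == hexdata:
            return i
    return None

def _tlv(tag, body):
    """DER-encode one element (for the CONSTRUCTED test material below, not a real cert)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

_SIG_ALG = _tlv(0x30, _tlv(0x06, bytes.fromhex("2A8648CE3D040302")))  # ecdsa-with-SHA256
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, bytes.fromhex("2A8648CE3D0201")))
                   + _tlv(0x03, b"\x00\x04" + b"\x11" * 64))          # id-ecPublicKey, dummy point

def build_sample_cert_der(serial=1, spki=SAMPLE_SPKI):
    """v3 certificate skeleton with empty issuer/subject and a dummy signature;
    it validates nowhere and only exercises the TLSA arithmetic offline."""
    validity = _tlv(0x30, _tlv(0x17, b"160911000000Z") + _tlv(0x17, b"170911000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes([serial]))
               + _SIG_ALG + _tlv(0x30, b"") + validity + _tlv(0x30, b"") + spki)
    return _tlv(0x30, tbs + _SIG_ALG + _tlv(0x03, b"\x00" * 9))
```

For a real certificate file, selector 0 with matching type 1 is simply the SHA-256 of the DER bytes (on a server with OpenSSL, `openssl x509 -in cert.pem -outform DER | openssl sha256` prints the same value), while selector 1 hashes only the SubjectPublicKeyInfo, which is why a 3 1 1 record survives a renewal that reuses the key pair. The DNSSEC validation of the TLSA answer, on which the whole scheme depends, is outside this block: a validating resolver that sets the AD flag, or a validating stub library such as libunbound, has to supply it.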

Cite this article as: Abhishek Ghosh, "What is DANE Protocol?," in The Customize Windows, September 11, 2016, March 27, 2023, https://thecustomizewindows.com/2016/09/what-is-dane-protocol/.
