Clever Geek Handbook

DANE

DANE (DNS-based Authentication of Named Entities) is a set of IETF specifications for authenticating named entities (domain names) and the services offered under them by means of DNS. The specifications were published in 2011-2012; the core protocol, RFC 6698, dates from August 2012.


Description

Many modern applications authenticate the peer of a secure transport connection with certificates, which lets a client verify that it is talking to the server it intended to reach and that this server really holds the name it claims. Usually this authentication relies on a public key infrastructure: the server presents a certificate chain that ends at a certification authority the client already trusts. DANE lets the owner of a domain publish in DNS which certificate, public key or issuing CA a client should expect for a service, including a certificate the client has never seen before. The DNS answer must be signed with DNSSEC and validated by the client; the security of DANE rests entirely on that validation.

Working Principle

Before establishing a secure connection (HTTPS, or TLS under any other protocol that supports it), the client issues an additional DNS query for the TLSA record of the service. The DNSSEC-validated answer carries the expected certificate, its public key, or a hash of one of them, together with flags that say how the data is to be used. The client then opens the TLS connection as usual and, after the handshake, compares the certificate presented by the server with the TLSA data: depending on the usage field, either the end-entity certificate itself or a CA certificate in its chain must match, and for some usages ordinary PKIX chain validation is still required as well. If the DNS answer is unsigned or fails DNSSEC validation, the TLSA data must not be used.

Resource Records

IANA registered one new resource record type for DANE: TLSA (type code 52). Record format (RFC 6698):

                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |  Cert. Usage  |   Selector    | Matching Type |               /
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     /                                                               /
     /                 Certificate Association Data                  /
     /                                                               /
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Field Description

  • Certificate Usage (1 octet) - how the association is to be interpreted: 0 (PKIX-TA) and 1 (PKIX-EE) constrain which CA or end-entity certificate must appear in a chain that also passes normal PKIX validation; 2 (DANE-TA) names a trust anchor that the server's chain must lead to; 3 (DANE-EE) names the end-entity certificate directly, with no PKIX validation at all.
  • Selector (1 octet) - which part of the certificate is matched: 0 the full DER-encoded certificate, 1 only its SubjectPublicKeyInfo (the public key), so that the record survives re-issuing the certificate with the same key.
  • Matching Type (1 octet) - how the selected data is presented: 0 the exact bytes, 1 a SHA-256 hash, 2 a SHA-512 hash.
  • Certificate Association Data - the bytes (or hash) to be matched; in presentation format they are written in hexadecimal.

Example DNS query

When establishing a secure connection to the server example.com over TCP port 443, the client makes an additional query of the form

  _443._tcp.example.com. IN TLSA

DNS Answer

An answer carrying the full certificate (usage 3, DANE-EE; selector 0, full certificate; matching type 0, exact match; the DER-encoded certificate is written in hexadecimal and is truncated here):

  _443._tcp.example.com.  IN TLSA (
      3 0 0 30820307308201efa003020102020 ... )
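The following is an added example, not code from the original article: it shows the client-side part of the working principle described above (parsing the three fixed octets of a TLSA record, deriving the owner name, and checking a presented certificate against the association data) for the field values listed above, including the "3 0 0" full-certificate form of the quoted answer and the more common "3 1 1" SubjectPublicKeyInfo/SHA-256 form. The certificate is a constructed, syntactically plausible but cryptographically meaningless DER structure, and the DNS lookup and DNSSEC validation themselves are assumed to have happened already; only the matching step is implemented.

```python
"""Added example (not from the original article): TLSA RDATA parsing and
certificate matching per RFC 6698.  The certificate built below is constructed
for the demo and is not a real X.509 certificate; the owner name and RDATA
bytes are likewise made up.  DNS resolution and DNSSEC validation are assumed
to have been done by a validating resolver before these functions are called."""
import hashlib


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (content lengths below 65536 are enough here)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content


def der_children(tlv: bytes) -> list:
    """Split a constructed DER value into the list of its child TLVs."""
    first = tlv[1]
    hdr = 2 if first < 0x80 else 2 + (first & 0x7F)
    body, out, i = tlv[hdr:], [], 0
    while i < len(body):
        f = body[i + 1]
        if f < 0x80:
            n, h = f, 2
        else:
            k = f & 0x7F
            n, h = int.from_bytes(body[i + 2:i + 2 + k], "big"), 2 + k
        out.append(body[i:i + h + n])
        i += h + n
    return out


def spki_of(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo: 7th field of TBSCertificate when the
    optional EXPLICIT [0] version is present, 6th in a v1 certificate."""
    fields = der_children(der_children(cert_der)[0])
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    return fields[5]          # serial, sigAlg, issuer, validity, subject, SPKI


SELECTORS = {0: lambda c: c, 1: spki_of}                 # full cert / SPKI
MATCHERS = {0: lambda b: b,                              # exact bytes
            1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}


def parse_tlsa_rdata(rdata: bytes) -> tuple:
    """Split wire-format RDATA into (usage, selector, matching_type, data)."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA shorter than its three fixed octets")
    return rdata[0], rdata[1], rdata[2], rdata[3:]


def tlsa_owner_name(host: str, port: int, proto: str = "tcp") -> str:
    """Owner name to query: _<port>._<proto>.<host>."""
    return f"_{port}._{proto}.{host.rstrip('.')}."


def cert_matches(selector: int, mtype: int, data: bytes, cert_der: bytes) -> bool:
    """Unknown selector or matching type makes the record unusable, never a match."""
    if selector not in SELECTORS or mtype not in MATCHERS:
        return False
    return MATCHERS[mtype](SELECTORS[selector](cert_der)) == data


def dane_accepts(records: list, chain: list) -> bool:
    """chain[0] is the server's end-entity certificate, the rest its CAs.
    Usages 1 and 3 bind the end-entity certificate; 0 and 2 bind a CA that may
    sit anywhere in the chain.  PKIX validation (usages 0/1) and building a
    path to the DANE trust anchor (usage 2) are deliberately not done here."""
    for usage, sel, mt, data in records:
        if usage not in (0, 1, 2, 3):
            continue
        candidates = chain[:1] if usage in (1, 3) else chain
        if any(cert_matches(sel, mt, data, c) for c in candidates):
            return True
    return False


def build_fake_cert() -> tuple:
    """Constructed demo certificate; returns (certificate DER, its SPKI DER)."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + b"\xAB" * 64))
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"example.com"))))
    validity = der(0x30, der(0x17, b"120801000000Z") + der(0x17, b"130801000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 65)), spki


def demo() -> dict:
    cert, spki = build_fake_cert()
    rec = parse_tlsa_rdata(bytes([3, 1, 1]) + hashlib.sha256(spki).digest())
    full = (3, 0, 0, cert)                       # the "3 0 0 <DER>" form above
    reissued = cert[:-1] + bytes([cert[-1] ^ 1])  # same key, different signature
    return {"owner": tlsa_owner_name("example.com", 443),
            "presentation": " ".join(map(str, rec[:3])) + " " + rec[3].hex(),
            "spki_match": dane_accepts([rec], [cert]),
            "spki_match_reissued": dane_accepts([rec], [reissued]),
            "full_match": dane_accepts([full], [cert]),
            "full_match_reissued": dane_accepts([full], [reissued])}


if __name__ == "__main__":
    print(demo())
```

The two outcomes worth noting: a "3 1 1" record keeps matching after the certificate is re-issued with the same key, while a "3 0 0" record (as in the quoted answer) fails on any byte change, so it must be republished whenever the certificate is.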


Links

  • RFC 6394, Use Cases and Requirements for DNS-Based Authentication of Named Entities (DANE)
  • RFC 6698, The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA
  • DANE: The New DNS Role in Security, Open Systems journal, No. 03, 2013
Source - https://ru.wikipedia.org/w/index.php?title=DANE&oldid=93738103



Clever Geek | 2019