DNS-based Authentication of Named Entities
E831086
DNS-based Authentication of Named Entities (DANE) is an Internet security protocol that uses DNSSEC to bind X.509 certificates to domain names, enabling secure TLS connections without relying solely on traditional certificate authorities.
Statements (51)
| Predicate | Object |
|---|---|
| instanceOf | Internet security protocol |
| abbreviation | DANE |
| allows | domain owners to specify acceptable TLS certificates; use of self-signed certificates with DNSSEC-based trust |
| appliesTo | HTTPS; IMAP; POP3; SMTP; XMPP |
| certificateUsageModes | CA constraint; domain-issued certificate; service certificate constraint; trust anchor assertion |
| complements | certificate authority-based validation; public key infrastructure |
| definedIn | RFC 6698; RFC 7671; RFC 7672; RFC 7673 |
| enables | certificate pinning via DNS; opportunistic TLS for SMTP; verification of TLS server certificates via DNSSEC |
| introduced | 2012 |
| operatesAtLayer | application layer |
| operatesWith | TCP-based services; UDP-based services |
| primaryGoal | bind X.509 certificates to domain names; enable authentication of TLS endpoints via DNSSEC; reduce reliance on traditional certificate authorities |
| protects | HTTPS connections; SMTP over TLS; TLS connections |
| protectsAgainst | compromise of public certificate authorities; man-in-the-middle attacks on TLS |
| recordType | TLSA |
| relatedTo | CAA DNS records; DNS Certification Authority Authorization |
| reliesOn | DNSSEC validation by resolvers; DNSSEC-signed zones; TLSA records at service domain names |
| requires | DNSSEC validation on client side or resolver side |
| securityModel | DNSSEC-based trust model |
| standardizedBy | Internet Engineering Task Force (surface form: IETF); Internet Engineering Task Force |
| status | Proposed Standard |
| uses | DNS Security Extensions; DNSSEC; Domain Name System; TLSA resource records; Transport Layer Security; X.509 certificates |
Referenced by (1)
Full triples — surface form annotated when it differs from this entity's canonical label.