Authors
Hyeonmin Lee, Aniketh Gireesh, Roland van Rijswijk-Deij, Taejoong Chung
Publication date
2020
Conference
29th USENIX Security Symposium (USENIX Security 20)
Description
The DNS-based Authentication of Named Entities (DANE) standard allows clients and servers to establish a TLS connection without relying on trusted third parties like CAs by publishing TLSA records. DANE uses the Domain Name System Security Extensions (DNSSEC) PKI to achieve integrity and authenticity. However, DANE can only work correctly if each principal in its PKI properly performs its duty: through their DNSSEC-aware DNS servers, DANE servers (e.g., SMTP servers) must publish their TLSA records, which are consistent with their certificates. Similarly, DANE clients (e.g., SMTP clients) must verify the DANE servers’ TLSA records, which are also used to validate the fetched certificates.
Scholar articles
H Lee, A Gireesh, R van Rijswijk-Deij, T Chung - … USENIX Security Symposium (USENIX Security 20), 2020