DANE (DNS-based Authentication of Named Entities)
DANE, or DNS-based Authentication of Named Entities, is an Internet security protocol that allows the certificates commonly used for Transport Layer Security (TLS) to be bound to domain names using Domain Name System Security Extensions (DNSSEC).
What is DANE used for?
In simple terms, DANE binds the SSL key information to a domain name and then protects that binding with DNSSEC. Because of this, it makes man-in-the-middle attacks almost impossible, and it promises to help maintain data privacy and security on a global scale, especially with regard to email.
DANE not only challenges the certificate authority (CA) system but also has the potential to revolutionize email security by making encrypted email delivery the norm in a world where email is largely transmitted unencrypted. It therefore plays an important role in email security and email deliverability. In fact, there are arguments that DANE should replace the CA system altogether and that it is a more effective way to improve email security than the CA system.
DANE in effect eliminates several weaknesses of SSL and, in the process, increases the security of SSL-protected emails. It does this by storing the digital fingerprints of SSL certificates in the DNS. Mail servers and browsers can then automatically verify the authenticity of the certificate before establishing a secure connection or sending an email via SSL transport encryption. In this way, it eliminates the situation where criminals use fake certificates to pretend to be a particular web or mail server and gain access to login data or other personal information.
In addition, DANE entries in the DNS are secured with the help of DNSSEC. This prevents others from changing entries in the DNS system and substituting any of the digital fingerprints of SSL certificates.
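The fingerprint check and the DNSSEC requirement described above can be sketched as follows. This is an added example, not code from the original page: it covers only TLSA records (the DNS record type DANE uses, RFC 6698) with usage 3, and the function names, the `dnssec_validated` flag and the sample byte strings are assumptions made for illustration.

```python
import hashlib
import hmac
from typing import NamedTuple

class TLSA(NamedTuple):
    usage: int     # 3 = DANE-EE: the record pins the server's own certificate
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo (public key)
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes    # the fingerprint published in the DNS

def parse_tlsa(text: str) -> TLSA:
    """Parse the presentation form '3 1 1 <hex>' of a TLSA record."""
    parts = text.split()
    if len(parts) < 4:
        raise ValueError("need usage, selector, matching type and data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in range(4) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported TLSA parameters")
    data = bytes.fromhex("".join(parts[3:]))
    want = {1: 32, 2: 64}.get(mtype)  # digest sizes for SHA-256 / SHA-512
    if want is not None and len(data) != want:
        raise ValueError("fingerprint length does not fit the matching type")
    return TLSA(usage, selector, mtype, data)

def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare what the server presented with the published fingerprint."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 1:
        selected = hashlib.sha256(selected).digest()
    elif rec.mtype == 2:
        selected = hashlib.sha512(selected).digest()
    return hmac.compare_digest(selected, rec.data)

def dane_ok(records, dnssec_validated: bool, cert_der: bytes, spki_der: bytes) -> bool:
    """Fail closed: a fingerprint from an unsigned DNS answer is not trusted."""
    if not dnssec_validated:
        return False
    pins = [r for r in records if r.usage == 3]  # other usages need chain checks
    return any(tlsa_matches(r, cert_der, spki_der) for r in pins)

# Constructed stand-ins for a server's DER certificate and its public key.
CERT = b"constructed-certificate-der"
SPKI = b"constructed-public-key-der"
PIN = parse_tlsa("3 1 1 " + hashlib.sha256(SPKI).hexdigest())
```

In a real client the `dnssec_validated` value comes from a validating resolver, and the certificate and key bytes come from the TLS handshake.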
Why is DANE Important?
A common problem with encrypted email arises when either the sender or the recipient is not using an encrypted email service. The message then does not get the full protection that encryption provides.
DANE aims to solve this problem and is an important step in the right direction when it comes to email security. It allows users to communicate with anyone while messages are encrypted end-to-end, so it in effect solves the problem described above, where only the sender or only the recipient uses an encrypted email service.
Although many Internet service providers do not currently use DANE, it is available in all the common browsers through add-ons.