
What is DANE? DNS-Based Authentication of Named Entities Explained (2026)

Security Boulevard, Monday, April 20th, 2026

DANE is a DNS-based security protocol that validates TLS certificates using DNSSEC-signed TLSA records instead of relying on third-party CAs.

DANE (DNS-Based Authentication of Named Entities) is a security protocol that verifies TLS certificates directly through DNS using DNSSEC-secured TLSA records, eliminating dependence on third-party Certificate Authorities.

It addresses two major security issues: STARTTLS downgrade attacks, in which connections silently fall back to plaintext, and the risk of compromised or misissued certificates, which it mitigates by letting domain owners define exactly which certificates are valid.

Domain owners publish TLSA records in their DNS zone. The records are cryptographically signed with DNSSEC, creating a chain of trust that clients validate before accepting TLS connections.
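The client-side check described above, as an added example that is not from the article. It goes beyond the text by using the TLSA field layout of RFC 6698 (usage, selector, matching type) and the SMTP fallback rules of RFC 7672, and it handles only DANE-EE (usage 3) records; the function names and the sample certificate and key bytes are constructed for illustration.

```python
import hashlib
from typing import NamedTuple

class TLSA(NamedTuple):
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(text: str) -> TLSA:
    """Parse presentation format, e.g. '3 1 1 ab12...' (hex may be split by spaces)."""
    usage, selector, mtype, *hexparts = text.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))

def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare one record with the end-entity certificate the server presented."""
    if rec.selector not in (0, 1) or rec.mtype not in (0, 1, 2):
        return False  # unknown field values make the record unusable
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 1:
        selected = hashlib.sha256(selected).digest()
    elif rec.mtype == 2:
        selected = hashlib.sha512(selected).digest()
    return selected == rec.data

def smtp_decision(tlsa_texts, dnssec_secure, starttls_offered, cert_der, spki_der):
    """Return 'deliver', 'refuse', or 'opportunistic' for one MX host."""
    if not dnssec_secure or not tlsa_texts:
        # Unsigned answers prove nothing, so DANE does not apply to this host.
        return "opportunistic"
    if not starttls_offered:
        # Signed TLSA records say TLS is expected: a missing STARTTLS is a downgrade.
        return "refuse"
    recs = [parse_tlsa(t) for t in tlsa_texts]
    if any(r.usage == 3 and tlsa_matches(r, cert_der, spki_der) for r in recs):
        return "deliver"
    return "refuse"  # certificate is not one the domain owner published

# Constructed stand-ins for the DER bytes a real TLS handshake would supply.
CERT = b"constructed-certificate-der"
SPKI = b"constructed-public-key-der"
REC = "3 1 1 " + hashlib.sha256(SPKI).hexdigest()

if __name__ == "__main__":
    print(smtp_decision([REC], True, True, CERT, SPKI))         # pinned key presented
    print(smtp_decision([REC], True, False, b"", b""))          # STARTTLS stripped
    print(smtp_decision([REC], True, True, CERT, b"other-key")) # unexpected key
    print(smtp_decision([REC], False, False, b"", b""))         # zone not signed
```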

While DANE adoption remains limited compared to alternatives like MTA-STS, it is increasingly used by government agencies, email providers, and organizations where email confidentiality is critical, with recent support announced by Microsoft in 2024.
