DANE - DNS-based Authentication of Named Entities

Now that the information provided by our DNS servers is digitally signed and can therefore be trusted, we can use our DNS servers to publish additional authenticated and verifiable information.


Note that DNSSEC, and therefore also DANE, is being adopted very slowly. As of May 2014 not even all TLDs are ready for DNSSEC. Less than 10% of Internet domains have implemented DNSSEC and secured their records. The same is true of clients: no major browser, mail client or messaging application supports anything DNSSEC-related out of the box.


As with all things DNS and TLS and certainly the combination of them, things get overly complicated quickly.

Therefore we install the little helper program called hash-slinger. For its operation, the trusted root key of the top-level DNS root must be available, so that all signatures along the way can be checked correctly. The tool unbound-anchor provides just that.

They are both in the Ubuntu Software Repository:

$ sudo apt-get install unbound-anchor hash-slinger
$ sudo unbound-anchor
$ sudo wget -O /etc/unbound/dlv.isc.org.key \

Once installed, the new commands tlsa, openpgpkey and sshfp are available.


Using TLSA records in DNS we can provide information about a server certificate. A connecting client can query DNS to verify the certificate the server has presented, without the need for a third party such as the various commercial certificate authorities.

The TLSA entry in DNS consists of a service name and a piece of information that uniquely identifies the server certificate (a hash).

To create such a DNS RR for our webserver example.net:

$ tlsa --create --certificate /etc/ssl/certs/example.net.cert.pem example.net
_443._tcp.example.net. IN TLSA 3 0 1 f8df4b2e...............................76a2a0e5

A line will be displayed which can be copied and pasted into zone files.
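What the "3 0 1" record above contains, and how a client compares it with the certificate a server presents, shown as an added example (not part of hash-slinger or of the original page). The function names and the sample bytes are assumptions made for illustration; only selector 0 (full certificate) is handled.

```python
import hashlib
import hmac
import ssl

# Matching types defined in RFC 6698: 0 = raw bytes, 1 = SHA-256, 2 = SHA-512.
def association_data(der: bytes, mtype: int) -> str:
    if mtype == 0:
        return der.hex()
    if mtype == 1:
        return hashlib.sha256(der).hexdigest()
    if mtype == 2:
        return hashlib.sha512(der).hexdigest()
    raise ValueError(f"unknown matching type {mtype}")

def tlsa_record(pem: str, host: str, port: int = 443, proto: str = "tcp",
                usage: int = 3, selector: int = 0, mtype: int = 1) -> str:
    """Build a zone-file line from a PEM certificate (selector 0 only)."""
    if selector != 0:
        # Selector 1 hashes only the SubjectPublicKeyInfo and needs an ASN.1 parser.
        raise NotImplementedError("only selector 0 (full certificate) is handled")
    der = ssl.PEM_cert_to_DER_cert(pem)
    return (f"_{port}._{proto}.{host}. IN TLSA "
            f"{usage} {selector} {mtype} {association_data(der, mtype)}")

def cert_matches(rdata: str, presented_der: bytes) -> bool:
    """Client side: compare the presented certificate with TLSA rdata 'u s m hex'.

    Only meaningful when the TLSA answer itself was DNSSEC-validated.
    """
    usage, selector, mtype, data = rdata.split(None, 3)
    if selector != "0":
        raise NotImplementedError("only selector 0 (full certificate) is handled")
    expected = "".join(data.split()).lower()  # zone files may split or upper-case the hex
    actual = association_data(presented_der, int(mtype))
    return hmac.compare_digest(expected, actual)

# Constructed stand-in bytes, not a real certificate; with selector 0 the DER
# encoding is hashed as an opaque blob, so any bytes show the mechanics.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    record = tlsa_record(SAMPLE_PEM, "example.net")
    print(record)
    print(cert_matches(record.split("TLSA ", 1)[1], SAMPLE_DER))         # same cert
    print(cert_matches(record.split("TLSA ", 1)[1], SAMPLE_DER + b"!"))  # different cert
```

Because the hash covers the whole certificate, the record has to be regenerated and republished whenever the certificate is replaced.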

If you use the PowerDNS server with the poweradmin web interface, add records as follows:






3 0 1 f8df4b2e………………………….76a2a0e5


The fields Priority and TTL can be left empty.

Repeat the above for every webserver in your DNS that answers on TLS port 443:

$ tlsa --create --certificate /etc/ssl/certs/example.net.cert.pem www.example.net
$ tlsa --create --certificate /etc/ssl/certs/example.net.cert.pem cloud.example.net

To create records for other, non-web types of servers, the port number has to be added to the tlsa command.

For an XMPP server:

$ tlsa --create --certificate /etc/ssl/certs/example.net.cert.pem --port 5269 xmpp.example.net
$ tlsa --create --certificate /etc/ssl/certs/example.net.cert.pem --port 5222 xmpp.example.net

For a mail server:

$ tlsa --create --certificate /etc/ssl/certs/example.net.cert.pem --port 25 mail.example.net