DNS-based Authentication of Named Entities (DANE) is an Internet security protocol to allow X.509 digital certificates, commonly used for Transport Layer Security (TLS), to be bound to domain names using Domain Name System Security Extensions (DNSSEC). TLS/SSL encryption is currently based on certificates issued by certificate authorities (CAs). Within the last few years, a number of CA providers suffered serious security breaches, allowing the issuance of certificates for well-known domains to those who don’t own those domains. Trusting a large number of CAs might be a problem because any breached CA could issue a certificate for any domain name. DANE enables the administrator of a domain name to certify the keys used in that domain’s TLS clients or servers by storing them in the Domain Name System (DNS). DANE needs the DNS records to be signed with DNSSEC for its security model to work. Additionally, DANE allows a domain owner to specify which CA is allowed to issue certificates for a particular resource, which solves the problem of any CA being able to issue certificates for any domain. (Source: Wikipedia)
External Guides
There are many ways of enabling HTTPS on your site with DANE depending on your technical aptitude.
Beginners can try Handout, a combination webserver and nameserver with a single-command configuration script:
These are more technical and detailed methods for advanced developers:
To create a self-signed SSL cert and compute its TLSA record (for developers already running a nameserver and webserver):
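The TLSA computation mentioned above, as an added example that is not one of the linked guides' own scripts: it creates a throwaway self-signed certificate and derives a DANE-EE record (usage 3, selector 1 for the SubjectPublicKeyInfo, matching type 1 for SHA-256), then sanity-checks the record's shape. It assumes openssl is installed; example.com and the temporary file paths are placeholders.

```shell
#!/bin/sh
# Added example: derive a "3 1 1" TLSA record from a certificate.
# The digest is SHA-256 over the DER-encoded SubjectPublicKeyInfo, so the
# record keeps validating after the cert is renewed with the same key.
# Assumes openssl is on PATH; hostnames and paths below are placeholders.
set -e

# Create a throwaway self-signed certificate (constructed test input,
# not a real site key). $1 = hostname, $2 = cert path, $3 = key path
make_selfsigned_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$3" -out "$2" >/dev/null 2>&1
}

# Print the hex SHA-256 of the certificate's DER SubjectPublicKeyInfo.
spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 \
    | sed 's/^.*= *//'
}

# Print the full TLSA resource record for HTTPS on port 443.
# 3 = DANE-EE (trust this key directly, no CA chain needed),
# 1 = SubjectPublicKeyInfo, 1 = SHA-256.  $1 = hostname, $2 = cert path
tlsa_record() {
  printf '_443._tcp.%s. IN TLSA 3 1 1 %s\n' "$1" "$(spki_sha256 "$2")"
}

# Check a record before publishing it: owner name, usage/selector/matching
# fields, and a 64-hex-digit digest.  Returns non-zero on a malformed record.
validate_tlsa() {
  printf '%s\n' "$1" \
    | grep -Eq '^_443\._tcp\.[A-Za-z0-9.-]+\. IN TLSA 3 1 1 [0-9a-f]{64}$'
}

main() {
  dir=$(mktemp -d)
  make_selfsigned_cert example.com "$dir/cert.pem" "$dir/key.pem"
  rec=$(tlsa_record example.com "$dir/cert.pem")
  validate_tlsa "$rec"
  printf '%s\n' "$rec"
  rm -rf "$dir"
}
main
```

The record only means anything when it is served from a DNSSEC-signed zone, as the paragraph above notes; an unsigned zone lets a resolver-side attacker strip or replace it.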
Additional Guides on Creating Handshake Websites
These methods may not enforce HTTPS/DANE, and may have other security or centralization issues.