DANE
DANE stands for “DNS-based Authentication of Named Entities” and is a protocol that builds on DNSSEC.
What do you need DANE for?
TLS uses certificates that are meant to authenticate the communication partner. These certificates are issued by a CA (Certification Authority). Because this model has known weaknesses (e.g. the theft of a certificate that can then be used to issue further certificates in the name of a CA), an additional safeguard is desirable. DANE addresses this by allowing an operator to use self-signed certificates. The owner of a domain is thus no longer dependent on the trustworthiness of a CA.
How does DANE work?
The administrator of a mail server publishes a TLSA record in the domain's DNS zone that contains a checksum (hash) of the server's certificate.
When a sending mail server connects to this mail server, the receiving server presents its certificate as part of the TLS handshake. The sending server computes the checksum of that certificate and compares it with the TLSA record of its communication partner; the DNS query for that record is secured by DNSSEC. If the checksums match, the connection is considered secure.
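The publish-and-verify steps above, as an added Python example that is not code from the original page: the admin side derives the TLSA record from the certificate, the sending side parses the record and checks the certificate it received. The DER byte strings are constructed placeholders rather than real certificates, and the record name `_25._tcp.mail.example` in the comments is an assumed illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSARecord:
    usage: int     # 3 = DANE-EE: the end-entity certificate itself, no CA chain consulted
    selector: int  # 0 = whole certificate (DER), 1 = SubjectPublicKeyInfo only
    matching: int  # 0 = exact bytes, 1 = SHA-256 digest, 2 = SHA-512 digest
    data: bytes    # "certificate association data": the checksum the admin published

def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the zone-file form '3 1 1 <hex>'; the hex may be split by whitespace."""
    usage, selector, matching, *hex_parts = presentation.split()
    rec = TLSARecord(int(usage), int(selector), int(matching), bytes.fromhex("".join(hex_parts)))
    if rec.usage not in (0, 1, 2, 3) or rec.selector not in (0, 1) or rec.matching not in (0, 1, 2):
        raise ValueError("unsupported TLSA parameters")
    return rec

def association_data(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive the bytes a TLSA record with these parameters carries for this certificate."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.matching == 0:
        return selected
    if rec.matching == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()

def make_tlsa(usage: int, selector: int, matching: int, cert_der: bytes, spki_der: bytes) -> str:
    """Admin side: the record published in DNS (assumed name: _25._tcp.mail.example)."""
    data = association_data(TLSARecord(usage, selector, matching, b""), cert_der, spki_der)
    return f"{usage} {selector} {matching} {data.hex()}"

def tlsa_matches(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Sender side: compare the checksum of the presented certificate with the record.
    Assumes the record came from a DNSSEC-validating resolver; the extra PKIX chain
    checks required for usages 0-2 are outside this example."""
    return hmac.compare_digest(association_data(rec, cert_der, spki_der), rec.data)

# Constructed sample bytes standing in for real DER encodings (not real certificates).
SAMPLE_CERT_DER = b"\x30\x82CONSTRUCTED-CERT-FOR-mail.example"
SAMPLE_SPKI_DER = b"\x30\x59CONSTRUCTED-SPKI-OF-THE-LEGITIMATE-KEY"
ROGUE_CERT_DER = b"\x30\x82CONSTRUCTED-CERT-FROM-A-COMPROMISED-CA"
ROGUE_SPKI_DER = b"\x30\x59CONSTRUCTED-SPKI-OF-AN-ATTACKER-KEY"
# The admin publishes a DANE-EE / SPKI / SHA-256 record for the legitimate key.
PUBLISHED_RECORD = make_tlsa(3, 1, 1, SAMPLE_CERT_DER, SAMPLE_SPKI_DER)

if __name__ == "__main__":
    rec = parse_tlsa(PUBLISHED_RECORD)
    print("legitimate cert accepted:", tlsa_matches(rec, SAMPLE_CERT_DER, SAMPLE_SPKI_DER))
    print("rogue CA-issued cert accepted:", tlsa_matches(rec, ROGUE_CERT_DER, ROGUE_SPKI_DER))
```

A certificate issued for the same name by a compromised CA fails the check because its key, and hence its checksum, differs from the one the domain owner published.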