What is DANE and DNSSEC?

DANE is a security protocol that goes beyond the standard HTTPS protocol in securing the trust chain between server, Certificate Authority, and user.

In the current HTTPS protocol it is assumed that certificates issued by a trusted CA are automatically also trusted and secure. The root certificate of the CA is used as a so-called ‘trust anchor’. However, this means that if a trusted CA is hacked, browsers won’t be able to differentiate between real and falsely issued certificates.

DNSSEC

DNSSEC was created to uplift the security of domains. This protocol means that a separate certificate is created for the nameserver of a domain. A summary of this public certificate is then handed over to the registry handling the TLD. Any time a browser sends a request, the registry responds with not only the nameserver data, but also the signature belonging to the certificate. When this signature does not correspond with the information on the nameserver, or is missing from the response, the DNS data is invalid.

DANE

DANE is a protocol that only works when DNSSEC is activated. DANE lets the browser check the TLSA record for a public fingerprint of a certificate that the user has marked as safe. This could be the intermediate certificate of the CA that issued the certificate on the server, but could also be the fingerprint of the certificate itself.

Creating a TLSA record can easily be done online with the help of a generator such as the TLSA Generator on SSL-tools.net.