Deploy360 2 December 2013

Afnic Publishes Issue Paper: “Securing Internet Communications End-to-end Using DANE Protocol”

By Dan YorkDirector, Internet Technology

Afnic paper on DANELast week, the great folks over at Afnic released an outstanding issue paper about how the DANE protocol and DNSSEC can bring a higher level of trust and security to Internet-based communications.  The issue paper, “Securing End-to-end Internet communications using DANE protocol“, is available in PDF (direct link) and walks through how DANE can be used to increase the security used in TLS/SSL certificates (PKIX).  The document describes the problems associated with the current world of certificates and then explains how DANE can make the situation more secure.

Readers of this Deploy360 site will know that we’ve produced similar types of documents ourselves, but not in an “issue paper” form that can be distributed.  The Afnic folks have done a great job with this and I like the graphics they are using.

As they note on the final page, DANE is for much more than web browsing – and in fact the major implementations we’re seeing right now are in other services like email and XMPP (Jabber). The browser vendors have so far not seen enough requests (we are told) to look at including DANE in their browsers.

Hopefully this document from Afnic will help people further understand the very real value DANE can bring in ensuring that you are using the correct TLS/SSL certificate when you are connecting to a web site.

Kudos to the Afnic team for creating this document – and I encourage everyone to share this document widely! (Thanks!)

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Improving Technical Security 15 March 2019

DNS Privacy Frequently Asked Questions (FAQ)

We previously posted about how the DNS does not inherently employ any mechanisms to provide confidentiality for DNS transactions,...

Improving Technical Security 14 March 2019

Introduction to DNS Privacy

Almost every time we use an Internet application, it starts with a DNS (Domain Name System) transaction to map...

Improving Technical Security 13 March 2019

IPv6 Security for IPv4 Engineers

It is often argued that IPv4 practices should be forgotten when deploying IPv6, as after all IPv6 is a...