Deploy360 10 November 2015

ION Cape Town: Great DANE

By Kevin Meynell, Senior Manager, Technical and Operational Engagement

This week we’re highlighting some of the topics that were covered during ION Cape Town a couple of months back. This was our third ION conference of 2015, and was held in conjunction with South Africa iWeek 2015, which has been South Africa’s leading annual Internet industry conference since 2001.

Today we’re looking at DANE (DNS-based Authentication of Named Entities), which allows the X.509 certificates commonly used for TLS to be bound to DNS names using DNSSEC. The rationale is covered quite nicely in the presentation by Michuki Mwanga, ISOC’s Regional Development Manager for Africa: TLS relies on X.509 certificates to authenticate the public key a server presents. These are issued either by one of the many CAs trusted by the major operating system and browser vendors, by a CA where trust has been established through other means, or are self-signed. The fundamental problems are that any trusted CA can in principle issue a certificate for any domain, that standards of domain verification differ between CAs, and that the sheer number of CAs issuing certificates increases the chances of an incorrect or fraudulent certificate being issued, which a client relying on CA trust alone cannot detect.

DANE builds on the DNS concept that domain name holders control their own name resources, and on DNSSEC, which lets them assert those resources through digital signatures. In practice the domain holder publishes a TLSA record stating which certificate, CA or public key a client should expect for a given service, and the DNSSEC chain of trust vouches for that record rather than a third-party CA.

Jan Zorz, the Internet Society’s Operational Engagement Manager, has also undertaken some testing of DANE with SMTP in the Go6lab. The test sent an e-mail to each of the top one million Alexa domains: 99% of those had mail servers, and nearly 70% of the attempted SMTP sessions were encrypted with TLS. Breaking that down, 41% of sessions used a certificate from a trusted CA, 17% used an untrusted certificate, 11% were opportunistic and unsigned, whilst just 0.13% were verified by DANE using TLSA records. The testing did serve to demonstrate that around 70% of e-mail can be encrypted in some manner, even though DNSSEC needs to be far more widely deployed before the benefits of DANE can be realised.
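To make the binding and the SMTP check concrete, here is an added example (not code from this post, from Go6lab’s test, or from any MTA) of both sides of DANE for SMTP: the record a domain holder publishes for its mail server’s certificate, and what a sending client does with it. The client builds the owner name `_25._tcp.<mx>`, parses the usage/selector/matching-type octets of each TLSA record, extracts the certificate’s SubjectPublicKeyInfo with a minimal DER walker, hashes it and compares. Everything is constructed in-line and uses only the Python standard library: `toy_certificate` produces a hand-built DER skeleton with a throwaway key (not a real certificate), the TLSA RRsets are synthetic, and the `dnssec_validated` flag stands in for the resolver’s AD bit. Chain signature validation, which a real client still needs for DANE-TA, is deliberately omitted.

```python
"""DANE/TLSA for SMTP (RFC 6698 / RFC 7672): publish a '3 1 1' record for a
certificate and check a server's chain against a DNSSEC-validated TLSA RRset.
Standard library only; the certificate and records below are constructed test data."""
import hashlib
import struct

# -- minimal DER encode/decode, just enough to build and walk a certificate skeleton --
SEQ, INT, BITSTR, NULL, OID, PRINTSTR, UTCTIME, SET = 0x30, 0x02, 0x03, 0x05, 0x06, 0x13, 0x17, 0x31
OID_RSA = bytes.fromhex("2a864886f70d010101")        # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA256RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption
OID_CN = bytes.fromhex("550403")                     # 2.5.4.3 commonName

def der(tag, body):
    """Encode one TLV with a short or long definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_read(buf, i=0):
    """Decode the TLV at buf[i]; return (tag, body, offset just after it)."""
    tag, ln, hdr = buf[i], buf[i + 1], 2
    if ln & 0x80:                      # long form: next (ln & 0x7F) bytes hold the length
        nb = ln & 0x7F
        ln = int.from_bytes(buf[i + 2:i + 2 + nb], "big")
        hdr += nb
    start = i + hdr
    return tag, buf[start:start + ln], start + ln

def der_children(tlv):
    """[(tag, full_tlv), ...] for the elements directly inside a SEQUENCE/SET."""
    _, body, _ = der_read(tlv)
    out, i = [], 0
    while i < len(body):
        tag, _, end = der_read(body, i)
        out.append((tag, body[i:end]))
        i = end
    return out

def _alg(oid):
    return der(SEQ, der(OID, oid) + der(NULL, b""))

def _name(cn):
    return der(SEQ, der(SET, der(SEQ, der(OID, OID_CN) + der(PRINTSTR, cn.encode()))))

def toy_certificate(cn, key_bytes):
    """Constructed test data: RFC 5280 Certificate structure with a throwaway key and an
    all-zero signature. NOT a real certificate; it only has to be walkable."""
    spki = der(SEQ, _alg(OID_RSA) + der(BITSTR, b"\x00" + key_bytes))
    validity = der(SEQ, der(UTCTIME, b"150101000000Z") + der(UTCTIME, b"250101000000Z"))
    tbs = der(SEQ, der(0xA0, der(INT, b"\x02"))   # [0] EXPLICIT version v3
                   + der(INT, b"\x01")            # serialNumber
                   + _alg(OID_SHA256RSA)          # signature algorithm
                   + _name("Example Test CA")     # issuer
                   + validity + _name(cn) + spki) # validity, subject, subjectPublicKeyInfo
    return der(SEQ, tbs + _alg(OID_SHA256RSA) + der(BITSTR, b"\x00" * 33))

def cert_spki(cert_der):
    """DER SubjectPublicKeyInfo of a certificate (what TLSA selector 1 covers)."""
    fields = der_children(der_children(cert_der)[0][1])          # TBSCertificate fields
    return fields[6 if fields[0][0] == 0xA0 else 5][1]           # version [0] is optional

# -- TLSA records (RFC 6698) and the SMTP client check (RFC 7672) --
USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}

def tlsa_owner(mx_host, port=25):
    """Owner name an SMTP client queries, e.g. _25._tcp.mail.example.com."""
    return "_%d._tcp.%s." % (port, mx_host.rstrip("."))

def parse_tlsa(rdata):
    """Wire RDATA -> (usage, selector, matching_type, certificate association data)."""
    if len(rdata) < 3:
        raise ValueError("TLSA RDATA too short")
    usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
    return usage, selector, mtype, rdata[3:]

def tlsa_presentation(rdata):
    u, s, m, d = parse_tlsa(rdata)
    return "%d %d %d %s" % (u, s, m, d.hex())

def association_data(cert_der, selector, mtype):
    """What a record with this selector / matching type must carry for cert_der."""
    obj = {0: cert_der, 1: cert_spki(cert_der)}[selector]               # full cert or SPKI
    return {0: obj, 1: hashlib.sha256(obj).digest(), 2: hashlib.sha512(obj).digest()}[mtype]

def tlsa_for_cert(cert_der, usage=3, selector=1, mtype=1):
    """Record the domain holder publishes; the defaults give the usual '3 1 1' form
    (same digest as `openssl x509 -pubkey | openssl pkey -pubin -outform DER | sha256sum`)."""
    return struct.pack("!BBB", usage, selector, mtype) + association_data(cert_der, selector, mtype)

def dane_verify(chain, tlsa_rrset, dnssec_validated):
    """chain[0] is the server's end-entity cert, chain[1:] the CAs it sent; dnssec_validated
    stands in for the AD bit. Returns (ok, reason). Path signature checking, which a real
    client must still do up to a matched DANE-TA, is out of scope here."""
    if not dnssec_validated:               # unsigned answer: DANE unusable, behave as if no TLSA
        return False, "TLSA RRset not DNSSEC-validated: fall back to opportunistic TLS"
    usable = 0
    for rdata in tlsa_rrset:
        usage, selector, mtype, data = parse_tlsa(rdata)
        # PKIX-TA/PKIX-EE are unusable for SMTP (RFC 7672); unknown field values likewise
        if usage not in (2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
            continue
        usable += 1
        for cert in (chain[:1] if usage == 3 else chain[1:]):     # DANE-EE: leaf; DANE-TA: issuers
            if association_data(cert, selector, mtype) == data:
                return True, "matched %s record %s" % (USAGE[usage], tlsa_presentation(rdata))
    return (False, "no usable TLSA records") if usable == 0 else (False, "no TLSA record matched the chain")

if __name__ == "__main__":
    ee = toy_certificate("mail.example.com", b"\x01" * 64)
    rr = tlsa_for_cert(ee)
    print(tlsa_owner("mail.example.com"), "IN TLSA", tlsa_presentation(rr))
    print(dane_verify([ee], [rr], dnssec_validated=True))
    print(dane_verify([ee], [rr], dnssec_validated=False))
```

The two failure paths are the ones that matter operationally: a TLSA answer without DNSSEC validation is silently worthless, which is why the post’s 0.13% figure tracks DNSSEC deployment so closely, and with a DANE-EE (usage 3) record the client matches the leaf certificate’s key directly, so CA trust, and the CA-issuance problems described above, never enter into it.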

Please do check out the other presentations and videos from the conference, as there are some interesting deployment case studies and trials of the Deploy360 technologies.


Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
