Using DNSSEC to improve S/MIME security Thumbnail
Domain Name System Security Extensions (DNSSEC) 1 September 2017

Using DNSSEC to improve S/MIME security

By Kevin MeynellFormer Senior Manager, Technical and Operational Engagement

RFC 8162 “Using Secure DNS to Associate Certificates with Domain Names for S/MIME” was published a couple of months ago. This seems to have gone a bit unnoticed, but defines an experimental protocol for verifying digital certificates associated with S/MIME messages in a similar manner to what DANE does for TLS.

S/MIME encoded messages often contain a digital certificate that authenticates the sender of the message and can be used for encrypting replies. However, in order for the receiver of the message to verify that the certificate belongs to the sender, their mail user agent also needs to be able to validate the trust anchor from where the certificate is derived. Trust anchors are often distributed with operating systems or are installed by users, but this relies on the integrity of these processes and the third-parties issuing the trust anchor.

RFC 8162 therefore defines a new DNS Resource Record (RR) type called SMIMEA that can be used by a domain owner to associate a certificate or public key with an e-mail address, thereby forming an SMIMEA certificate association. This association may be an end entity, intermediate or trust anchor certificate, and allows an application or service to lookup and verify a certificate or public key in the DNS.

Of course, a DNS zone containing SMIMEA records also needs to be DNSSEC-signed, and the DNS response should be correctly validated. All the more reason to be deploying DNSSEC, so please check out our Start Here page to find out how to get started!

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Open Standards Everywhere 11 June 2020

Listen to the Hedge Podcast 39 to Learn about the Open Standards Everywhere Project

What is our Open Standards Everywhere (OSE) project all about? How did it get started? What are the project...

Deploy360 19 February 2019

DNS Privacy & IPv6 Security @ APTLD 75

The Internet Society will be actively contributing to the APTLD 75 meeting on 20-21 February 2019 in Dubai, United...

Domain Name System (DNS) 8 February 2019

DNS Flag Day

The 1st of February was DNS Flag Day, which is an initiative of several DNS vendors and operators to...