DANE Explained

How DNSSEC and TLSA records secure encrypted email delivery and prevent TLS interception attacks


What is DANE?

DANE (DNS-Based Authentication of Named Entities, RFC 6698) lets a domain publish, in DNSSEC-signed TLSA records, the certificate or public key (or a hash of either) that its TLS service will present. A client that validates DNSSEC can then check the certificate it receives against the TLSA data instead of relying only on the certificate authority (CA) trust store.

Its most common deployment is SMTP transport security between mail servers (RFC 7672), where it protects against:

- STARTTLS stripping and other downgrades to plaintext: a DNSSEC-validated TLSA record tells the sender that TLS is mandatory for this destination;
- TLS interception with a substituted certificate: the interceptor's certificate does not match the published TLSA data, even if a public CA would sign it.

How DANE works

When a DANE-aware mail server delivers email, the following validation process occurs:


Sending Mail Server
        ↓
DNS MX lookup
        ↓
TLSA record lookup
        ↓
DNSSEC validation
        ↓
TLS connection starts
        ↓
Certificate compared to TLSA
        ↓
Mail delivered securely

If the TLSA records are DNSSEC-validated but the presented certificate matches none of them, the sender must not deliver: the message is deferred and retried later rather than sent over an unauthenticated connection.

What is a TLSA record?

TLSA records bind a TLS certificate or public key to a service name; the owner name is _port._protocol.hostname. Example:

_25._tcp.mail.example.com. 3600 IN TLSA 3 1 1 2A3F1D6E8E2F4C7E9A...

TLSA record structure

Field      Example  Meaning
Usage      3        DANE-EE: the end-entity certificate itself must match; no CA chain is consulted
Selector   1        SubjectPublicKeyInfo (the public key) rather than the full certificate (0)
Matching   1        SHA-256 hash of the selected data (0 = raw data, 2 = SHA-512)
Data       hash     SHA-256 of the server's public key, as hex

Where the TLSA hash comes from

The TLSA data is derived from the TLS certificate or from its public key, depending on the selector. For SMTP deployments the recommended and most common configuration is:

3 1 1

Meaning: usage 3 (DANE-EE, match the server's own certificate), selector 1 (hash the SubjectPublicKeyInfo, not the whole certificate), matching type 1 (SHA-256). Hashing the public key rather than the certificate means the record survives certificate renewals as long as the key pair is reused. When you rotate the key, publish the new record alongside the old one, wait at least the record TTL, then switch certificates; otherwise DANE-enforcing senders will defer mail until the records match again.

Generating the TLSA hash manually

Step 1 — Retrieve the certificate the server presents (s_client reads from stdin, so close it):

openssl s_client -connect mail.example.com:25 -starttls smtp </dev/null 2>/dev/null \
| openssl x509 -outform PEM > cert.pem

Fetching the certificate over the network is fine for checking a record that is already published. When creating a record, run Step 2 against the certificate file you are about to deploy instead of cert.pem, so that interception of this very connection cannot feed you an attacker's key.

Step 2 — Extract the public key (SubjectPublicKeyInfo) in DER form and hash it:

openssl x509 -in cert.pem -noout -pubkey \
| openssl pkey -pubin -outform DER \
| openssl sha256

Result (OpenSSL 3 prints the digest name instead of the empty prefix):

(stdin)= 2a3f1d6e8e2f....

This becomes:

_25._tcp.mail.example.com. IN TLSA 3 1 1 2A3F1D6E8E2F...
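The same derivation and the matching step from the "How DANE works" sequence, as an added example in Python that is not part of the original page. It uses only the standard library: a small DER walker finds the SubjectPublicKeyInfo inside a certificate, the TLSA data is computed for the requested selector and matching type, and a presented certificate is checked against a TLSA RRset the way a DANE-EE (usage 3) verifier does. The two certificates are constructed fixtures with the DER layout of a v3 certificate but no real signature, so the script runs offline; usage 2 (DANE-TA) is deliberately left out because it needs chain building.

```python
"""TLSA data generation and DANE-EE matching (RFC 6698 fields), standard library only."""
import hashlib

# ---- minimal DER helpers: enough to build a fixture and to walk a real certificate ----

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_read(buf, pos):
    """Return (tag, value, position after this TLV) for the element starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                       # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of a certificate (what selector 1 hashes).

    Certificate    ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature, issuer,
                                  validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert_body, _ = der_read(cert_der, 0)
    _, tbs, _ = der_read(cert_body, 0)
    pos = 0
    tag, _, nxt = der_read(tbs, 0)
    if tag == 0xA0:                        # explicit [0] version is absent in v1 certs
        pos = nxt
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    tag, _, end = der_read(tbs, pos)
    if tag != 0x30:
        raise ValueError("malformed certificate: SPKI is not a SEQUENCE")
    return tbs[pos:end]

# ---- TLSA data (RFC 6698 section 2.1): selector picks the material, mtype how it is stored ----

def tlsa_data(cert_der, selector, mtype):
    if selector == 0:
        material = cert_der                # full certificate
    elif selector == 1:
        material = extract_spki(cert_der)  # SubjectPublicKeyInfo only
    else:
        raise ValueError("unsupported selector %d" % selector)
    if mtype == 0:
        return material                    # raw data, no hashing
    if mtype == 1:
        return hashlib.sha256(material).digest()
    if mtype == 2:
        return hashlib.sha512(material).digest()
    raise ValueError("unsupported matching type %d" % mtype)

def tlsa_record(cert_der, usage, selector, mtype):
    """The (usage, selector, mtype, hexdata) tuple an operator would publish."""
    return (usage, selector, mtype, tlsa_data(cert_der, selector, mtype).hex().upper())

def presentation(name, port, rec):
    u, s, m, d = rec
    return "_%d._tcp.%s. IN TLSA %d %d %d %s" % (port, name, u, s, m, d)

def dane_ee_match(cert_der, rrset):
    """True if the presented certificate matches any usable DANE-EE (usage 3) record.

    Records with an unknown selector or matching type are skipped as unusable
    (RFC 7672); if none is usable the caller falls back, it does not fail open.
    """
    for usage, selector, mtype, hexdata in rrset:
        if usage != 3:
            continue
        try:
            if tlsa_data(cert_der, selector, mtype) == bytes.fromhex(hexdata):
                return True
        except ValueError:
            continue
    return False

# ---- constructed fixtures (not real certificates): DER layout of a v3 certificate ----

def synthetic_cert(key_bytes):
    rsa_oid = bytes.fromhex("06092A864886F70D010101")          # rsaEncryption
    alg = der_tlv(0x30, rsa_oid + b"\x05\x00")
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + key_bytes))
    name = der_tlv(0x30, b"")                                    # empty Name is enough here
    validity = der_tlv(0x30, der_tlv(0x17, b"250101000000Z") * 2)
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 17))  # dummy signature

SERVER_CERT = synthetic_cert(bytes(range(1, 33)))    # key the operator actually published
ROGUE_CERT = synthetic_cert(bytes(range(33, 65)))    # an interceptor's substitute certificate
RRSET = [tlsa_record(SERVER_CERT, 3, 1, 1)]          # what _25._tcp.mail.example.com serves

if __name__ == "__main__":
    print(presentation("mail.example.com", 25, RRSET[0]))
    print("legitimate certificate matches:", dane_ee_match(SERVER_CERT, RRSET))
    print("substituted certificate matches:", dane_ee_match(ROGUE_CERT, RRSET))
```

Feed extract_spki a real DER certificate (openssl x509 -outform DER) and tlsa_data(cert, 1, 1) returns the same digest as the openssl pipeline above; the substituted certificate fails even though nothing about it is otherwise invalid, which is the whole point of DANE-EE.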

Generating TLSA records automatically

Most operators generate TLSA records with a tool rather than by hand. The tlsa utility from the hash-slinger package (hash-slinger is the package name; the command it installs is tlsa) creates them from a live connection or a certificate file. Pass the parameters explicitly so the record comes out as 3 1 1:

tlsa --create --port 25 --protocol tcp --usage 3 --selector 1 --mtype 1 mail.example.com

or, with ldns-dane from the ldns package:

ldns-dane create mail.example.com 25 3 1 1

Using DANE with Postfix

Postfix (2.11 and later) supports DANE for outbound SMTP: when the recipient's MX host publishes DNSSEC-validated TLSA records, Postfix requires TLS and requires the server certificate to match them, without relying exclusively on Certificate Authorities.

Example Postfix configuration

# /etc/postfix/main.cf

# Opportunistic DANE: enforce DANE where validated TLSA records exist,
# fall back to opportunistic TLS ("may") where they do not.
smtp_tls_security_level = dane
# Request DNSSEC validation (AD bit) from the resolver; required for "dane".
smtp_dns_support_level = dnssec

smtp_tls_loglevel = 1

smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1

smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high

smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

What this configuration does

smtp_tls_security_level = dane turns on opportunistic DANE. smtp_dns_support_level = dnssec makes Postfix request DNSSEC validation from its resolver; the resolver listed in /etc/resolv.conf must itself validate (for example unbound on 127.0.0.1), because Postfix trusts the AD bit it gets back and a forwarder reached over an untrusted network could set it on spoofed answers. smtp_tls_loglevel = 1 logs one summary line per TLS connection, which the checks below rely on. smtp_tls_CAfile is still used for destinations without TLSA records, so their certificates can be logged as Trusted rather than Untrusted. The protocol lines exclude SSLv2/3 and TLS 1.0/1.1 (on Postfix 3.6 and later the same can be written as >=TLSv1.2), and the cipher lines restrict both opportunistic and mandatory TLS to the "high" grade.

How Postfix uses DANE

Postfix follows the sequence shown earlier: MX lookup, TLSA lookup for _25._tcp.<mx-host>, DNSSEC validation of both, STARTTLS, then a certificate match against the TLSA data. The result of the TLSA lookup decides the effective security level for that connection:

- usable, DNSSEC-validated TLSA records: level dane; TLS is mandatory and the certificate must match, otherwise the mail is deferred;
- validated TLSA records that are all unusable (unknown usage, selector or matching type): level encrypt; TLS is mandatory but unauthenticated;
- no TLSA records, or an MX or TLSA lookup that was not DNSSEC-validated: level may; opportunistic TLS with plaintext fallback.

Because the MX records must themselves be secure before the TLSA lookup can be trusted, a DANE deployment needs DNSSEC on the recipient domain as well as on the zone that holds the MX host's TLSA records.


Checking TLSA records manually

dig +dnssec _25._tcp.mail.example.com TLSA

Check for two things in the answer: the TLSA record itself, and the ad flag in the header line (flags: qr rd ra ad), which shows that the resolver you queried validated the signatures. Without ad, Postfix ignores the record and falls back to opportunistic TLS.

Postfix also ships posttls-finger, which performs the full DANE lookup and handshake against a destination without sending mail:

posttls-finger -c -L summary -l dane example.com

Testing DANE delivery logs

postfix reload

tail -f /var/log/mail.log

Example of a successful DANE validation (with smtp_tls_loglevel = 1):

Verified TLS connection established to mail.example.com[...]:25: TLSv1.3 with cipher ...

DANE-authenticated connections are logged as Verified. A line that says Trusted means the certificate chained to a CA in smtp_tls_CAfile but DANE was not in play (no usable TLSA records); Untrusted and Anonymous mean no authentication at all. Only Verified shows that the TLSA match succeeded.
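A check that turns the log reading above into something you can run over a mail log, as an added example that is not part of the original page. The log lines are constructed in Postfix's smtp_tls_loglevel = 1 format with documentation addresses; the list of destinations expected to be DANE-protected is an operator-maintained assumption (Postfix does not log "DANE" as such, so the list is what lets you tell a legitimate Trusted or Untrusted line from one that means DANE silently stopped working).

```python
"""Classify Postfix smtp(8) TLS summary lines and flag DANE destinations that were not Verified."""
import re
from collections import defaultdict

TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<trust>Verified|Trusted|Untrusted|Anonymous) TLS connection "
    r"established to (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)"
)

# Constructed sample log (not real traffic). Line 5 shows the failure mode that matters:
# a DANE destination that was reached without authentication, which with
# smtp_tls_security_level = dane means the TLSA lookup came back insecure or empty.
SAMPLE_LOG = """\
Mar  3 10:01:12 mx1 postfix/smtp[4121]: Verified TLS connection established to mail.example.com[192.0.2.25]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Mar  3 10:01:40 mx1 postfix/smtp[4122]: Trusted TLS connection established to mx.example.net[198.51.100.7]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
Mar  3 10:02:05 mx1 postfix/smtp[4123]: Untrusted TLS connection established to smtp.example.org[203.0.113.9]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar  3 10:02:31 mx1 postfix/smtp[4124]: Anonymous TLS connection established to relay.example.org[203.0.113.10]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Mar  3 10:02:58 mx1 postfix/smtp[4125]: Untrusted TLS connection established to mail.example.com[192.0.2.25]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  3 10:03:02 mx1 postfix/smtp[4126]: 5D1C3A2B: to=<bob@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.4, status=sent (250 2.0.0 Ok)
"""

def parse_tls_log(text):
    """Return one dict per TLS summary line; other Postfix lines are ignored."""
    events = []
    for line in text.splitlines():
        m = TLS_LINE.search(line)
        if m:
            event = m.groupdict()
            event["port"] = int(event["port"])
            events.append(event)
    return events

def trust_by_host(events):
    """Map destination host to the set of trust levels seen for it."""
    seen = defaultdict(set)
    for event in events:
        seen[event["host"]].add(event["trust"])
    return dict(seen)

def dane_alerts(events, dane_hosts):
    """Hosts in dane_hosts (assumed operator list of destinations that publish TLSA records)
    with any connection not logged as Verified. Under smtp_tls_security_level = dane that
    should never happen, so it points at a resolver that stopped validating, a TLSA record
    that no longer matches the served key, or a DNSSEC chain that broke upstream."""
    alerts = {}
    for host, levels in trust_by_host(events).items():
        unauthenticated = levels - {"Verified"}
        if host in dane_hosts and unauthenticated:
            alerts[host] = sorted(unauthenticated)
    return alerts

if __name__ == "__main__":
    events = parse_tls_log(SAMPLE_LOG)
    print(trust_by_host(events))
    print(dane_alerts(events, {"mail.example.com"}))
```

Run it against the real file (open("/var/log/mail.log").read()) with the hosts you know publish TLSA records; an alert on a host that was Verified yesterday is the earliest sign that DNSSEC validation on your resolver has quietly stopped, since Postfix then degrades to opportunistic TLS without any error.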

Requirements for DANE

On the receiving side: the zone that contains the MX host name must be DNSSEC-signed with an unbroken chain of trust from the root, and it must publish TLSA records for _25._tcp.<mx-host> that match the certificate actually served on port 25. The recipient domain's MX records must be signed as well, or senders treat the whole lookup as insecure and ignore the TLSA data. On the sending side: a DANE-capable MTA and a DNSSEC-validating resolver that it reaches over a path an attacker cannot tamper with.

Why DANE matters for cybersecurity

DANE improves email transport security by removing blind trust in any publicly trusted certificate authority and replacing it with a binding that the domain owner controls and DNSSEC signs. This matters most against the attacks the protocol was designed for: STARTTLS downgrade, which DANE defeats because a validated TLSA record makes TLS mandatory, and interception with a substituted certificate, which fails because the interceptor's key does not match the published hash.

DANE vs MTA-STS

Feature                DANE                                    MTA-STS
Trust model            DNSSEC-signed TLSA records              Web PKI certificate plus a policy fetched over HTTPS
Downgrade protection   Strong: policy lives in signed DNS      Moderate: relies on a cached policy; first contact is unprotected
Deployment complexity  Higher: requires DNSSEC on the zone     Lower: a DNS TXT record and an HTTPS endpoint
Security strength      Very high                               Good

Frequently Asked Questions

What is DANE?

DANE uses DNSSEC-protected TLSA records to authenticate TLS certificates.

What is a TLSA record?

A TLSA record binds a TLS certificate or public key to a domain name.

Does DANE replace certificate authorities?

It can. With usage 3 (DANE-EE) the sender checks only that the certificate matches the published hash and does not consult the CA trust store at all; with usage 2 (DANE-TA) the domain publishes its own trust anchor in DNS. In practice most domains keep using CA-issued certificates, so DANE removes the dependence on CA trust rather than on the certificates themselves.

Planisys 2026 © All rights reserved.