There is an opinion: DANE technology for browsers has failed

We are talking about what DANE technology is for DNS domain name authentication and why it is not widely used in browsers.

[Photo: Unsplash / Paulius Dragunas]

What is DANE

Certification Authorities (CAs) are organizations that issue SSL certificates. They put their electronic signature on them, confirming their authenticity. However, situations sometimes arise when certificates are issued in violation of the rules. For example, last year Google initiated a "trust termination procedure" for Symantec certificates due to their compromise (we covered this story in detail in our blog: part one and part two).

To avoid such situations, several years ago the IETF began developing the DANE technology (it is not widely used in browsers, though; why that happened is discussed below).

DANE (DNS-based Authentication of Named Entities) is a set of specifications that allows DNSSEC (Domain Name System Security Extensions) to be used to validate SSL certificates. DNSSEC is an extension of the Domain Name System that minimizes address-spoofing attacks. Using these two technologies, a webmaster or client can turn to one of the DNS zone operators and confirm the validity of the certificate in use.

In effect, DANE acts as a self-signed certificate (DNSSEC is the guarantor of its trustworthiness) and complements the functions of a CA.

How it works

The DANE specification is described in RFC6698. The document adds a new type of DNS resource record, TLSA. It carries information about the certificate being presented, the size and type of the transmitted data, and the data itself. The webmaster creates a fingerprint of the certificate, signs it using DNSSEC, and places it in a TLSA record.

The client connects to a site on the Internet and compares the site's certificate with the "copy" obtained from the DNS operator. If they match, the resource is considered trusted.

The DANE wiki page gives the following example of a DNS query for the TLSA record of the example.com server on TCP port 443:

_443._tcp.example.com. IN TLSA

The answer looks like this:

_443._tcp.example.com. IN TLSA (
   3 0 0 30820307308201efa003020102020... )
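The three numbers in front of the hex data are the record's usage, selector and matching type (RFC6698, section 2.1): usage says whether the record constrains a normal CA-validated chain (0, 1) or is itself the trust anchor (2, 3); selector says whether the full certificate (0) or only its public key, the SubjectPublicKeyInfo (1), is matched; matching type says whether the data is the full object (0) or its SHA-256 (1) or SHA-512 (2) digest. The following is an added illustration, not code from the article or from any DANE implementation: a small Python validator that parses a TLSA record in zone-file form and applies those rules to a server's certificate chain. The certificate and SPKI byte strings are constructed stand-ins, not real DER objects, and the SPKI is assumed to be passed in pre-extracted (pulling it out of a real certificate needs an ASN.1 parser, which is left to the TLS library); the PKIX verdict is likewise assumed to come from the normal CA chain validation.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Sequence, Tuple

# Field meanings from RFC 6698, section 2.1.
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR_NAMES = {0: "Cert", 1: "SPKI"}
MATCHING_NAMES = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
DIGEST_LENGTHS = {1: 32, 2: 64}

# A certificate in the chain as (DER certificate, DER SubjectPublicKeyInfo).
# Assumption: the SPKI is extracted by the TLS library and passed in here.
ChainEntry = Tuple[bytes, bytes]


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    data: bytes


def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse the zone-file form '<usage> <selector> <matching type> <hex data>'.

    The hex may be split by whitespace, newlines or the parentheses used to
    wrap a long record in a master file.
    """
    fields = presentation.replace("(", " ").replace(")", " ").split()
    if len(fields) < 4:
        raise ValueError("TLSA record needs usage, selector, matching type and data")
    usage, selector, matching_type = (int(f) for f in fields[:3])
    if usage not in USAGE_NAMES or selector not in SELECTOR_NAMES or matching_type not in MATCHING_NAMES:
        raise ValueError("unassigned TLSA usage, selector or matching type")
    data = bytes.fromhex("".join(fields[3:]))
    expected_len = DIGEST_LENGTHS.get(matching_type)
    if expected_len is not None and len(data) != expected_len:
        raise ValueError(f"{MATCHING_NAMES[matching_type]} data must be {expected_len} bytes, got {len(data)}")
    return TLSARecord(usage, selector, matching_type, data)


def association_data(record: TLSARecord, entry: ChainEntry) -> bytes:
    """What a certificate looks like through the record's selector and matching type."""
    cert_der, spki_der = entry
    selected = cert_der if record.selector == 0 else spki_der
    if record.matching_type == 0:
        return selected
    if record.matching_type == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def tlsa_matches(record: TLSARecord, entry: ChainEntry) -> bool:
    # Constant-time comparison; lengths differ only when the record is malformed.
    return hmac.compare_digest(association_data(record, entry), record.data)


def dane_accepts(records: Sequence[TLSARecord], chain: Sequence[ChainEntry], pkix_valid: bool) -> bool:
    """Accept the server chain if any TLSA record matches it under its usage rules.

    chain[0] is the end-entity certificate, the rest are the issuers as sent by
    the server. Usages 0 and 1 only constrain a chain that has already validated
    under the ordinary CA (PKIX) rules; usages 2 and 3 are the DANE-only cases,
    where the DNSSEC-signed record itself is the trust anchor. Usages 0 and 2
    name a CA certificate that must appear among the issuers; usages 1 and 3
    name the end-entity certificate. Signature verification of the chain up to
    a matched issuer is assumed to be done by the TLS library (not modelled).
    """
    if not chain:
        return False
    for record in records:
        if record.usage in (0, 1) and not pkix_valid:
            continue
        candidates = chain[:1] if record.usage in (1, 3) else chain[1:]
        if any(tlsa_matches(record, entry) for entry in candidates):
            return True
    return False


# Constructed sample bytes standing in for DER-encoded objects; not real certificates.
LEAF = (b"\x30\x82\x02\x10-constructed-leaf-certificate", b"\x30\x59-constructed-leaf-spki")
ISSUER = (b"\x30\x82\x03\x00-constructed-issuer-certificate", b"\x30\x59-constructed-issuer-spki")
CHAIN = [LEAF, ISSUER]

# A DANE-EE record (3 1 1) pinning the SHA-256 of the leaf's public key,
# and a PKIX-TA record (0 0 1) pinning the SHA-256 of the issuing CA certificate.
DANE_EE_RECORD = "3 1 1 " + hashlib.sha256(LEAF[1]).hexdigest()
PKIX_TA_RECORD = "0 0 1 " + hashlib.sha256(ISSUER[0]).hexdigest()


def check_example() -> dict:
    """Run the cases a validator has to get right; returns the verdicts by name."""
    ee = [parse_tlsa(DANE_EE_RECORD)]
    ta = [parse_tlsa(PKIX_TA_RECORD)]
    rotated = [(b"rotated-leaf-cert", b"rotated-leaf-spki"), ISSUER]  # key rotated, record not updated
    return {
        "dane_ee_without_pkix": dane_accepts(ee, CHAIN, pkix_valid=False),   # True: DNSSEC is the anchor
        "pkix_ta_without_pkix": dane_accepts(ta, CHAIN, pkix_valid=False),   # False: usage 0 needs a valid CA chain
        "pkix_ta_with_pkix": dane_accepts(ta, CHAIN, pkix_valid=True),       # True
        "dane_ee_after_key_rotation": dane_accepts(ee, rotated, pkix_valid=False),  # False: stale record
    }


if __name__ == "__main__":
    for name, verdict in check_example().items():
        print(f"{name}: {'accept' if verdict else 'reject'}")
```

The last case is the operational failure mode to watch for: a DANE-EE record pins a specific key, so a certificate renewal that rotates the key without a corresponding TLSA update makes every validating client reject the site, which is why deployments publish the new record (and keep the old one) ahead of the rotation.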

DANE has several extensions that work with DNS records other than TLSA. The first is the SSHFP DNS record for checking keys on SSH connections; it is described in RFC4255, RFC6594 and RFC7479. The second is the OPENPGPKEY record for PGP key exchange (RFC7929). Finally, the third is the SMIMEA record (the standard has not been formalized in an RFC; only a draft exists) for cryptographic key exchange over S/MIME.

What is the problem with DANE

In mid-May the DNS-OARC conference was held (DNS-OARC is a non-profit organization that deals with the security, stability and development of the domain name system). On one of the panels, experts came to the conclusion that DANE has failed in browsers (at least in its current implementation). Conference attendee Geoff Huston, Principal Scientist at APNIC, one of the five regional Internet registries, described DANE as a "dead technology".

Popular browsers do not support certificate authentication with DANE. There are plugins on the market that add support for TLSA records, but their maintenance is gradually being dropped as well.

The problems with DANE adoption in browsers are linked to the length of the DNSSEC validation process. When it first connects to a resource, the client has to perform cryptographic computations to verify the authenticity of the SSL certificate and walk the entire chain of DNS servers, from the root zone to the host's domain.

[Photo: Unsplash / Kaley Dykstra]

Mozilla tried to eliminate this shortcoming with the DNSSEC Chain Extension for TLS mechanism. It was meant to reduce the number of DNS records the client has to look up during authentication. However, disagreements arose within the development team that could not be resolved. As a result, the project was abandoned, even though it had been approved by the IETF in March 2018.

Another reason for DANE's low popularity is the low prevalence of DNSSEC in the world: only 19% of resources use it. The experts felt that this was not enough for active promotion of DANE.

Most likely, the industry will develop in a different direction. Instead of using DNS to verify SSL/TLS certificates, market players will instead promote the DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) protocols (we mentioned the latter in one of our previous articles on Habr). They encrypt and verify user queries to the DNS server, preventing attackers from spoofing the data. At the beginning of the year, Google already added DoT to its Public DNS. As for DANE, whether the technology can "get back in the saddle" and still become mainstream remains to be seen.

What else do we have for further reading:

How to automate IT infrastructure management: discussing three trends
JMAP is an open protocol that will replace IMAP for exchanging emails
How to save money with the API
DevOps in a cloud service using the example of 1cloud.ru
The evolution of the 1cloud cloud architecture
How 1cloud technical support works
Cloud Myths

Source: habr.com
