What is DANE and Why Is It Critical for Security?
DANE (DNS-based Authentication of Named Entities) involves a set of protocols that allow domain administrators to bind X.509 certificates to their domain names using DNSSEC. This creates a cryptographically secure link between your domain and your SSL/TLS certificate, preventing attackers from using fraudulent certificates issued by compromised Certificate Authorities (CAs).
For email administrators, checking DANE records is even more vital. It prevents SMTP downgrade attacks and ensures that emails are delivered over encrypted channels, adhering to modern standards mapped out in RFC 6698.
01How DANE Works
DANE relies on a specific DNS record type called TLSA (RRType 52). This record stores the "fingerprint" or the full content of your certificate (or your CA's certificate). When a client (like a browser or mail server) connects to you, it queries this record via DNSSEC to verify the server's identity before exchanging sensitive data.
02The Risk of Ignoring It
Without DANE, your connection relies entirely on the global Public Key Infrastructure (PKI). If any of the hundreds of trusted CAs are compromised, they could issue a fake certificate for your site. DANE removes this vulnerability by telling the client exactly which certificate to trust.
How to Use the Advanced DANE Record Checker
Validating your TLSA records manually can be complex due to the hexadecimal formatting and specific field requirements. Our tool simplifies this process:
- 1Enter Domain NameInput the hostname you want to check (e.g.,
example.comormail.example.com). - 2Select Port & ProtocolDefault for HTTPS is 443/TCP. For SMTP, use 25/TCP. The tool constructs the query as
_port._protocol.domain. - 3Analyze ResultsReview the raw TLSA data, decoded fields, and verification status.
Understanding TLSA Record Fields
A TLSA record is composed of three numeric usage fields followed by the certificate association data. Understanding these is key to troubleshooting DANE compliance.
Usage (0-3)
- 0 (PKIX-TA): CA PIN. Use a specific CA for this domain.
- 1 (PKIX-EE): Service Certificate PIN. Specific end-entity cert.
- 2 (DANE-TA): Trust Anchor. Assert a private CA specific to this domain.
- 3 (DANE-EE): Domain Issued. Self-signed or private cert, no public CA needed.
Selector (0-1)
- 0 (Full Certificate): Matches the entire certificate blob.
- 1 (SPKI): Matches only the Subject Public Key Info (recommended for rotation).
Matching Type (0-2)
- 0 (Full Content): Exact binary match (large DNS record).
- 1 (SHA-256): Hash of the selected data.
- 2 (SHA-512): Stronger hash of the selected data.
Secure Your Infrastructure Today
Don't leave your user's security to chance. Verify your DANE records relative to your SSL/TLS configuration and ensure end-to-end encryption integrity.
Check SSL Handshake