The Bundesamt für Sicherheit in der Informationstechnik (BSI, the Federal Office for Information Security) of Germany has issued a technical directive and guidelines for secure email transport which include the use of DANE and DNSSEC. DANE is the DNS-based Authentication of Named Entities.
The DANE protocol is proposed in RFC 6698 and is a method that allows TLS X.509 certificates to be bound to DNS names, relying on DNSSEC to protect that binding. It enables TLS clients and servers to authenticate without a Certificate Authority (CA). The motivation is that there have been cases of CAs suffering security breaches and issuing rogue certificates. Using DANE, system administrators can certify the keys used by the TLS clients and servers in their domains by publishing them in DNS in a new record type, TLSA. DANE requires these DNS records to be signed with DNSSEC in order to work.
Secondly, DANE allows a domain owner to specify which CA is allowed to issue its certificates, which resolves the problem that any CA can issue certificates for any domain.
DANE is not yet globally accepted or fully approved by the IETF. In particular, Google (and its Chrome browser) does not support it, as DNSSEC widely uses 1024-bit RSA, which Google has deprecated and wishes to eliminate.
The advantage for email transfer is that DANE can authenticate the certificate of the SMTP server that the user's email client communicates with and, importantly, can also authenticate the TLS (Transport Layer Security) connections between SMTP servers.
Without DANE, TLS for SMTP is susceptible to an attack in which the offer of TLS is stripped from the SMTP dialogue, forcing the connection down to unencrypted SMTP. TLS connections between mail servers are also often unauthenticated, because self-signed and mismatched certificates are common.
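The two mechanisms described above, the TLSA record that binds a server certificate to its DNS name and the way a DNSSEC-signed TLSA record stops a TLS-stripping downgrade, can be made concrete in code. The following is an added example, not code from the article, the BSI or any MTA: it models the TLSA parameters of RFC 6698 (certificate usage, selector, matching type) and the delivery decision an SMTP client makes under RFC 7672 when it has looked up TLSA records for the receiving mail server. The DNS lookup and the TLS handshake themselves are assumed to have already happened, and their results are passed in; the certificates and the Ed25519-shaped public key are constructed placeholders, not real ones.

```python
"""Added example: TLSA generation/matching (RFC 6698) and the DANE delivery decision (RFC 7672)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional

# TLSA parameter values. Usages 0 and 1 depend on a public CA and are unusable for SMTP (RFC 7672).
DANE_TA, DANE_EE = 2, 3                              # certificate usage: trust anchor / end entity
SEL_CERT, SEL_SPKI = 0, 1                            # selector: full certificate / SubjectPublicKeyInfo
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2     # matching type


@dataclass(frozen=True)
class Cert:
    """A presented certificate: its full DER and its SubjectPublicKeyInfo DER."""
    der: bytes
    spki: bytes


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    association: bytes  # "certificate association data"

    @classmethod
    def from_wire(cls, rdata: bytes) -> "TLSA":
        """Parse TLSA RDATA: three one-octet parameters followed by the association data."""
        if len(rdata) < 4:
            raise ValueError("TLSA RDATA too short")
        usage, selector, mtype = struct.unpack("!BBB", rdata[:3])
        return cls(usage, selector, mtype, rdata[3:])

    def to_wire(self) -> bytes:
        return struct.pack("!BBB", self.usage, self.selector, self.matching_type) + self.association

    def to_presentation(self) -> str:
        """Zone-file form, e.g. '3 1 1 <hex digest>'."""
        return f"{self.usage} {self.selector} {self.matching_type} {self.association.hex()}"

    @property
    def usable(self) -> bool:
        """Records with unknown parameters or PKIX usages are ignored, not treated as errors."""
        return (self.usage in (DANE_TA, DANE_EE)
                and self.selector in (SEL_CERT, SEL_SPKI)
                and self.matching_type in (MATCH_FULL, MATCH_SHA256, MATCH_SHA512))


def association_data(cert: Cert, selector: int, matching_type: int) -> bytes:
    """Bytes a TLSA record carries for `cert` under the given selector and matching type."""
    data = cert.der if selector == SEL_CERT else cert.spki
    if matching_type == MATCH_FULL:
        return data
    return hashlib.sha256(data).digest() if matching_type == MATCH_SHA256 else hashlib.sha512(data).digest()


def publish(cert: Cert, usage: int = DANE_EE, selector: int = SEL_SPKI, matching_type: int = MATCH_SHA256) -> TLSA:
    """The record a domain owner publishes at _25._tcp.<mx host>; '3 1 1' is the usual choice."""
    return TLSA(usage, selector, matching_type, association_data(cert, selector, matching_type))


def matches(record: TLSA, chain: List[Cert]) -> bool:
    """chain[0] is the end-entity certificate the server presented, followed by its issuers.

    DANE-EE must match the end-entity certificate itself. DANE-TA may match any certificate
    in the chain, which then acts as trust anchor; the path validation up to that anchor is
    left to the TLS library and not modelled here.
    """
    if not record.usable:
        return False
    candidates = chain[:1] if record.usage == DANE_EE else chain
    return any(hmac.compare_digest(association_data(c, record.selector, record.matching_type), record.association)
               for c in candidates)


# Outcome of the DNSSEC-validating TLSA lookup, as a validating resolver reports it.
SECURE, SECURE_NODATA, INSECURE, BOGUS = "secure", "secure-nodata", "insecure", "bogus"


def delivery_decision(lookup: str, records: List[TLSA], starttls_offered: bool, chain: Optional[List[Cert]]) -> str:
    """RFC 7672 policy: returns 'defer', 'cleartext', 'tls-unauthenticated' or 'tls-dane'."""
    if lookup == BOGUS:
        return "defer"                       # failed validation is never a reason to downgrade
    if lookup in (INSECURE, SECURE_NODATA):  # no DANE for this server: opportunistic TLS
        return "tls-unauthenticated" if starttls_offered and chain else "cleartext"
    if not starttls_offered or chain is None:
        return "defer"                       # signed TLSA exists, so a missing TLS offer means stripping or a fault
    usable = [r for r in records if r.usable]
    if not usable:
        return "tls-unauthenticated"         # TLS is still mandatory, but there is nothing to authenticate against
    return "tls-dane" if any(matches(r, chain) for r in usable) else "defer"


# Constructed sample data (not a real key or certificate). The SPKI is Ed25519-shaped DER so the
# SPKI selector has a structurally valid input: SEQUENCE { AlgorithmIdentifier { id-Ed25519 }, BIT STRING }.
_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
EE_CERT = Cert(der=b"constructed end-entity certificate DER", spki=_SPKI_PREFIX + bytes(range(32)))
ISSUER_CERT = Cert(der=b"constructed issuer certificate DER", spki=_SPKI_PREFIX + bytes(range(32, 64)))
ROGUE_CERT = Cert(der=b"constructed certificate from a rogue CA", spki=_SPKI_PREFIX + bytes(range(64, 96)))
CHAIN = [EE_CERT, ISSUER_CERT]

if __name__ == "__main__":
    rec = publish(EE_CERT)
    print("_25._tcp.mx.example.com. IN TLSA", rec.to_presentation())
    print("legitimate chain:", delivery_decision(SECURE, [rec], True, CHAIN))
    print("rogue CA chain:  ", delivery_decision(SECURE, [rec], True, [ROGUE_CERT, ISSUER_CERT]))
    print("TLS offer stripped:", delivery_decision(SECURE, [rec], False, None))
```

The three printed cases are the points the article makes: a certificate from a rogue CA does not match the published record and delivery is deferred rather than trusted, and once a signed TLSA record exists an SMTP dialogue with no TLS offer is deferred instead of falling back to cleartext. Only when the zone is unsigned, or DNSSEC proves there is no TLSA record, does the client return to opportunistic behaviour.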
Many of the early adopters of DANE are based in Germany, and the German government is now taking the lead, looking in the first instance to the major ISPs to implement it too. The issue is that developers have to add the functionality to their SMTP servers (this looks like a GroupWise enhancement idea!). Open source MTAs such as Postfix and Exim already support the protocol.
This article was first published in OHM, Issue 33, 2016/2, p30