Rob's web

DANE

DNS-based Authentication of Named Entities (DANE) is an Internet security protocol to allow X.509 digital certificates, commonly used for Transport Layer Security (TLS), to be bound to domain names using Domain Name System Security Extensions (DNSSEC).

It is proposed in RFC 6698 as a way to authenticate TLS client and server entities without a certificate authority (CA). It is updated with operational and deployment guidance in RFC 7671. Application-specific usage of DANE is defined in RFC 7672 for SMTP and in RFC 7673 for using DANE with Service (SRV) records.

DNSSEC

DNSSEC must be enabled for your domain before DANE can work, because the TLSA record is only trusted when it is DNSSEC-signed. You can check it at dnssec-analyzer.

Signing the zone is done by the party that hosts your DNS, so this must be set up by your hosting provider.

Creating TLSA settings

The easy way is to use a TLSA generator.

Choose:

Usage: DANE-EE: Domain Issued Certificate
Selector: Use full certificate
Matching Type: SHA-256 Hash
Certificate: Copy the content of /etc/pki/tls/certs/example.com.crt into the field.
Port: SMTP: 25, HTTPS: 443
Protocol: tcp
Domain: Enter your domain.

Click on generate.

When everything is OK, the generator shows a DNS record. Put it in both your private and your public DNS servers: first add it to the local DNS, and when that works add it to the public DNS.

To test your local DNS enter:

# host -t TLSA _25._tcp.mail.example.com

If the answer is NXDOMAIN, check the zone file: the owner name of the TLSA record must match the MX host (mail.example.com).

When you have placed the records in your public DNS server, go to the DANE/TLSA validator for inbound SMTP services and enter your domain (example.com).

Adding the https TLSA

If you use a wildcard certificate, you can copy the mail TLSA data to _443._tcp.www and every other subdomain covered by that certificate, because the record is a hash of the same certificate.

Renewing the TLS certificate

When you renew the TLS certificate, its hash changes, so you have to generate a new TLSA record and replace the old hexadecimal value in DNS with the new one.
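As an added example (not code from this page), here is Python that does what the TLSA generator does for the choices above, usage 3 (DANE-EE), selector 0 (full certificate) and matching type 1 (SHA-256), and that also checks whether a published TLSA record still matches a certificate, which is the check you want after a renewal. The PEM input is a constructed placeholder, not a real certificate; the host name and port are the page's own examples.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample input: these bytes are NOT a real DER certificate. The
# TLSA digest is computed over the raw DER bytes, so any bytes demonstrate the
# procedure; with a real file you would read /etc/pki/tls/certs/example.com.crt.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the FIRST certificate in a PEM file.

    A chain file may contain several certificates. DANE-EE (usage 3) binds
    the end-entity certificate, which is the first block in the usual
    leaf-then-intermediates order, so only that block is used.
    """
    m = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    body = "".join(m.group(1).split())  # drop the line breaks
    return base64.b64decode(body, validate=True)


def tlsa_rdata(der: bytes, usage: int = 3, selector: int = 0, mtype: int = 1) -> str:
    """Build the TLSA record data: usage, selector, matching type, digest.

    Defaults follow the page's generator choices: 3 = DANE-EE,
    0 = full certificate, 1 = SHA-256. Selector 1 (SubjectPublicKeyInfo)
    would need DER parsing and is deliberately not handled here.
    """
    if selector != 0:
        raise NotImplementedError("only selector 0 (full certificate) is handled")
    if mtype == 1:
        digest = hashlib.sha256(der).hexdigest()
    elif mtype == 2:
        digest = hashlib.sha512(der).hexdigest()
    else:
        raise ValueError(f"unsupported matching type {mtype}")
    return f"{usage} {selector} {mtype} {digest}"


def tlsa_record(host: str, port: int, der: bytes, proto: str = "tcp") -> str:
    """Full zone-file line, e.g. for the MX host on port 25."""
    return f"_{port}._{proto}.{host}. IN TLSA {tlsa_rdata(der)}"


def tlsa_matches(rdata: str, der: bytes) -> bool:
    """Does a published TLSA rdata string still match this certificate?

    Use this after a renewal: a False result means the record in DNS still
    carries the hash of the old certificate and must be replaced.
    """
    parts = rdata.split(None, 3)
    if len(parts) != 4:
        return False
    try:
        usage, selector, mtype = (int(p) for p in parts[:3])
        expected = tlsa_rdata(der, usage, selector, mtype).split()[3]
    except (ValueError, NotImplementedError):
        return False
    published = "".join(parts[3].split()).lower()  # tolerate spaces and upper case
    return hmac.compare_digest(published, expected)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    record = tlsa_record("mail.example.com", 25, der)
    print(record)
    # Simulate a renewal: a different certificate no longer matches the old record.
    renewed_der = der + b" (renewed)"
    print("old record still valid for renewed cert:", tlsa_matches(record.split("TLSA ", 1)[1], renewed_der))
```

Run the check against the rdata returned by host -t TLSA before and after you swap the certificate on the server; RFC 7671 recommends publishing the new record before the new certificate goes live, so the check should pass for both the old and the new certificate during the changeover.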