DNS-based Authentication of Named Entities (DANE) is an Internet security protocol to allow X.509 digital certificates, commonly used for Transport Layer Security (TLS), to be bound to domain names using Domain Name System Security Extensions (DNSSEC).
It is proposed in RFC 6698 as a way to authenticate TLS client and server entities without a certificate authority (CA). It is updated with operational and deployment guidance in RFC 7671. Application specific usage of DANE is defined in RFC 7672 for SMTP and RFC 7673 for using DANE with Service (SRV) records.
DNSSEC must be available for your domain. You can check it at dnssec-analyzer.
This must be set by your hosting provider.
The easy way is to use an TLSA-generator.
Choose:
| Usage | DANE-EE: Domain Issued Certificate |
|---|---|
| Selector | Use full certificate |
| Matching Type | SHA-256 Hash |
| Certificate | Copy the content of /etc/pki/tls/certs/example.com.crt in the field. |
| Port | SMTP: 25 HTTPS: 443 |
| Protocol | tcp |
| Domain | Enter your domain. |
Click on generate.
When every thing is ok there will be a DNS entry. Use this to put in your public and private DNS servers. First add it to the local DNS and when it works add it to the public DNS.
To test your local DNS enter:
# host -t TLSA _25._tcp.mail.example.com
When NXDOMAIN check the zone file for MX mail.example.com.
When you have placed the records in your public DNS server go to DANE/TLSA validator for inbound SMTP services. Enter your <example.com>.
If you use a wildcard certificate you can copy the mail settings to _443._tcp.www and every other subdomain.
When you renew the tls-certificates you have to make a new TLSA DNS setting. Then you have to replace the hexadecimal code with the new one.