DANE
DNS-Based Authentication of Named Entities - Certificate validation
What is DANE?
DANE (RFC 6698) lets you bind a TLS certificate, its public key, or the CA that issued it to a service name through TLSA records in DNS. Because the records are DNSSEC-signed, a client can validate the server's certificate against DNS instead of, or in addition to, the traditional Certificate Authority (CA) system.
Why is it important?
DANE protects against mis-issuance by a compromised or rogue Certificate Authority and against certificate-based man-in-the-middle attacks by letting the domain owner state in DNS exactly which certificate, key, or CA is valid for each service. For SMTP (RFC 7672) the mere presence of a TLSA record also tells a sending server that TLS is mandatory, which defeats STARTTLS-stripping downgrades.
Impact
Without DANE, your domain relies entirely on the CA system, and for mail on the sender being willing to deliver over unauthenticated or opportunistic TLS. DANE adds a DNSSEC-backed check on top of that. In practice its main deployment is mail: MTAs such as Postfix and Exim validate DANE for SMTP, whereas mainstream browsers do not validate TLSA records for HTTPS, so records for web services only help clients that explicitly support DANE.
Current Configuration
- Domain: example.com
- DANE Status: Not Configured
- TLSA Records: None Found
- DNSSEC Required: Not Enabled
- Last Checked: December 3, 2025 - 11:30 AM
Prerequisites for DANE
Before configuring DANE, you must have:
- DNSSEC Enabled: Required (Not Yet Enabled)
- Valid SSL/TLS Certificate: Available
- DNS Provider Support: Must support TLSA records
DANE will not work without DNSSEC: a validating client treats TLSA records that are not DNSSEC-signed as if they did not exist. Enable DNSSEC first before proceeding.
TLSA Record Parameters
Certificate Usage (0-3)
0: CA constraint (PKIX-TA) - the chain must include this CA and must also pass normal CA (PKIX) validation
1: Service certificate constraint (PKIX-EE) - the exact end-entity certificate, which must also pass normal CA validation
2: Trust anchor assertion (DANE-TA) - the chain must lead to this CA; the CA does not need to be publicly trusted
3: Domain-issued certificate (DANE-EE) - the exact end-entity certificate or key, with no CA involvement at all - Most common
Usages 0 and 1 only add a constraint on top of the CA system; RFC 7672 builds SMTP DANE on usages 2 and 3.
Selector (0-1)
0: Full certificate (Cert)
1: SubjectPublicKeyInfo (SPKI) - Recommended for easier cert renewal, provided the key pair is reused
Matching Type (0-2)
0: Exact match (Full) - the complete certificate or SPKI in the record, no hash
1: SHA-256 hash - Most common
2: SHA-512 hash
Recommended TLSA Record Configurations
Most common and secure DANE configurations:
3 1 1 - Domain-issued + SPKI + SHA-256 (Recommended):
Best for most use cases. Renewal needs no DNS change as long as the new certificate is issued for the same key pair; if your ACME client generates a fresh key on every renewal (certbot does unless run with --reuse-key), the record has to be rotated just like a 3 0 1. With usage 3 the client skips the CA chain entirely, and RFC 7671 also relaxes the name and expiry checks, so the TLSA record carries the whole binding.
_25._tcp.mail.example.com. IN TLSA 3 1 1 [SHA-256 hash of SPKI]
3 0 1 - Domain-issued + Full Cert + SHA-256:
Pins the specific certificate. Requires a DNS update on every renewal, since any change to the certificate (new serial, new validity dates) changes the hash.
_443._tcp.example.com. IN TLSA 3 0 1 [SHA-256 hash of certificate]
2 1 1 - Trust Anchor + SPKI + SHA-256:
Pins the public key of the issuing CA (typically your own private CA or one specific intermediate), so leaf certificates can be re-issued freely. The client must build a valid chain to that anchor, so the anchor certificate has to be included in the chain your server sends (RFC 7671), and the leaf's name and expiry are checked as in normal PKIX.
_443._tcp.www.example.com. IN TLSA 2 1 1 [SHA-256 hash of CA SPKI]
How to Configure DANE
- CRITICAL: Enable DNSSEC for your domain first. DANE will not work without DNSSEC.
- Obtain your certificate's public key or full certificate fingerprint:
# Get SHA-256 hash of certificate's SPKI (recommended, for a 3 1 1 record)
openssl x509 -in certificate.crt -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | xxd -p -u -c 32
- Create the TLSA record name using the format _port._protocol.hostname, where hostname is the name clients actually connect to (for SMTP, the MX target host):
- For HTTPS (port 443): _443._tcp.example.com
- For SMTP (port 25): _25._tcp.mail.example.com
- For Submission (port 587): _587._tcp.mail.example.com
- Add the TLSA record to your DNS zone (the hex string is the hash from the previous step):
_443._tcp.example.com. IN TLSA 3 1 1 ABC123...DEF456
- For mail servers, create TLSA records for all mail ports (25, 587, 465 if used).
- Wait for the record to become visible (typically 1-24 hours, bounded by your zone's TTLs; a cached negative answer for the TLSA name also has to expire).
- Verify TLSA records from the command line; query a validating resolver and check that the answer carries the AD (authenticated data) flag, otherwise DANE clients will ignore the record:
# Linux/Mac
dig _443._tcp.example.com TLSA
# Or use online DANE validators
- Test DANE validation using online tools like dane.sys4.de or ssl-tools.net
Service-Specific TLSA Records
HTTPS Website (Port 443):
_443._tcp.www.example.com. IN TLSA 3 1 1 [hash]
SMTP Mail Server (Port 25), published under the MX target hostname:
_25._tcp.mail.example.com. IN TLSA 3 1 1 [hash]
Mail Submission (Port 587):
_587._tcp.mail.example.com. IN TLSA 3 1 1 [hash]
IMAPS (Port 993):
_993._tcp.mail.example.com. IN TLSA 3 1 1 [hash]
DANE Best Practices
- Use 3 1 1: Easiest cert renewal - pins the public key, not the cert, so renewals are transparent as long as the key pair is reused (check your ACME client's key-reuse setting).
- Multiple TLSA Records: Publish both the current and the next cert/key before switching, wait at least one TTL, then remove the old record (the "current + next" rollover described in RFC 7671).
- DNSSEC Monitoring: DANE breaks if DNSSEC fails - monitor signature expiry and key rollovers closely.
- All Services: Configure DANE for all TLS-enabled services.
- Testing: Test with DANE validators before going live.
- Documentation: Document which certs or keys are pinned where, and tie TLSA updates into the certificate renewal process.
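The configuration procedure above (fingerprint, owner name, record text, verification) and the "current + next" renewal practice, worked through in code. This is an added example written for this page, stdlib-only Python, not the page's own tooling or any project's code. Because no real certificate is on the page, it constructs a synthetic, unsigned X.509 structure (SAMPLE_CERT_DER) so it runs offline; the function and constant names (extract_spki, tlsa_record, dane_match, rollover_records, SAMPLE_SPKI) are this example's own. For a real certificate, load the DER bytes instead, e.g. with ssl.PEM_cert_to_DER_cert() on the PEM text.

```python
"""TLSA record builder/checker (RFC 6698), stdlib only. Added example:
SAMPLE_CERT_DER is a synthetic, unsigned X.509 structure, not a real cert."""
import hashlib
import hmac

def _der(tag, body):
    """Encode one DER TLV (short or long-form length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _seq(*parts):
    return _der(0x30, b"".join(parts))

def _tlv(buf, pos):
    """Return (tag, header_len, body_len) of the TLV starting at buf[pos]."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, hdr, length

def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo: Certificate -> tbsCertificate -> [0] version
    (optional), serial, signature, issuer, validity, subject, SPKI."""
    _, hdr, _ = _tlv(cert_der, 0)             # Certificate SEQUENCE
    pos = hdr
    _, hdr, _ = _tlv(cert_der, pos)           # tbsCertificate SEQUENCE
    pos += hdr
    if cert_der[pos] == 0xA0:                 # explicit [0] version
        _, hdr, ln = _tlv(cert_der, pos)
        pos += hdr + ln
    for _ in range(5):                        # serial .. subject
        _, hdr, ln = _tlv(cert_der, pos)
        pos += hdr + ln
    tag, hdr, ln = _tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert_der[pos:pos + hdr + ln]

def tlsa_assoc_data(cert_der, selector, mtype):
    """Selector 0=Cert, 1=SPKI; matching type 0=Full, 1=SHA-256, 2=SHA-512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")

def tlsa_owner(host, port, proto="tcp"):
    return f"_{port}._{proto}.{host}."

def tlsa_record(host, port, cert_der, usage=3, selector=1, mtype=1):
    """Presentation-format TLSA RR; the defaults give the recommended 3 1 1."""
    data = tlsa_assoc_data(cert_der, selector, mtype).hex().upper()
    return f"{tlsa_owner(host, port)} IN TLSA {usage} {selector} {mtype} {data}"

def parse_tlsa_rdata(rdata):
    """'3 1 1 ABCD...' -> (3, 1, 1, b'\\xab\\xcd...')."""
    usage, selector, mtype, hexdata = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata)

def dane_match(chain_der, records):
    """First TLSA record the presented chain (EE cert first) satisfies, else None.
    Usage 3 (DANE-EE) is fully checked. Usage 2 (DANE-TA) only checks that a
    matching trust anchor is in the chain; the PKIX path build to that anchor
    still needs an X.509 library. Usages 0/1 need full PKIX and are skipped."""
    for usage, selector, mtype, data in records:
        for cert in {3: chain_der[:1], 2: chain_der[1:]}.get(usage, []):
            if hmac.compare_digest(tlsa_assoc_data(cert, selector, mtype), data):
                return (usage, selector, mtype, data)
    return None

def rollover_records(host, port, current_der, next_der, selector=1, mtype=1):
    """Renewal: publish both, wait out the TTL, swap the cert, then drop the old."""
    return [tlsa_record(host, port, c, 3, selector, mtype) for c in (current_der, next_der)]

# Constructed sample certificate: synthetic and unsigned, for offline runs only.
_RSA_OID = _der(0x06, bytes.fromhex("2A864886F70D010101"))
_SIGALG = _seq(_der(0x06, bytes.fromhex("2A864886F70D01010B")), b"\x05\x00")
_NAME = _seq(_der(0x31, _seq(_der(0x06, b"\x55\x04\x03"), _der(0x0C, b"mail.example.com"))))
_VALIDITY = _seq(_der(0x17, b"250101000000Z"), _der(0x17, b"260101000000Z"))
SAMPLE_SPKI = _seq(_seq(_RSA_OID, b"\x05\x00"), _der(0x03, b"\x00" + _seq(
    _der(0x02, b"\x00\xC0\xFF\xEE"), _der(0x02, b"\x01\x00\x01"))))
_TBS = _seq(_der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), _SIGALG,
            _NAME, _VALIDITY, _NAME, SAMPLE_SPKI)
SAMPLE_CERT_DER = _seq(_TBS, _SIGALG, _der(0x03, b"\x00" * 17))

if __name__ == "__main__":
    for usage, sel, mt in ((3, 1, 1), (3, 0, 1)):
        print(tlsa_record("mail.example.com", 25, SAMPLE_CERT_DER, usage, sel, mt))
```

The walker is deliberately minimal: it trusts the DER tag/length framing and skips the five tbsCertificate fields before the SPKI, which is all that is needed to compute selector 1 data; hashing the whole DER (selector 0) needs no parsing at all. dane_match compares association data with a constant-time comparison and refuses to claim a DANE-TA or PKIX match it cannot actually verify, which is the honest boundary for a tool that has no PKIX path builder.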
Common DANE Issues
- DNSSEC Not Enabled: DANE requires DNSSEC - validating clients treat unsigned TLSA records as absent.
- Wrong Hash: Hash doesn't match the certificate or public key (often the hash was taken over the PEM text instead of DER, or over the whole certificate when the record says SPKI).
- Outdated TLSA Records: Certificate (or key) renewed but TLSA not updated.
- Wrong Port/Protocol: TLSA record has an incorrect _port._tcp prefix, or is published under the domain name instead of the MX hostname.
- Broken DNSSEC Chain: DNSSEC validation fails; validating SMTP senders treat a bogus TLSA lookup as a lookup failure and defer delivery rather than fall back, so a DNSSEC outage becomes a mail outage.