christoph ender's

blog

sunday the 21st of april, 2024

dane and tlsa basics

DANE – DNS-based Authentication of Named Entities – stores hash digests of certificates in TLSA DNS resource records. In combination with DNSSEC it is possible to verify certificates without any CA using DNS alone, thereby eliminating man-in-the-middle and downgrade attacks.

the tlsa record

The TLSA record has it's own DNS record type TLSA and might, for example, look like this: 

_25._tcp.myhost.example.org. TLSA 3 0 1 685643e3ded18a4d

In this example, the first two name elements _25._tcp denote that the record describes connections to TCP port 25 of the following name, myhost.example.org. The value is assembled from the following four elements: Three integer values denoting certificate usage, selector and matching type followed by certificate data.

usage

The “usage” value describes what kind of certificate the TLSA data should match with:

  1. “PKIX-TA”: A CA certificate matching the TLSA record must be included as part of a certification path.
  2. “PKIX-EE”: The “end entity” certificate must match the TLSA record, and it also has to be have been validated by a trusted CA.
  3. “DANE-TA”: The TLSA record describes a trust anchor in the certificate's certification path.
  4. “DANE-EE”: The TLSA record describes the “end-entity” certificate.

For usage with SMTP, the usage must be either DANE-TA/2 or DANE-EE/3.

selector

  1. “Full certificate”: The data field will be a match digest of the entire certificate.
  2. “Subject public key”: Only the public key of the certificate is matched.

This is relevant when a certificate is renewed: In case the entire certificate is used for the hash digest, the TLSA has to be updated every time the certificate is renewed, even if the key isn't changing. If only the public key is hashed, the record doesn't require updating when a certificate is renewed, as long as the key doesn't change.

matching type

  1. Exact match: The entire certificate has to be stored. Not recommended, since the size of an x.509 certificate might easily exceed the valid DNS record size.
  2. SHA2-256 hash digest: Most commonly used.
  3. SHA2-512 hash digest.

certificate data

Following up on the three data descriptors is the associated certificate data itself. Here's an example how to create a hash digest for an entire certificate using sha2-256: 

openssl x509 \
 -in cert.pem -outform DER \
 | openssl sha256