X.509+DNSSEC+DANE+CAA

From The Hive
Revision as of 20:30, 11 February 2020 by Justina (Justina moved page X.509+DNSSEC+CAA to X.509+DNSSEC+DANE+CAA: DANE)

X.509 for SSL and TLS

X.509 certificates are the "certificates" that identify a website for "https" secure browsing.

Other tools exist to strengthen security and proof of domain ownership beyond the "commercial certs" offered by common vendors.

Domain Name System Security Extensions

https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions

DNS-based Authentication of Named Entities

A system called DANE was proposed in RFC 6698 "as a way to authenticate TLS client and server entities without a certificate authority (CA)," but it has never been very widely deployed.

The use of a CA or "commercial" certificate does not exclude the use of DANE, of course. If you enable DNSSEC on your domain, there should be no reason that you cannot authorize your current "commercial" X.509 certificate via DANE, as well, independently of any commercial certification.
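As an added example (not part of the original page), the sketch below derives the DANE record data for an existing certificate and checks that a published record still matches after renewal. The TLSA parameters (usage 3, selector 1, matching type 1) come from RFC 6698; the sample certificates are constructed stand-ins with real DER framing but dummy field contents, and `sample_cert` and `_enc` are hypothetical helpers.

```python
import hashlib

def _tlv(der, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, length, start = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(der[start:start + n], "big")
        start += n
    if start + length > len(der):
        raise ValueError("truncated DER")
    return tag, start, start + length

def spki_der(cert):
    """Return the DER subjectPublicKeyInfo of a DER-encoded X.509 certificate."""
    _, pos, _ = _tlv(cert, 0)              # outer Certificate SEQUENCE
    _, pos, tbs_end = _tlv(cert, pos)      # tbsCertificate SEQUENCE
    tag, _, end = _tlv(cert, pos)
    if tag == 0xA0:                        # optional explicit [0] version field
        pos = end
    for _i in range(5):                    # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(cert, pos)
    tag, _, end = _tlv(cert, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("subjectPublicKeyInfo not found")
    return cert[pos:end]

def tlsa_rdata(cert, usage=3, selector=1, mtype=1):
    """TLSA RDATA text; the default 3 1 1 is DANE-EE, public key only, SHA-256."""
    data = spki_der(cert) if selector == 1 else cert
    digest = {0: data.hex(), 1: hashlib.sha256(data).hexdigest(),
              2: hashlib.sha512(data).hexdigest()}[mtype]
    return f"{usage} {selector} {mtype} {digest}"

def tlsa_matches(rdata, cert):
    """True if a published TLSA record still matches the certificate being served."""
    usage, selector, mtype, *hexparts = rdata.split()
    expected = tlsa_rdata(cert, int(usage), int(selector), int(mtype)).split()[3]
    return expected == "".join(hexparts).lower()

def _enc(tag, body):                       # DER encoder used only to build the sample
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(size)]) + size) + body

def sample_cert(key, serial):
    """Constructed stand-in certificate: valid DER layout, dummy contents."""
    spki = _enc(0x30, _enc(0x30, b"\x06\x01\x2a") + _enc(0x03, b"\x00" + key))
    tbs = (_enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, serial)
           + _enc(0x30, b"") * 4 + spki)
    return _enc(0x30, _enc(0x30, tbs) + _enc(0x30, b"") + _enc(0x03, b"\x00"))
```

The resulting data is published as a TLSA record at `_443._tcp.<hostname>` in the DNSSEC-signed zone; a real PEM certificate can be converted to DER with `ssl.PEM_cert_to_DER_cert` first. A selector 1 record keeps matching across renewals that reuse the key, while a selector 0 record must be republished with every new certificate.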

Certification Authority Authorization

Somewhat as an alternative or adjunct to DANE, a much simpler system known as CAA was developed, with the advantage that CAA does not require DNSSEC as an absolute dependency for deployment.

https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization