From The Hive
Revision as of 20:32, 11 February 2020 by Justina (talk | contribs) (→‎DNS-based Authentication of Named Entities: main heading)

X.509 for SSL and TLS

X.509 certificates are the "certificates" that identify a website for "https" secure browsing.

Other tools exist to strengthen security and domain ownership beyond the "commercial certs" offered by common vendors.

Domain Name System Security Extensions


DNS-based Authentication of Named Entities

A system called DANE was proposed in RFC 6698 "as a way to authenticate TLS client and server entities without a certificate authority (CA)," but it has never been very widely deployed.

The use of a CA or "commercial" certificate does not exclude the use of DANE, of course. If you enable DNSSEC on your domain, there is no reason why you cannot authorize your current "commercial" X.509 certificate via DANE, as well, independently of any commercial certification.
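As an added illustration (not part of the original page), the Python sketch below derives the TLSA record data that would authorize an existing certificate via DANE and checks a published record against a certificate. The `3 1 1` defaults (end-entity, public key, SHA-256), the helper names, the `www.example.com` owner name and the certificate-shaped sample bytes are assumptions constructed for the example.

```python
import hashlib

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def spki_from_cert(cert_der):
    """Slice SubjectPublicKeyInfo (header included) out of a DER certificate."""
    _, off, _ = read_tlv(cert_der, 0)      # Certificate: step into it
    _, off, _ = read_tlv(cert_der, off)    # tbsCertificate: step into it
    tag, _, nxt = read_tlv(cert_der, off)
    if tag == 0xA0:                        # optional [0] version field
        off = nxt
    for _field in range(5):                # serial, sigAlg, issuer, validity, subject
        _, _, off = read_tlv(cert_der, off)
    _, _, end = read_tlv(cert_der, off)
    return cert_der[off:end]

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """TLSA RDATA text per RFC 6698: usage, selector, matching type, data."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    assoc = {0: data.hex(), 1: hashlib.sha256(data).hexdigest(),
             2: hashlib.sha512(data).hexdigest()}[mtype]
    return f"{usage} {selector} {mtype} {assoc}"

def matches(cert_der, rdata):
    """True if a published TLSA record matches the certificate being served."""
    usage, selector, mtype, assoc = rdata.split(None, 3)
    want = tlsa_rdata(cert_der, int(usage), int(selector), int(mtype))
    return want.split()[3] == assoc.replace(" ", "").lower()

# --- constructed sample data: certificate-shaped DER, not a real certificate ---
def der(tag, body):
    """Encode one DER element (short-form length; the sample is tiny)."""
    return bytes([tag, len(body)]) + body

def sample_cert(serial, key):
    spki = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + der(0x30, b"") * 4 + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

if __name__ == "__main__":
    current = sample_cert(1, b"K" * 32)
    print("_443._tcp.www.example.com. IN TLSA", tlsa_rdata(current))
```

Because selector 1 hashes only the public key, the record keeps matching when the CA reissues the certificate for the same key; a selector 0 record must be republished at every renewal.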

Certification Authority Authorization

Somewhat as an alternative or adjunct to DANE, a much simpler system known as CAA was developed, with the advantage that CAA does not require DNSSEC as an absolute dependency for deployment.