DANE has 4 modes of operation indexed 0-3, with mode 3 (i.e. domain-issued certificate) allowing for self-signed certificates. Can this mode be used in a trustable manner, and if so, does that mean that traditional Certificate Authorities and their chain of trust can be made obsolete/redundant, while still relying on the chain of trust in DNSSEC?

My understanding is that it would, as long as a domain owner can prove ownership of a public key to their domain registrar/domain hosting service, in which case the domain registrar/domain hosting service will allow the domain owner to enable DANE in mode 3 by allowing the TLSA RR to be modified with, for example, a hash of the public key whose ownership the domain registrar just validated.

However, this assumes that the domain registrar/domain hosting service does authenticity/validity checks on DNS Resource Records (in this case particularly the TLSA RR) in much the same way a CA would validate ownership of a public key. Is this the case, or can a domain owner specify any data to populate their TLSA records regardless of ownership?


Solution 1:

DANE can be used with self-signed certificates, and DNSSEC provides a PKI based on another hierarchy. Currently SMTP is the most practical use case for DANE TLSA records: as email doesn't care for CA-based PKI for backwards compatibility, DANE is the solution to declare TLS encryption mandatory, and also to define which certificates to accept, whether signed by a CA or not.

However, it's better to use a valid, CA signed certificate for many reasons:

  • To be backed up by two independent PKIs.
  • For IMAP and submission. Some email clients (namely Android) only have an option to require a valid certificate for the hostname or to accept all, but not to add exceptions for self-signed certificates.
  • With Let's Encrypt it's free, so it isn't about the costs anymore.

The second paragraph contains a misunderstanding: the registrar doesn't validate any of this. You are free to publish the fingerprints in DNS, and the SMTP client (a DANE-enabled mail server) performs the validation.
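To make that point concrete (the operator publishes a fingerprint, and the DANE-aware SMTP client checks the presented certificate against it, with no registrar or CA involved), here is an added Go example that is not part of the original answer. It generates a self-signed certificate (constructed test material) for the hypothetical host mail.example.com, derives its usage 3 / selector 1 / matching type 1 TLSA RDATA, and performs the client-side match; DNSSEC validation of the record, which a real client must also do, is left out.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// selfSignedCert builds a throwaway self-signed certificate for name (constructed test material).
func selfSignedCert(name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// tlsaDaneEE returns the "3 1 1" RDATA for cert: usage 3 DANE-EE, selector 1 SPKI, matching type 1 SHA-256.
func tlsaDaneEE(cert *x509.Certificate) string {
	return fmt.Sprintf("3 1 1 %x", sha256.Sum256(cert.RawSubjectPublicKeyInfo))
}

// matchesDaneEE is the DANE-aware SMTP client's post-handshake check: leaf SPKI digest vs the record, no CA chain consulted.
func matchesDaneEE(rdata string, presented *x509.Certificate) bool {
	f := strings.Fields(rdata)
	if len(f) != 4 || f[0] != "3" || f[1] != "1" || f[2] != "1" {
		return false // only the DANE-EE / SPKI / SHA-256 form is handled here
	}
	return strings.EqualFold(f[3], fmt.Sprintf("%x", sha256.Sum256(presented.RawSubjectPublicKeyInfo)))
}

func main() {
	cert, err := selfSignedCert("mail.example.com")
	if err != nil {
		panic(err)
	}
	rr := tlsaDaneEE(cert)
	fmt.Printf("_25._tcp.mail.example.com. IN TLSA %s\nmatches: %v\n", rr, matchesDaneEE(rr, cert))
}
```

A certificate from a different key, or a record with any other usage/selector/matching type, is rejected by matchesDaneEE, which is exactly why the published hash, not a CA signature, is what a mode 3 record trusts.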