This week we’re highlighting some of the topics that were covered during ION Cape Town a couple of months back. This was our third ION conference of 2015, and was held in conjunction with South Africa iWeek 2015 which has been South Africa’s leading annual Internet industry conference since 2001.
Today we’re looking at DANE (DNS-based Authentication of Named Entities), which allows the X.509 certificates commonly used for TLS to be bound to DNS names using DNSSEC. The rationale for this is covered quite nicely in the presentation by Michuki Mwangi, ISOC’s Regional Development Manager for Africa: TLS typically relies on X.509 certificates for its encryption keys, and these are either issued by one of the many CAs trusted by the major operating system and browser vendors, by a CA where trust has been established through other means, or are self-signed. The fundamental problems are that CAs can in principle issue a certificate for any domain, that standards of domain verification differ amongst CAs, and that there are many CAs issuing certificates, which increases the chances of an incorrect or fraudulent certificate being issued.
DANE builds on the DNS concept of domain name holders controlling their own name resources, and on DNSSEC, which enables them to assert those resources through digital signatures.
Jan Zorz, the Internet Society’s Operational Engagement Manager, has also undertaken some testing of DANE with SMTP in the Go6lab. This sent an e-mail to the top one million Alexa domains, which showed that 99% of those had mail servers and that nearly 70% of all the attempted SMTP sessions were encrypted with TLS. Of those, 41% used a certificate from a trusted CA, 17% used an untrusted certificate, 11% were opportunistic and unsigned, whilst just 0.13% were verified with TLSA by DANE. However, the testing did serve to demonstrate that 70% of e-mail can be encrypted in some manner, even though there needs to be greater deployment of DNSSEC before the benefits of DANE can be realised.
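As an added example (not from the presentation or the Go6lab test), the Python below shows how a TLSA record binds a mail server’s key to its DNS name and how a receiving mail client checks the key the server presents against that record. It uses a constructed Ed25519 SubjectPublicKeyInfo in place of a real certificate and implements only the DANE-EE usage; the record carries trust only when the zone it lives in is DNSSEC-signed and the lookup is validated.

```python
"""DANE TLSA records (RFC 6698): build what a zone publishes, check a presented key."""
import hashlib

# Certificate usage values (RFC 6698, 2.1.1); selector 0 = full certificate,
# 1 = SubjectPublicKeyInfo; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512.
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3

# Constructed sample SPKI: Ed25519 AlgorithmIdentifier wrapping 32 dummy key bytes.
# Valid DER shape, not a real key; a zone would take the SPKI from its server cert.
SAMPLE_SPKI = bytes.fromhex("302a300506032b6570032100") + bytes(range(32))

def tlsa_owner_name(host: str, port: int = 25, proto: str = "tcp") -> str:
    """Owner name a client queries, e.g. _25._tcp.mx.example.com. for SMTP."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

def association_data(data: bytes, matching_type: int) -> bytes:
    """Certificate Association Data field for the given matching type."""
    if matching_type == 0:
        return data
    if matching_type == 1:
        return hashlib.sha256(data).digest()
    if matching_type == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown TLSA matching type {matching_type}")

def make_tlsa(data: bytes, usage: int, selector: int, matching_type: int) -> str:
    """Presentation format of a TLSA RR: 'usage selector matching-type hex'."""
    return f"{usage} {selector} {matching_type} {association_data(data, matching_type).hex()}"

def parse_tlsa(rr: str) -> tuple:
    usage, selector, mtype, hexdata = rr.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", ""))

def dane_ee_matches(records, cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE (usage 3) check: the presented cert or SPKI must match one record.
    PKIX/DANE-TA usages need chain building and are skipped; a record with an
    unknown matching type is treated as unusable, never as a match."""
    for rr in records:
        usage, selector, mtype, assoc = parse_tlsa(rr)
        if usage != DANE_EE:
            continue
        presented = spki_der if selector == 1 else cert_der
        try:
            if association_data(presented, mtype) == assoc:
                return True
        except ValueError:
            continue
    return False
```

`make_tlsa(SAMPLE_SPKI, DANE_EE, 1, 1)` gives the RDATA a zone operator would publish at `tlsa_owner_name("mx.example.com")`, and `dane_ee_matches` is the check a sending MTA performs after the TLS handshake.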