What is DANE? DNS-Based Authentication of Named Entities
DANE (DNS-Based Authentication of Named Entities) is a security protocol that uses the DNS system to associate SSL/TLS certificates with a specific domain name. It aims to solve some of the fundamental trust issues with the traditional Certificate Authority (CA) model by leveraging the security and integrity provided by DNSSEC. In essence, DANE allows you to publish your certificate information directly in your DNS records, giving clients another way to verify your identity.
The Problem DANE Solves: The CA Problem
The standard way of verifying an SSL certificate relies on a hierarchical chain of trust: your browser ships with a set of trusted root CAs, and any certificate signed by one of them (or by an intermediate CA they have in turn signed) is accepted as valid. This model has two main weaknesses:
- A Single Point of Failure: If any single one of the hundreds of trusted CAs is compromised, an attacker can issue a fraudulent certificate for any domain, and browsers will trust it.
- Lack of Domain Owner Control: As a domain owner, you have no direct way to tell browsers which CAs are authorized to issue certificates for your domain.
DANE addresses this by moving the trust anchor from the CA system to the DNS system, which is secured by DNSSEC.
Prerequisite: DNSSEC
DANE is entirely dependent on DNSSEC. Without DNSSEC, DNS records can be easily spoofed, making any information in them untrustworthy. DNSSEC provides cryptographic assurance that the DNS records you receive are authentic and have not been tampered with.
How DANE Works: The TLSA Record
DANE works by introducing a new DNS record type: the TLSA (TLS Association) record. This record is published for the domain and port you want to secure (e.g., `_443._tcp.www.example.com`).
A TLSA record contains four key pieces of information:
1. Certificate Usage Field
Specifies what kind of certificate the record applies to. For example, it can name a particular CA that is allowed to issue certificates for the name, or it can point directly to the end-entity certificate the server presents.
2. Selector Field
Indicates whether the record refers to the full certificate or just its public key.
3. Matching Type Field
Defines how the certificate data is presented in the record: either the full data itself or a SHA-256 or SHA-512 hash of it.
4. Certificate Association Data
The actual data (or its hash) that the client will compare against the server's presented certificate.
The Validation Process with DANE
- A DANE-aware client wants to connect to `https://www.example.com`.
- It first performs a DNS lookup for the TLSA record for `_443._tcp.www.example.com`. It uses DNSSEC to validate that the response is authentic.
- The client initiates the TLS handshake with the server and receives its SSL certificate.
- The client then compares the received certificate against the rules and data specified in the TLSA record.
- If they match, the connection is trusted. If they don't, the connection is terminated, even if a trusted CA signed the certificate.
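The following Go program is an added example, not code from the original article, showing the two halves of the process above in one place: how the four TLSA fields (usage, selector, matching type, association data) are derived from a certificate, and how a client compares a certificate presented in the handshake against the published record. The certificates are generated in memory (constructed test data, not a real site's certificate), and the record is built in memory rather than fetched from DNS; a real client obtains it through a DNSSEC-validating resolver, which this example does not do. Only certificate usage 3 (DANE-EE, the "pin this end-entity certificate" case) is implemented in the matching function; usages 0 to 2 additionally require chain building against the named CA, which is omitted here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSARecord holds the four RDATA fields of a TLSA record.
type TLSARecord struct {
	Usage    uint8  // 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
	Selector uint8  // 0 = full certificate, 1 = SubjectPublicKeyInfo
	Matching uint8  // 0 = exact data, 1 = SHA-256, 2 = SHA-512
	Data     []byte // certificate association data
}

// association reduces a certificate to the bytes a TLSA record carries:
// the selector picks the whole DER certificate or just its public key
// (SubjectPublicKeyInfo); the matching type keeps it verbatim or hashes it.
func association(cert *x509.Certificate, selector, matching uint8) ([]byte, error) {
	var data []byte
	switch selector {
	case 0:
		data = cert.Raw
	case 1:
		data = cert.RawSubjectPublicKeyInfo
	default:
		return nil, fmt.Errorf("unknown selector %d", selector)
	}
	switch matching {
	case 0:
		return data, nil
	case 1:
		h := sha256.Sum256(data)
		return h[:], nil
	case 2:
		h := sha512.Sum512(data)
		return h[:], nil
	}
	return nil, fmt.Errorf("unknown matching type %d", matching)
}

// NewTLSARecord computes the record an operator would publish for cert.
func NewTLSARecord(cert *x509.Certificate, usage, selector, matching uint8) (TLSARecord, error) {
	data, err := association(cert, selector, matching)
	if err != nil {
		return TLSARecord{}, err
	}
	return TLSARecord{usage, selector, matching, data}, nil
}

// String renders the RDATA in zone-file presentation format, e.g. "3 1 1 <hex>".
func (r TLSARecord) String() string {
	return fmt.Sprintf("%d %d %d %s", r.Usage, r.Selector, r.Matching, hex.EncodeToString(r.Data))
}

// MatchesEndEntity is the DANE-EE (usage 3) check a client performs after the
// handshake: the presented certificate is reduced with the record's own
// selector and matching type and compared to the published data.
func (r TLSARecord) MatchesEndEntity(presented *x509.Certificate) bool {
	if r.Usage != 3 {
		return false // other usages need chain validation, not implemented here
	}
	data, err := association(presented, r.Selector, r.Matching)
	return err == nil && bytes.Equal(data, r.Data)
}

// selfSignedCert makes a throwaway ECDSA certificate (constructed test data).
func selfSignedCert(name string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	legit, _ := selfSignedCert("www.example.com")
	rec, _ := NewTLSARecord(legit, 3, 1, 1) // "3 1 1": DANE-EE, SPKI, SHA-256
	fmt.Println("_443._tcp.www.example.com. IN TLSA", rec)
	rogue, _ := selfSignedCert("www.example.com") // different key, same name
	fmt.Println("legitimate certificate matches:", rec.MatchesEndEntity(legit))
	fmt.Println("rogue certificate matches:", rec.MatchesEndEntity(rogue))
}
```

The rogue certificate carries the right name but a different key, so it fails the comparison regardless of who signed it, which is the "even if a trusted CA signed the certificate" outcome from the last step above. Two operational points follow from the code: a record with selector 1 (public key) keeps matching across certificate renewals as long as the key is reused, whereas selector 0 must be republished with every new certificate; and if the key is rotated without updating the record first, every DANE-aware client rejects the site, which is the outage the Operational Complexity point below warns about.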
Advantages and Disadvantages of DANE
Advantages
- Reduces CA Dependency: Allows domain owners to specify which CAs are valid or even bypass the CA system entirely by pinning their own self-signed certificate.
- Resilience to CA Compromise: An attacker with a fraudulent certificate from a compromised CA would be blocked if it doesn't match the DANE record.
- Centralized Trust Management: Puts certificate trust information in the DNS, a system already managed by the domain owner.
Disadvantages
- DNSSEC Requirement: DNSSEC adoption is still not universal. Without it, DANE is insecure.
- Limited Client Support: While support is growing in email servers (SMTP), browser support for DANE for HTTPS is virtually non-existent. This is its biggest hurdle.
- Operational Complexity: Managing DNSSEC and TLSA records adds another layer of complexity for system administrators. A mistake can take your site offline.
The Future of DANE
While DANE has not taken off for web browsing (HTTPS), it has found significant traction in securing email transport. Many mail servers use DANE to authenticate the TLS certificates of other mail servers, preventing man-in-the-middle (MITM) attacks on SMTP connections.
For the web, technologies like Certificate Transparency (CT) and Certificate Authority Authorization (CAA) have been more successful because they work within the existing CA ecosystem and have broad client support. However, DANE remains a powerful and interesting protocol that could see wider use if browser vendors decide to support it in the future.
Master Your DNS Security
While DANE adoption for web is low, securing your DNS is more important than ever. CertNotify's DNS monitoring tools help you keep track of critical records, and our Learning Center provides guides on essential technologies like DNSSEC and CAA records.