DNSSECTLSAbased
DNSSECTLSAbased refers to the use of DNSSEC-protected TLSA records to authenticate TLS connections, a concept commonly known as DANE (DNS-Based Authentication of Named Entities). In this approach, a domain publishes TLSA records in the DNS to indicate which TLS certificates or public keys should be trusted for a given service, such as a website or mail server. The DNS records themselves are secured by DNSSEC, providing an authenticated chain of trust from the domain’s DNS zone to the service.
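The matching step described above, as an added example that is not part of the original page: it checks a presented end-entity certificate against a TLSA RRset using the usage, selector and matching-type fields defined in RFC 6698, and refuses any RRset that was not DNSSEC-validated. The function names are hypothetical, the byte strings are constructed stand-ins for DER data, and the caller is assumed to supply the resolver's validation result and the already-extracted SubjectPublicKeyInfo; only usage 3 (DANE-EE) is handled, since usages 0 to 2 also need chain building.

```python
import hashlib
from typing import NamedTuple

class TLSA(NamedTuple):
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format RDATA such as '3 1 1 ab12...'."""
    usage, selector, mtype, *hex_parts = rdata.split()
    rec = TLSA(int(usage), int(selector), int(mtype),
               bytes.fromhex("".join(hex_parts)))
    if rec.usage not in range(4) or rec.selector not in (0, 1) or rec.mtype not in (0, 1, 2):
        raise ValueError(f"unsupported TLSA parameters: {rdata!r}")
    return rec

def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Apply the selector, then the matching type, and compare with the record data."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 1:
        selected = hashlib.sha256(selected).digest()
    elif rec.mtype == 2:
        selected = hashlib.sha512(selected).digest()
    return selected == rec.data

def dane_ee_authenticates(rrset, dnssec_secure, cert_der, spki_der) -> bool:
    """True if a DANE-EE record in a DNSSEC-validated RRset matches the certificate."""
    if not dnssec_secure:
        return False  # TLSA data without a validated DNSSEC chain must not be trusted
    for rdata in rrset:
        try:
            rec = parse_tlsa(rdata)
        except ValueError:
            continue  # malformed or unsupported records are unusable, so skip them
        if rec.usage == 3 and tlsa_matches(rec, cert_der, spki_der):
            return True
    return False

# Constructed stand-ins for DER bytes (not real certificates): one key, two issuances.
SPKI = b"constructed-spki-der"
CERT_OLD = b"constructed-cert-v1|" + SPKI
CERT_NEW = b"constructed-cert-v2|" + SPKI
PIN_KEY = "3 1 1 " + hashlib.sha256(SPKI).hexdigest()       # pins the public key
PIN_CERT = "3 0 1 " + hashlib.sha256(CERT_OLD).hexdigest()  # pins one exact certificate
```

The two sample records show an operational difference: a selector 1 record keeps matching when the certificate is reissued with the same key, while a selector 0 record has to be republished before every certificate change.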
How it works: When a client connects to a TLS service, it can perform a DNS query
Use cases and limitations: DNSSECTLSAbased deployments are most discussed for securing SMTP/TLS (DANE for mail) and