Press Release | 23.10.2014

DENIC implements secure and confidential e-mail communication based on DANE and DNSSEC

DENIC, the registry and managing organization for .DE, is among the early adopters of the technology known as DANE, which it has deployed to secure e-mail communication. Developed by the Internet Engineering Task Force (IETF) as an open standard, DANE is a powerful tool for encrypting traffic between mail servers and for reliably verifying the identity of the servers involved.

DANE interlinks conventional certificates (a sort of electronic “identity card”) with the Internet’s “directory service”, the Domain Name System (DNS). E-mail transport encryption enabled by DANE, and underpinned by the DNSSEC security extensions, effectively eliminates the risk of e-mails or messages being redirected or intercepted by a man-in-the-middle. DANE for e-mail is an essential step towards securing Internet communications end-to-end for everyone.

The .DE top level domain has been signed with DNSSEC since 2011, when DENIC laid one of the fundamental foundations for the practical use of DANE in Germany. For details on how DNSSEC can be implemented technically, domain holders are referred to their Internet service providers.

Background Information

About DANE

DANE (DNS-Based Authentication of Named Entities) is described in RFC 6698, a specification issued by the Internet Engineering Task Force (IETF). DANE makes it possible to publish X.509 certificates in the Domain Name System (DNS). X.509 certificates serve to confirm the identity of a web server (or other system). Linking certificates to the DNS creates a number of new options:

  1. By publishing a root certificate, the server operator can state which Certificate Authority (CA) it relies on, and thus which organization is authorized to issue digital certificates for its servers. If another CA issues such a certificate, whether maliciously or because its systems have been manipulated, without the operator’s express consent, the Internet user is alerted accordingly.
  2. Where self-signed certificates are used, with no CA involved, publishing the certificate via the DNS establishes a second channel that enables the application to validate and accept the certificate.
  3. Additionally, DANE allows different certificates (and thereby different cryptographic parameters) to be used for services that are reachable under the same host name (such as mail, web or instant messaging).
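As an added example (not DENIC's code and not part of this release), the following Python models what options 1 and 2 above amount to at the record level: the TLSA record that RFC 6698 defines carries a certificate usage, a selector (whole certificate or public key) and a matching type (exact or hash), and a DANE-aware client compares the certificate chain a mail server presents against that record. The certificate bytes are constructed placeholders rather than real DER, and the `dnssec_validated` flag stands in for the answer of a validating resolver; both are assumptions of this example. PKIX path validation for usages 0 and 1 is left to a TLS library and not modelled here.

```python
"""Added example, not DENIC's code: building the TLSA record RFC 6698 defines
and checking a presented certificate chain against it.

Certificate bytes below are constructed placeholders, not real X.509 DER.
In a real deployment the DER certificate and its SubjectPublicKeyInfo come
from a TLS library, and 'dnssec_validated' comes from a validating resolver.
"""
import hashlib
from dataclasses import dataclass

# RFC 6698 certificate usages
PKIX_TA, PKIX_EE, DANE_TA, DANE_EE = 0, 1, 2, 3
# Selectors: whole certificate or SubjectPublicKeyInfo
FULL_CERT, SPKI = 0, 1
# Matching types
EXACT, SHA256, SHA512 = 0, 1, 2


@dataclass(frozen=True)
class Cert:
    der: bytes   # DER-encoded certificate
    spki: bytes  # DER-encoded SubjectPublicKeyInfo


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching: int
    data: bytes  # certificate association data


def association_data(cert: Cert, selector: int, matching: int) -> bytes:
    """Apply selector and matching type (RFC 6698 section 2.1) to a cert."""
    chosen = cert.der if selector == FULL_CERT else cert.spki
    if matching == EXACT:
        return chosen
    if matching == SHA256:
        return hashlib.sha256(chosen).digest()
    if matching == SHA512:
        return hashlib.sha512(chosen).digest()
    raise ValueError(f"unknown matching type {matching}")


def make_tlsa(cert: Cert, usage: int, selector: int = SPKI, matching: int = SHA256) -> TLSA:
    """Record an operator publishes: its own cert (DANE-EE) or its CA (DANE-TA)."""
    return TLSA(usage, selector, matching, association_data(cert, selector, matching))


def to_presentation(rr: TLSA) -> str:
    """Zone-file form, e.g. '3 1 1 <hex>' under a name like _25._tcp.mail.example."""
    return f"{rr.usage} {rr.selector} {rr.matching} {rr.data.hex()}"


def parse_tlsa(text: str) -> TLSA:
    usage, selector, matching, data = text.split(None, 3)
    return TLSA(int(usage), int(selector), int(matching), bytes.fromhex(data))


def chain_matches(rrset, chain, dnssec_validated: bool) -> bool:
    """True if the presented chain (leaf first) satisfies any TLSA record.

    Only the DANE matching step is modelled; usages 0 and 1 additionally
    require ordinary PKIX path validation by the TLS library.
    """
    if not dnssec_validated:
        return False  # TLSA data that is not DNSSEC-signed carries no authority
    leaf, issuers = chain[0], chain[1:]
    for rr in rrset:
        if rr.usage in (PKIX_EE, DANE_EE):
            candidates = [leaf]      # the server's own certificate must match
        elif rr.usage in (PKIX_TA, DANE_TA):
            candidates = issuers     # a CA certificate in the chain must match
        else:
            continue                 # unknown usage: ignore the record
        if any(association_data(c, rr.selector, rr.matching) == rr.data
               for c in candidates):
            return True
    return False


# Constructed placeholders standing in for DER data (not real certificates).
CA = Cert(der=b"constructed-ca-cert", spki=b"constructed-ca-key")
SERVER = Cert(der=b"constructed-server-cert", spki=b"constructed-server-key")
ROGUE = Cert(der=b"constructed-rogue-cert", spki=b"constructed-rogue-key")

# Option 2 in the text: a self-signed certificate published directly (DANE-EE)
SELF_SIGNED_RR = parse_tlsa(to_presentation(make_tlsa(SERVER, DANE_EE)))
# Option 1 in the text: the operator names the CA it relies on (DANE-TA)
PINNED_CA_RR = make_tlsa(CA, DANE_TA)

if __name__ == "__main__":
    print(to_presentation(SELF_SIGNED_RR))
    print("own cert, signed DNS: ", chain_matches([SELF_SIGNED_RR], [SERVER], True))
    print("cert from another CA: ", chain_matches([PINNED_CA_RR], [SERVER, ROGUE], True))
    print("unsigned DNS answer:  ", chain_matches([SELF_SIGNED_RR], [SERVER], False))
```

The `dnssec_validated` gate is the point where DANE depends on DNSSEC: a TLSA record that did not arrive with a validated signature is treated as absent, because otherwise an attacker who can forge DNS answers could also forge the certificate binding.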

Currently, DANE is used, particularly in Germany, to secure encrypted communication between mail servers. Further applications are undergoing standardization within the IETF; among those currently being extended with DANE are end-to-end encryption and digital signing based on S/MIME.

About DNSSEC

The Domain Name System (DNS) as originally designed does not provide any authentication of the information it distributes. Communication between name servers and Internet applications (such as web browsers or VoIP phones) is not completely safe against third-party tampering. Over the past years, various attack scenarios have been described, and attackers continue to refine them. By adding digital signatures to the DNS, DNSSEC (short for DNS Security) helps protect DNS data. These signatures ensure that the responses applications receive are identical to the data the responsible DNS administrator published on their name servers. The root of the DNS hierarchy has been secured with DNSSEC since 2010, with the .DE domain managed by DENIC following in 2011.