2014/06/16/practical-guide-dns-based-authentication-named-entities-dane/

[utterances-bot]

Protecting your website with DNS-Based Authentication of Named Entities (DANE) - Edge Cloud

DNS-based Authentication of Named Entities (DANE, RFC6698) allow X.509 certificates, commonly used for Transport Layer Security (TLS), to be bound to DNS names using Domain Name System Security Extensions (DNSSEC). DNSSEC assures users that the information they obtain from DNS - in this case the fingerprint of the X.509 certificate came from the correct source, was complete and its integrity was not compromised during the transfer.

https://www.edge-cloud.net/2014/06/16/practical-guide-dns-based-authentication-named-entities-dane/

[GwynethLlewelyn]

I know that this article is Ancient News™. However, it happens to be quite accurate overall — even 11 years later — and, as such, it's worth adding just the tiniest details to get it working again.

The good news:

• Cloudflare now fully supports DNSSEC, TLSA records, and much more. You can safely go ahead and totally protect your website using the 'experimental' tags — Cloudflare now supports almost all of them (I'm still waiting for OPENPGPKEY....).
• Amazingly, the TLSA Record generator from Shumon Huque is still fully operational (!). In this age and era of link rot, it's awesome to see that Huque's an exception to the rule. It's still my favourite generator — so easy to use, and it never fails to provide the correct information. Oh, it has a few tiny bugs here and there, but, really, it's still the best one around.

The not-so-good news:

• Sadly, NIC.CZ was forced to discontinue their amazing plugin. This was mostly due to increasing levels of complexity to keep up with the constant changes in plugin support by browser vendors. On the other hand, there are a few plugins listed on the Chrome Web store… which do not work as well as they should (some are browser-native, some use an external tool to do the checking, some use a third-party service to get the information), but it's a start!
• For Firefox, there is a DNSSEC extension by Antoine Popineau which does a nice job — with an oddity! By default, it uses Cloudflare's 1.1.1.1 resolver. However (and this is mentioned in the instructions!), that one will not detect DNSSEC for domains hosted on Cloudflare! (weird, but true) Popineau's extension allows, on the extension preferences, to switch to Google's own 8.8.8.8 instead — which will correctly flag domains on Cloudflare!