DNS-based Authentication of Named Entities (dane)

Last modified: 2017-03-21


Security Area (sec) Area Director:


Mailing Lists:

General Discussion: dane@ietf.org
To Subscribe: https://www.ietf.org/mailman/listinfo/dane
Archive: https://mailarchive.ietf.org/arch/browse/dane/

Charter for Working Group:

DANE is a set of mechanisms and techniques that allow Internet applications to establish cryptographically secured communications by using information made available in DNS. By binding the key information to a domain name and protecting that binding with DNSSEC, applications can easily discover authenticated keys for services.


The DANE WG will specify how to incorporate DANE and DANE-like functionality into protocols. The WG will specify the use of DANE  for protocols that use SRV to express service location. The WG will specify DANE use for SMTP, SMIME, OPENPGP, IPSEC and other base electronic mail protocols such as (IMAP or POP). The DANE WG shall also produce a set of implementation guidance for operators and tool developers.

When work on currently chartered documents is complete the WG may re-charter if sufficiently pressing new work is identified.

DANE is not intended to be a long-lived catch-all WG for all public key distribution in DNS issues and so will generally not adopt new work items without re-chartering.

Problem Statement:

The DANE working group has developed a framework for securely retrieving keying information from the DNS [RFC6698]. This framework allows secure storing and looking up server public key information in the DNS. This provides a binding between a domain name providing a particular service and the key that can be used to establish encrypted connection to that service.

By requiring DNSSEC protection for the lookup of the public key information, DANE leverages the integrity protection provided by DNSSEC to enable secure discovery of keying information. Operators wanting to take advantage of DANE for their services must turn on DNSSEC signing on the zones used in finding the services. Using DNS this way, bindings of keys to domains are asserted by the entities that operate the DNS for that domain, not by external entities.

The DANE mechanisms provide flexibility in how the keying information is presented. DANE supports both Certificates and raw keys. Furthermore, the keys (raw or imbedded in certificates) can be full keys or a hashes of keys. The group will work on documenting the different approaches to use DANE keying, and the security implication of each. In addition the WG may develop a framework(s) to facilitate the lookup "client"  DANE records for authorization/authentication purposes.

The group may also create documents that describe how protocol entities can discover and validate these bindings in the execution of specific applications. This work would be done in coordination with the IETF Working Groups responsible for the protocols.

The group may in addition encourage interoperability testing and document the results of such testing.


Oct 2016 Recharter or close down
Dec 2015 Advance DANE reverse binding (server to client) document to IESG
Dec 2015 Advance DANE IPSEC document to IESG
Sep 2015 Advance DANE SMIME document to IESG
Aug 2015 Advance DANE operational guidance/errata document to IESG
Done Advance DANE OPENPGP document to IESG
Done Advance DANE SMTP document to IESG
Done Advance DANE SRV document to IESG


Request for Comments:



Internet SocietyAMSHome - Tools Team - Datatracker - IASA - IAB - RFC Editor - IANA - IRTF - IETF Trust - ISOC - IETF Journal - Store - Contact Us
Secretariat services provided by Association Management Solutions, LLC (AMS).
Please send problem reports to: ietf-action@ietf.org.