
DANE missed the boat

This article represents my personal views

What problem does DANE try to solve?

DANE wants to be an alternative model for validating domain names with TLS, by moving part of the security check into the DNS. However, it does not work with plain DNS; it needs DNSSEC as the underlying protocol. The perceived advantage is that it prevents rogue certificates from being issued, unlike the current CA model.
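To make the "check inside the DNS" concrete, here is an added example (mine, not the post's) of how a TLSA record is matched against a server certificate, following the field layout of RFC 6698. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins rather than real DER, and the `dane_accepts` gate that refuses to trust a record unless the DNS answer was DNSSEC-validated is exactly the dependency on DNSSEC described above.

```python
import hashlib
from dataclasses import dataclass

# Certificate usage values from RFC 6698; usages 0 and 1 still require PKIX (CA) validation.
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}

@dataclass
class TLSA:
    usage: int      # which part of the chain the record constrains
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data

def tlsa_owner_name(host: str, port: int = 443, proto: str = "tcp") -> str:
    """Name under which the TLSA record is published, e.g. _443._tcp.example.com."""
    return f"_{port}._{proto}.{host}"

def parse_tlsa(presentation: str) -> TLSA:
    """Parse presentation format such as '3 1 1 <hex>' into a TLSA record."""
    usage, selector, mtype, hexdata = presentation.split(maxsplit=3)
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))

def association_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute the value the record's data field is compared against."""
    chosen = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return chosen
    if rec.mtype == 1:
        return hashlib.sha256(chosen).digest()
    if rec.mtype == 2:
        return hashlib.sha512(chosen).digest()
    raise ValueError(f"unknown matching type {rec.mtype}")

def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    return association_data(rec, cert_der, spki_der) == rec.data

def pkix_still_required(rec: TLSA) -> bool:
    """PKIX-TA/PKIX-EE only constrain a CA-validated chain; DANE-TA/DANE-EE replace CA trust."""
    return rec.usage in (0, 1)

def dane_accepts(rec: TLSA, cert_der: bytes, spki_der: bytes, dnssec_validated: bool) -> bool:
    """A TLSA record is only meaningful if the DNS answer carrying it was DNSSEC-validated."""
    return dnssec_validated and tlsa_matches(rec, cert_der, spki_der)

# Constructed sample input: stand-ins for the DER bytes of a cert and its SPKI (not real certificates).
SAMPLE_CERT = b"constructed-cert-der-bytes"
SAMPLE_SPKI = b"constructed-spki-der-bytes"
SAMPLE_RECORD = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()

if __name__ == "__main__":
    rec = parse_tlsa(SAMPLE_RECORD)
    print(tlsa_owner_name("example.com"), USAGE_NAMES[rec.usage],
          dane_accepts(rec, SAMPLE_CERT, SAMPLE_SPKI, dnssec_validated=True))
```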

First, let's look at DNSSEC

DNSSEC suffers from a number of issues. One is the complexity of the protocol and its steep learning curve. The second is the deployment of DNSSEC: it enjoys a lot of support from ICANN and the RIRs, but comparatively little from the commercial world. Neither ebay.com nor alibaba.com, two of the major e-commerce websites in the world, has deployed it. Lastly, the problem that NONE of the Internet organizations want to talk about is security at the edge. DNSSEC-aware resolvers in CPE equipment are NOT available in 2015. The most popular DNS software for CPE equipment still has a work-in-progress implementation of DNSSEC, which still has bugs that cause valid DNSSEC signatures to fail validation. [I have other points on DNSSEC, but I will expand on them in another blog post.] Good luck finding an off-the-shelf modem that can do correct DNSSEC for your grandparents.

DANE's history with the commercial world

Despite the issues with the underlying DNSSEC protocol, DANE still managed to gain some support from the commercial world. In my humble opinion, the greatest opportunity came from Google, when it implemented DANE in Google Chrome. That was the right opportunity to solve the mass deployment of DANE (and of DNSSEC in the process). However, a number of issues complicated the implementation of DANE: the size of DNSSEC messages caused problems at the edge of the Internet, and it also introduced additional latency, due to the complex nature of the DNSSEC validation process. Google later took the hard decision to remove DANE from Google Chrome. Neither the DANE nor the DNSSEC WG at the IETF addressed those issues. DANE support, enabled by default, is NOT happening in any of the Google products that are flooding the market. It is available as a plugin. But will your grandmother download a DANE plugin when she downloads Google? Experience suggests very few grandmothers would do that.

Conclusion

DANE missed the boat when the DANE & DNSSEC community failed to address the implementation issues that Google was facing. It was the golden train, and DANE missed it. Other solutions which were easier to implement and deploy filled that gap. It's very likely that DANE's adoption both on the server and client side will remain small.