Using DANE/TLSA

Category: DNS E-Mail
Created: 2015-07-21
Updated: 2022-09-14

DNS-based Authentication of Named Entities (DANE) is a protocol for securing data traffic (see Wikipedia). In simple terms, a hash (fingerprint) of the TLS certificate that protects the connection to a service (e-mail, website) is published in the DNS. Because DNSSEC is a prerequisite for DANE, it can be ruled out that, for example, a TLS certificate “slipped in” by a compromised issuer is accepted: the client only trusts a certificate whose fingerprint matches the signed TLSA record.

In particular, DANE/TLSA enables reliably protected communication between mail servers. Unlike the practically closed system “E-Mail made in Germany”, DANE is an open and standardized protocol (RFC6698).

As of version 1.9.0, LiveConfig supports the use of DANE:

  • Creation of TLSA records
  • Activation of DANE for the SMTP server (Postfix)

DANE/TLSA for outgoing emails

To use DANE for sending emails, your server must run Postfix version 2.11 or later (for example, Debian 8 or later). You must also use only DNSSEC-validating DNS resolvers (file /etc/resolv.conf), because Postfix only trusts TLSA records that the resolver has validated. For tests, you can use the Google resolver at the IP 8.8.8.8 - otherwise ask your provider whether, and at which IPs, it provides DNSSEC-validating resolvers. Then activate the DANE/TLSA option under Server Management → Mail. That’s it.

DANE/TLSA for incoming mail

To use DANE/TLSA for incoming mail, all domains involved must be signed with DNSSEC, as well as the domain with the hostname of the MX record. For example, if you want to enable DANE/TLSA for the domain example.test and it contains the host mail.example.org as the MX, then DNSSEC must be set up for both example.test and example.org.

You must also create a TLSA resource record for the MX. So in the example just given, that would be a TLSA record for the hostname _25._tcp.mail.example.org. You can view the required hash value using our SSL check. We recommend using the hash value of the public key (SubjectPublicKeyInfo) rather than of the whole certificate - the TLSA record parameters are then 3 1 1 (usage 3 = DANE-EE, selector 1 = public key, matching type 1 = SHA-256).

Example

TLSA is to be activated for the domain liveconfig.com. The mail server (MX) is mail.keppler-it.de. The necessary steps are therefore:

  • activate DNSSEC for the domain liveconfig.com
  • activate DNSSEC for the domain keppler-it.de (because this domain hosts the MX record)
  • create the TLSA record _25._tcp.mail.keppler-it.de for SMTP (with the hash of the TLS certificate from the mail server)
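The following added example (not LiveConfig code) shows what the "3 1 1" record data above consists of: it extracts the SubjectPublicKeyInfo from a DER certificate with a minimal standard-library DER walker, builds the TLSA RDATA, and checks a published record against a certificate, which is the test to repeat after every certificate renewal. The certificate it runs on is a constructed stand-in with dummy contents, not a real certificate; the host name mail.example.org is assumed.

```python
import hashlib

def der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at pos (definite lengths only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_encode(tag, value):
    """Encode one DER element; used to rebuild the SPKI element and the sample cert."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo, i.e. the bytes TLSA selector 1 covers."""
    _, cert_body, _ = der_tlv(cert_der)           # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert_body)                 # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):                          # walk the TBSCertificate fields in order
        tag, val, pos = der_tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:                       # skip the optional EXPLICIT [0] version
        fields.pop(0)
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return der_encode(*fields[5])

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """RDATA 'usage selector mtype hex'; selector 0 = full cert, 1 = SPKI; mtype 1 = SHA-256, 2 = SHA-512."""
    data = extract_spki(cert_der) if selector == 1 else cert_der
    digest = hashlib.sha256(data) if mtype == 1 else hashlib.sha512(data)
    return f"{usage} {selector} {mtype} {digest.hexdigest()}"

def tlsa_matches(cert_der, rdata):
    """True if a published TLSA record matches the certificate the MX presents (post-renewal check)."""
    usage, selector, mtype, hexdata = rdata.split()
    return tlsa_rdata(cert_der, int(usage), int(selector), int(mtype)).split()[3] == hexdata.lower()

# Constructed stand-in certificate (not a real one): only the RFC 5280 SEQUENCE layout matters here.
SAMPLE_SPKI = der_encode(0x30, der_encode(0x30, b"\x06\x03\x2a\x03\x04") + der_encode(0x03, b"\x00constructed-key"))

def build_sample_cert():
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02"))   # version v3
           + der_encode(0x02, b"\x01")                    # serialNumber
           + der_encode(0x30, b"") * 4                    # signature, issuer, validity, subject (empty)
           + SAMPLE_SPKI)
    return der_encode(0x30, der_encode(0x30, tbs) + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))

def sample_record(host="_25._tcp.mail.example.org."):
    """Full zone-file line for the assumed MX host, e.g. '_25._tcp.mail.example.org. IN TLSA 3 1 1 <hex>'."""
    return f"{host} IN TLSA {tlsa_rdata(build_sample_cert())}"
```

With a real MX certificate, read the DER bytes from disk (PEM must be base64-decoded first) and pass them to tlsa_rdata; tlsa_matches against the record currently served by DNS tells you whether a renewal broke DANE before peers refuse delivery.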