General How-to

DNSSEC: Beware during algorithm transitions

DNSSEC is cool. It easily adds security to probably the most important enabling protocol in today’s Internet: No web pages could be found, email delivered, or instant message received, without the Domain Name System (DNS). DNSSEC also enables DANE, a step forward for certificates for most applications. Sometimes you want to change a few settings. […]


DANE: The CA game changer

Securing the Internet is important. However, many design decisions are broken: For example, encrypted web pages are considered less secure than unencrypted pages, even outright dangerous, unless you regularly pay a lot of money to certificate authorities, which have been shown to make the Internet less secure. The new kid on the block, DANE (DNS-based Authentication […]


How to create DNSsec DANE TLSA entries

Rationale: One of the most promising features for DNSSEC is the ability to tell a client which certificate to expect when connecting via Transport Layer Security (TLS). RFC 6698 specifies how TLS Authentication information can be put into DNSSEC. So when you ask for the IP address of the server, you can simultaneously obtain the information which […]