Measuring DANE TLSA Deployment

Zhu, Liang and Wessels, Duane and Mankin, Allison and Heidemann, John
USC/Information Sciences Institute


Liang Zhu, Duane Wessels, Allison Mankin and John Heidemann 2014. Measuring DANE TLSA Deployment. Presentation at DNS-OARC Fall Workshop.


As adoption of DNS Security Extensions (DNSSEC) grows, DNS-based Authentication of Named Entities (DANE) provides an alternative to traditional CA-based certificate authentication. The DANE TLSA protocol specification was published in 2012. It is generally unknown to the DNS community how widely DANE TLSA has been deployed and how TLSA records are used. In this talk, we present a survey of current deployment of DANE TLSA. We developed PryDane, a tool that actively probes names that may have TLSA records and validates those records against the servers' certificates. Based on the data we collected, we conclude that DANE TLSA is not widely deployed at this time. Our probing data shows that the most common usage of TLSA records (more than 80%) is a domain-issued certificate matching the full certificate with SHA-256. Our validation results show that consistently about 7%–10% of DANE-enabled names have invalid TLSA records. We explored the reasons for these mismatches, such as wrong certificates and incorrect parameters in TLSA records.
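The check that PryDane performs is not shown on this page; the following is an added example, not the authors' tool, that matches a TLSA record against the certificate a server presented for the full-certificate selector the abstract reports as most common, and distinguishes a record with incorrect parameters from one that points at the wrong certificate. The byte strings standing in for DER-encoded certificates are constructed.

```python
import hashlib

# TLSA parameter values from RFC 6698. The matching type fixes the expected
# length of the certificate association data, which lets a validator tell a
# malformed record (wrong parameters) from a well-formed one that simply does
# not match the served certificate (wrong cert).
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "full certificate", 1: "SubjectPublicKeyInfo"}
DIGEST_LEN = {0: None, 1: 32, 2: 64}  # 0 = exact match, 1 = SHA-256, 2 = SHA-512

# Constructed stand-ins for two DER-encoded certificates (not real X.509).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-cert-for-example.test"
OTHER_CERT_DER = b"\x30\x82\x01\x00constructed-cert-for-some-other-host"

def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Derive the data a TLSA record must carry for this certificate."""
    if selector != 0:
        # Selector 1 needs the SubjectPublicKeyInfo pulled out of the DER
        # structure; this example only handles the full-certificate case.
        raise ValueError("selector 1 (SPKI) not handled in this example")
    if mtype == 0:
        return cert_der
    if mtype == 1:
        return hashlib.sha256(cert_der).digest()
    return hashlib.sha512(cert_der).digest()

def tlsa_record(cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """Build the RFC 6698 presentation form, e.g. '3 0 1 <hex digest>'."""
    return f"{usage} {selector} {mtype} {association_data(cert_der, selector, mtype).hex()}"

def check_tlsa(record: str, served_cert_der: bytes) -> str:
    """Classify a TLSA record against the certificate a server presented."""
    usage, selector, mtype, *hexdata = record.split()
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage not in USAGES or selector not in SELECTORS or mtype not in DIGEST_LEN:
        return "invalid: unknown usage/selector/matching type"
    data = bytes.fromhex("".join(hexdata))
    want = DIGEST_LEN[mtype]
    if want is not None and len(data) != want:
        return f"invalid: {len(data)}-byte data for matching type {mtype} (expects {want})"
    try:
        computed = association_data(served_cert_der, selector, mtype)
    except ValueError as err:
        return f"unsupported: {err}"
    if computed != data:
        return "mismatch: record does not match served certificate"
    # Usages 0-2 additionally need PKIX or trust-anchor chain checks; for
    # usage 3 (DANE-EE) the association match alone is the verdict.
    return f"match ({USAGES[usage]})"
```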


  author = {Zhu, Liang and Wessels, Duane and Mankin, Allison and Heidemann, John},
  title = {Measuring {DANE} {TLSA} Deployment},
  howpublished = {Presentation at DNS-OARC Fall Workshop},
  address = {Los Angeles, California, USA},
  month = oct,
  year = {2014},
  sortdate = {2014-10-01},
  jlocation = {johnh: pafile},
  keywords = {DANE TLSA, DNS, PKI},
  url = {},
  pdfurl = {},
  myorganization = {USC/Information Sciences Institute},
  copyrightholder = {authors},
  project = {ant, lacrend, tdns},
  blogurl = {}