Oct 11 – 13, 2014
Hyatt Regency Century Plaza
US/Pacific timezone

A Survey of Current DANE/TLSA Deployment

Oct 12, 2014, 2:00 PM
Westside (Hyatt Regency Century Plaza)


Hyatt Regency Century Plaza

2025 Avenue of the Stars Los Angeles California 90067 USA
Public Workshop Sunday Workshop (Public)


Liang Zhu (USC/Information Sciences Institute)


As adoption of DNS Security Extensions (DNSSEC) grows, DNS-based Authentication of Named Entities (DANE) provides an alternative to traditional CA-based certificate authentication. The DANE TLSA protocol specification was published in 2012. It's generally unknown to the DNS community how widely DANE TLSA has been deployed and how TLSA records are used. In this talk, we present a survey of current deployment of DANE TLSA. We developed PryDane, a tool for actively probing names possibly having TLSA records validating those records with the server certificates. Based on the data we collected, we conclude that DANE TLSA is not widely deployed at this time. Our probing data shows the most common (>80%) usage of TLSA record is: domain-issued cert matching full cert with SHA-256. Our validation results show there are consistently about 7%-10% of DANE-enabled names having invalid TLSA records. We explored the reasons for these mismatches, such as wrong certs and incorrect parameters in TLSA records.

Primary author

Liang Zhu (USC/Information Sciences Institute)


Duane Wessels (Verisign)

Presentation materials