Public DENIC mailinglist

[DENIC Presse <presse AT denic.de>]

*PRESS RELEASE*

DENIC eG implements secure and confidential e-mail communication based on 
DANE and DNSSEC

--------------------------------------------------------------------------------------------------------------------------------------------

Dear Sir or Madam,

DENIC eG is among the early adopters who have implemented the technology 
labelled DANE with the objective to secure e-mail communication. Having 
been developed by the Internet Engineering Task Force (IETF) as an open 
standard, DANE is a powerful tool to encrypt data traffic between mail 
servers and to verify the identity of the involved servers, in a reliable 
manner.

DANE interlinks conventional certificates (a sort of electronic “identity 
cards”) with the Internet’s “directory service”, the Domain Name System 
(DNS). The e-mail transport encryption enabled by DANE and based on the 
security extensions DNSSEC effectively eliminates the risk of e-mails or 
messages being redirected or intercepted, as a result of man-in-the-middle 
interference. DANE for e-mail is an essential step towards securing 
Internet communications end-to-end for everyone.

The .DE top level domain has been signed with DNSSEC since 2011 already, 
when DENIC established one of the fundamental bases paving the way for the 
practical use of DANE, in Germany. For more details on how DNSSEC can be 
implemented technically, domain holders are referred to their Internet 
service providers.

-------------------------------

About DANE
DANE (DNS-Based Authentication of Named Entities) is described in RFC 
6698, a specification issued by the Internet Engineering Task Force 
(IETF). Using DANE enables so-called X.509 certificates to be stored in 
the Domain Name System (DNS). The purpose of X.509 certificates is to 
confirm the identity of a webserver (or other systems). Linking 
certificates to the DNS creates a number of new options:

1.      By publishing a root certificate, the server operator can state 
which Certificate Authority (CA) he relies on, thus which organization is 
authorized to issue digital certificates for his servers. In case another 
CA issues such certificate either maliciously or as a result of a 
manipulation of its systems, but without the operator’s express consent, 
the Internet user will be alerted accordingly.

2.      Where self-signed certificates are used, with no CA services 
involved, a second channel is established by the certificate being 
publication via the DNS. This enables the application to validate and 
accept such certificate.

3.      Additionally, DANE allows using different certificates (and 
thereby different cryptographic parameters) for services which can be 
accessed via the same host name (such as mail, web or instant messaging).

Currently DANE is used, particularly in Germany, to control encrypted 
communication between mail servers. Further applications are presently 
undergoing standardization procedures within the IETF. Among the 
applications currently being extended using DANE are end-to-end encryption 
and digital signing based on the S/MIME process.

About DNSSEC
The Domain Name System (DNS) as it was originally designed does not 
provide for any authentication of the distributed information. 
Communication between name servers and Internet applications (such as web 
browsers or VoIP phones) is not completely safe against third-party 
tampering. Over the past years, various attack scenarios have been 
described, which keep being refined by attackers. By adding digital 
signatures to the DNS, DNSSEC (short for DNS Security) helps protecting 
DNS data. These signatures make sure that responses to application 
requests are identical to the data published by the responsible DNS 
administrator, in their name servers. The root of the DNS hierarchy has 
been DNSSEC secured since 2010, with the .DE domain managed by DENIC 
following up in 2011.


Kind regards

Stefanie Welters
Public Relations Officer
-- 

DENIC eG
Kaiserstraße 75-77
60329 Frankfurt am Main
GERMANY

E-Mail: presse AT denic.de
Fon: +49 69 27235-274 
Fax: +49 69 27235-235
http://www.denic.de

Angaben nach § 25a Absatz 1 GenG:
DENIC eG (Sitz: Frankfurt am Main)
Vorstand: Helga Krüger, Andreas Musielak, Carsten Schiefner, Dr. Jörg 
Schweiger
Vorsitzender des Aufsichtsrats: Thomas Keller
Eingetragen unter Nr. 770 im Genossenschaftsregister, Amtsgericht 
Frankfurt am Main

____________________________________
Mailinglist-Managenment:
http://mailinglists.denic.de/mailman/listinfo/public-l