Dane Status Pages

DNS-based Authentication of Named Entities (Concluded WG)
Sec Area: Roman Danyliw, Benjamin Kaduk | 2010-Dec-12 — 2017-Mar-21 

2017-02-16 charter

DNS-based Authentication of Named Entities (dane)


 Current Status: Active

     Ólafur Guðmundsson <ogud@ogud.com>
     Warren Kumari <warren@kumari.net>

 Security Area Directors:
     Stephen Farrell <stephen.farrell@cs.tcd.ie>
     Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>

 Security Area Advisor:
     Stephen Farrell <stephen.farrell@cs.tcd.ie>

     Matt Lepinski <mlepinski.ietf@gmail.com>

 Mailing Lists:
     General Discussion: dane@ietf.org
     To Subscribe:       https://www.ietf.org/mailman/listinfo/dane
     Archive:            https://mailarchive.ietf.org/arch/browse/dane/

Description of Working Group:

  DANE is a set of mechanisms and techniques that allow Internet
  applications to establish cryptographically secured communications
  by using information made available in DNS. By binding the key
  information to a domain name and protecting that binding with
  DNSSEC, applications can easily discover authenticated keys for


      The DANE WG will specify how to incorporate DANE and DANE-like
      functionality into protocols. The WG will specify the use of DANE
      for protocols that use SRV to express service location. The WG will
      specify DANE use for SMTP, SMIME, OPENPGP, IPSEC and
      other base electronic mail protocols (such as IMAP or POP). The
      DANE WG shall also produce a set of implementation guidance
      for operators and tool developers.

      When work on currently chartered documents is complete the WG
      may re-charter if sufficiently pressing new work is identified.

      DANE is not intended to be a long-lived catch-all WG for all
      public key distribution in DNS issues and so will generally not
      adopt new work items without re-chartering.

  Problem Statement:

      The DANE working group has developed a framework for securely
      retrieving keying information from the DNS [RFC6698]. This
      framework allows secure storing and looking up server public key
      information in the DNS. This provides a binding between a domain
      name providing a particular service and the key that can be used
      to establish an encrypted connection to that service.

      By requiring DNSSEC protection for the lookup of the public key
      information, DANE leverages the integrity protection provided by
      DNSSEC to enable secure discovery of keying information. Operators
      wanting to take advantage of DANE for their services must turn on
      DNSSEC signing on the zones used in finding the services. Using
      DNS this way, bindings of keys to domains are asserted by the
      entities that operate the DNS for that domain, not by external

      The DANE mechanisms provide flexibility in how the keying
      information is presented. DANE supports both Certificates and raw
      keys. Furthermore, the keys (raw or embedded in certificates) can be
      full keys or hashes of keys.
      The group will work on documenting the different approaches to use
      DANE keying, and the security implications of each. In addition
      the WG may develop a framework(s) to facilitate the lookup of "client"
      DANE records for authorization/authentication purposes.

      The group may also create documents that describe how protocol
      entities can discover and validate these bindings in the execution
      of specific applications. This work would be done in coordination
      with the IETF Working Groups responsible for the protocols.

      The group may in addition encourage interoperability testing and
      document the results of such testing.

Goals and Milestones:
  Done     - Advance DANE SRV document to IESG
  Done     - Advance DANE SMTP document to IESG
  Done     - Advance DANE OPENPGP document to IESG
  Aug 2015 - Advance DANE operational guidance/errata document to IESG
  Sep 2015 - Advance DANE SMIME document to IESG
  Dec 2015 - Advance DANE IPSEC document to IESG
  Dec 2015 - Advance DANE reverse binding (server to client) document to IESG
  Oct 2016 - Recharter or close down

Generated from PyHt script /wg/dane/charters.pyht. Latest update: 24 Oct 2012 16:51 GMT