DANE (DNS-Based Authentication of Named Entities)

DANE is a security protocol (RFC 6698) that uses [[dnssec|DNSSEC]]-signed TLSA DNS records to bind cryptographic certificates to domain names, providing an alternative or supplement to the traditional certificate authority (CA) trust model. With DANE, a domain administrator publishes a TLSA record specifying which [[ssl-tls|TLS certificate]] or CA is authorized for their domain. Mail servers and clients that support DANE can then verify that a server's certificate matches the TLSA record, dramatically reducing the risk of attacks enabled by misissued CA certificates. DANE requires DNSSEC to be deployed end-to-end, as TLSA records without DNSSEC signatures can be forged.

Example

An email server publishes a TLSA record for _25._tcp.mail.example.com specifying its exact certificate fingerprint, so other mail servers can verify the TLS connection without relying solely on CAs.
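The bind-and-verify step described above, worked through as an added example (not code from the original page): the administrator side derives the TLSA association data from the certificate and publishes it, and the client side parses the record a validating resolver returned and matches the presented certificate against it. The certificate and SubjectPublicKeyInfo bytes are constructed stand-ins, not real DER.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for the DER bytes of a server certificate and its
# SubjectPublicKeyInfo; in practice these come from the TLS handshake.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed certificate for mail.example.com"
SAMPLE_SPKI_DER = b"\x30\x59constructed SubjectPublicKeyInfo for mail.example.com"

@dataclass(frozen=True)
class TLSARecord:
    usage: int          # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int       # 0 full certificate, 1 SubjectPublicKeyInfo
    matching_type: int  # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes         # certificate association data

def tlsa_owner_name(port: int, proto: str, host: str) -> str:
    """Owner name of the record, e.g. _25._tcp.mail.example.com for SMTP."""
    return f"_{port}._{proto}.{host}"

def association_data(selector: int, matching_type: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive what a certificate yields for a given selector and matching type."""
    selected = {0: cert_der, 1: spki_der}[selector]
    if matching_type == 0:
        return selected
    if matching_type == 1:
        return hashlib.sha256(selected).digest()
    if matching_type == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {matching_type}")

def publish_tlsa(usage: int, selector: int, matching_type: int, cert_der: bytes, spki_der: bytes) -> str:
    """Presentation-format record the administrator publishes in the DNSSEC-signed zone."""
    data = association_data(selector, matching_type, cert_der, spki_der)
    return f"{usage} {selector} {matching_type} {data.hex()}"

def parse_tlsa(presentation: str) -> TLSARecord:
    """Parse '<usage> <selector> <matching type> <hex data>' as a validating resolver returns it."""
    usage, selector, matching_type, *hex_parts = presentation.split()
    return TLSARecord(int(usage), int(selector), int(matching_type), bytes.fromhex("".join(hex_parts)))

def end_entity_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Match the server's end-entity certificate against a usage 1 or 3 record.
    Usage 3 (DANE-EE) needs no CA validation; usage 1 (PKIX-EE) also requires
    ordinary PKIX validation. Usage 0/2 describe a CA in the chain and are not handled here."""
    if record.usage not in (1, 3):
        raise ValueError(f"usage {record.usage} must be matched against a chain certificate")
    expected = association_data(record.selector, record.matching_type, cert_der, spki_der)
    return hmac.compare_digest(expected, record.data)
```

A client must only trust the parsed record when the resolver reports it as DNSSEC-validated; an unsigned TLSA answer gives no assurance, as the text notes.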