Establishing DANE TLSA Deployment Levels Among Swedish Second Level Domains

University essay from Högskolan i Skövde/Institutionen för informationsteknologi

Author: Rikard Sandelin; [2017]

Keywords: DNS; DNSSEC; DANE; Deployment;

Abstract: DNS-Based Authentication of Named Entities (DANE) is an Internet Engineering Task Force (IETF) standard released in 2012, intended to complement, or in some cases replace, the current Public Key Infrastructure (PKI) model. In the current PKI model, Transport Layer Security (TLS) certificates issued by Certificate Authorities (CAs) bind domain names to public keys, and the CAs act as trust anchors during certificate validation. Web browsers and other TLS-capable applications ship with large lists of trusted CA public keys; if any one of these trusted CAs is compromised, the whole system is compromised. DANE uses the Domain Name System (DNS) to publish TLS certificate information and to associate certificates with domain names, relying on DNS Security Extensions (DNSSEC) for authentication and message integrity. By using the DNS root as a single trust anchor instead of the many CA trust anchors, the attack surface is drastically reduced.

In this study a quantitative survey among DNSSEC-signed Swedish Second Level Domains (SLDs) is performed, with the aim of establishing the DANE TLSA deployment level among the SLDs in the Top Level Domain (TLD) .se.

The results show that 686 471 of the Swedish SLDs have been DNSSEC signed, approximately 49% of all Swedish SLDs. The number of domains that have deployed DANE is very low: only 79 SLDs were found to have DANE TLSA resource records in DNS. The total number of DANE TLSA resource records found was 175, and the most common service used with DANE TLSA was HTTPS on port 443, accounting for 62% of all DANE TLSA resource records found. The most common certificate usage field setting was 3 (DANE-EE, domain-issued certificate).
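The abstract tabulates TLSA records by service port and by certificate usage field, and describes DANE as binding certificate data to a name under DNSSEC. The following Python example (added here; it is not code from the essay and does not use its data) parses TLSA records in RFC 6698 presentation format, produces the same kind of per-domain, per-port and per-usage counts the survey reports, and checks a certificate association against a record for the selectors and matching types the standard defines. The zone lines, certificate bytes and SubjectPublicKeyInfo bytes are constructed placeholders, not real DER data, so the hashes are computed from them at load time rather than typed in.

```python
"""Added example: TLSA record parsing, survey-style tabulation, and the
RFC 6698 certificate association check. Sample data below is constructed."""
from __future__ import annotations

import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass

# Certificate usage acronyms from RFC 7218.
USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}

# Constructed stand-ins for DER-encoded certificate and SPKI bytes (not real).
FAKE_CERT = b"constructed DER certificate bytes for www.example.se"
FAKE_SPKI = b"constructed SubjectPublicKeyInfo bytes for www.example.se"

# Constructed zone excerpt in presentation format: owner IN TLSA usage selector mtype hex.
SAMPLE_ZONE = f"""
_443._tcp.www.example.se.  IN TLSA 3 1 1 {hashlib.sha256(FAKE_SPKI).hexdigest()}
_25._tcp.mail.example.se.  IN TLSA 3 0 1 {hashlib.sha256(FAKE_CERT).hexdigest()}
_443._tcp.shop.example.se. IN TLSA 1 1 1 {hashlib.sha256(b"some other key").hexdigest()}
_443._tcp.shop.example.se. IN TLSA 3 1 2 {hashlib.sha512(FAKE_SPKI).hexdigest()}
"""


@dataclass(frozen=True)
class TLSARecord:
    domain: str      # host the record protects, taken from the owner name
    port: int        # from the _443 / _25 label
    proto: str       # from the _tcp / _udp label
    usage: int       # 0..3, see USAGE_NAMES
    selector: int    # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int       # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes      # certificate association data


def parse_tlsa(text: str) -> list[TLSARecord]:
    """Parse lines of the form '_443._tcp.host. IN TLSA u s m <hex>'.
    Lines without a TLSA type field are skipped; TTLs are not handled."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[2].upper() != "TLSA":
            continue
        port_label, proto_label, *host = fields[0].rstrip(".").split(".")
        usage, selector, mtype = (int(x) for x in fields[3:6])
        data = bytes.fromhex("".join(fields[6:]))  # hex may be space-separated
        records.append(TLSARecord(".".join(host), int(port_label[1:]),
                                  proto_label[1:], usage, selector, mtype, data))
    return records


def summarize(records: list[TLSARecord]) -> dict:
    """Counts in the shape the survey reports: total records, distinct
    domains, records per service port, and records per certificate usage."""
    return {
        "total": len(records),
        "domains": len({r.domain for r in records}),
        "by_port": Counter(r.port for r in records),
        "by_usage": Counter(USAGE_NAMES.get(r.usage, f"usage-{r.usage}")
                            for r in records),
    }


def association_data(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Derive what the record's data field must equal for this certificate."""
    selected = cert_der if record.selector == 0 else spki_der
    if record.mtype == 0:
        return selected
    if record.mtype == 1:
        return hashlib.sha256(selected).digest()
    if record.mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {record.mtype}")


def matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """RFC 6698 association check only. For usage 0 and 1 the certificate
    must additionally pass normal PKIX chain validation, which this
    function does not perform; usage 3 (DANE-EE) needs no CA at all."""
    return hmac.compare_digest(association_data(record, cert_der, spki_der), record.data)


if __name__ == "__main__":
    recs = parse_tlsa(SAMPLE_ZONE)
    stats = summarize(recs)
    print(stats)
    https_share = 100 * stats["by_port"][443] / stats["total"]
    print(f"HTTPS share of TLSA records: {https_share:.0f}%")
    for r in recs:
        print(r.domain, r.port, USAGE_NAMES[r.usage], matches(r, FAKE_CERT, FAKE_SPKI))
```

The check uses a constant-time comparison and treats usage values 0 and 1 exactly like 2 and 3 at the association level; a real validator has to add PKIX chain validation for the PKIX-* usages and, for usage 2, walk the presented chain to find the trust-anchor certificate, which this example does not attempt.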
