Comcast has announced that it’s piloting outbound DANE with selected domains, as of the end of July 2017.
Back in 2015, Comcast added TLSA records for the ‘comcast.net’ domain so that external senders could authenticate the digital certificates presented by its MTAs; this pilot works in the other direction, with Comcast's outbound MTAs authenticating the certificates presented by the mail servers of the destination domains. The aim is to gain operational experience, with the plan being to eventually remove all restrictions and attempt DANE authentication for every destination domain.
DANE addresses one of the inherent weaknesses of relying on digital certificates issued by third-party Certificate Authorities (CAs) by allowing certificates to be cryptographically bound to DNS names. This is done by publishing TLSA records in a DNSSEC-signed zone, so that a connecting host can validate the certificate a server presents against the DNS record, with DNSSEC ensuring that the record itself is authentic.
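To make the TLSA check concrete, here is an added example (stdlib Python written for this post, not code from Comcast or from the Go6Lab guide) of the matching step an outbound MTA performs once it holds the DNSSEC-validated TLSA RRset for `_25._tcp.<mx-host>` and the certificate the destination server presented. It implements the RFC 6698 selector and matching-type rules for DANE-EE records; the certificate and TLSA records are constructed inline for the demo.

```python
import hashlib

def der_tlv(tag, body):
    """Encode one DER element with a minimal short- or long-form length."""
    n, nb = len(body), (len(body).bit_length() + 7) // 8
    head = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big")
    return head + body

def der_items(data):
    """Yield (tag, value, raw_tlv) for each definite-length DER element in data."""
    i = 0
    while i < len(data):
        start, tag, ln, i = i, data[i], data[i + 1], i + 2
        if ln & 0x80:                      # long form: low 7 bits count the length bytes
            ln, i = int.from_bytes(data[i:i + (ln & 0x7F)], "big"), i + (ln & 0x7F)
        yield tag, data[i:i + ln], data[start:i + ln]
        i += ln

def spki_of(cert_der):
    """Raw SubjectPublicKeyInfo TLV of a DER certificate (RFC 5280 field order)."""
    _, tbs, _ = next(der_items(next(der_items(cert_der))[1]))   # Certificate -> tbsCertificate
    fields = list(der_items(tbs))
    if fields[0][0] == 0xA0:               # drop the optional explicit [0] version
        fields = fields[1:]
    return fields[5][2]                    # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_matches(cert_der, rdata):
    """Match one presentation-form TLSA record (RFC 6698) against the leaf certificate. Only
    DANE-EE (usage 3) is handled: DANE-TA (2) needs a chain walk, PKIX 0/1 are not for SMTP (RFC 7672)."""
    usage, selector, mtype, *hexparts = rdata.split()
    if usage != "3":
        return False
    data = cert_der if selector == "0" else spki_of(cert_der)   # selector 0 = full cert, 1 = SPKI
    digest = {"0": lambda d: d, "1": lambda d: hashlib.sha256(d).digest(),
              "2": lambda d: hashlib.sha512(d).digest()}         # matching types (RFC 6698 2.1.3)
    return mtype in digest and digest[mtype](data) == bytes.fromhex("".join(hexparts))

def verify_mx(cert_der, tlsa_rrset):   # the MTA accepts the TLS session on any usable match
    return any(tlsa_matches(cert_der, rr) for rr in tlsa_rrset)

def toy_cert(pubkey):   # constructed DER blob in X.509 field order, not a real signed certificate
    seq = lambda *parts: der_tlv(0x30, b"".join(parts))
    spki = seq(seq(der_tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")), der_tlv(0x03, b"\x00" + pubkey))
    tbs = seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")), der_tlv(0x02, b"\x01"),   # version v3, serial
              seq(), seq(), seq(), seq(), spki)       # sigAlg, issuer, validity, subject (left empty)
    return seq(tbs, seq(), der_tlv(0x03, b"\x00"))    # plus signatureAlgorithm, signatureValue

CERT = toy_cert(bytes(range(256)))                               # constructed sample public key
GOOD_RR = "3 1 1 " + hashlib.sha256(spki_of(CERT)).hexdigest()   # what the destination zone should publish
STALE_RR = "3 1 1 " + "00" * 32      # left behind after a key rotation: must be rejected
```

Publishing a fresh TLSA record before rotating the key, and keeping the old one until the rotation is complete, is what keeps `verify_mx` from rejecting your own mail servers.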
This is a significant development from one of the major network operators, and one that should encourage increased deployment of both DANE and DNSSEC.
And if you’re interested in deploying DANE, then you’d be well advised to read our two-part guide on how we did it in the Go6Lab.