Microsoft will add DNSSEC and DNS-based Authentication of Named Entities (DANE) to its email systems by the end of the year, the software giant has announced. That’ll be a big thumbs up for the pair of internet security technologies.
“Today we are announcing that Exchange Online will be adding support for two new Internet standards specific to SMTP traffic. These standards are DNSSEC (Domain Name System Security Extensions) and DANE for SMTP (DNS-based Authentication of Named Entities),” announced a Redmond blog post.
The DANE protocol has been around for years. The German government mandated its use in 2016, for instance. However, take-up has been slow, much as the related DNSSEC protocol has taken a long time to take hold, and much as IPv6 adoption is still lagging.
Implementing the protocol requires a significant investment of time and effort, not least because misconfigurations can cause it to fail. Microsoft noted that adding DANE “will require investment and architecture changes to the Microsoft infrastructure.” It has decided it is worth it though, largely because existing protocols aren’t sufficiently secure. The ubiquitous SMTP email protocol “was designed a long time ago, when message delivery was considered more important than security,” its post notes.
SMTP is not secure, and while SMTP over TLS offers additional security through encryption, it is still potentially vulnerable: a miscreant on the network path can insert a server between you and the SMTP server you wish to reach, with this in-between machine masquerading as the legit service. This man-in-the-middle attack effectively strips out the encryption, and allows the content of messages to be snooped on as they flow from you, through the middle box, to the desired destination.
DANE, however, allows email systems to authenticate other SMTP gateways before sending any message data, by using TLSA DNS resource records. These records let a sender verify that the TLS certificate presented by a server is legit. If someone tries to man-in-the-middle your connection by impersonating an SMTP server, the malicious certificate won't match the TLSA records published under the server's domain name, which specify what a legit cert should look like, and so the connection can be aborted.
Here’s Microsoft’s explanation: “DANE uses the presence of DNS TLSA resource records to securely signal TLS support to ensure sending servers can successfully authenticate legitimate receiving email servers. This makes the secure connection resistant to downgrade and MITM attacks.”
In short, it authenticates the server at the far end of the encrypted SMTP connection rather than merely encrypting the traffic, and Microsoft will be adding it to Office 365 Exchange Online.
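To make the mechanism concrete, here is an added example (not code from the article, Microsoft or Exchange Online) of the decision a sending mail server makes once it has fetched a domain's TLSA records: if the records were DNSSEC-validated, TLS becomes mandatory and the presented certificate chain must match one of them; if they are absent or unsigned, the sender falls back to opportunistic TLS. It assumes the caller has already done the DNSSEC-validating lookup and has each certificate's DER bytes and SubjectPublicKeyInfo extracted; the certificate bytes and the record below are constructed stand-ins, not real certificates. The usage, selector and matching-type values follow the TLSA record format (RFC 6698) as applied to SMTP (RFC 7672).

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

# Added example, not Exchange Online's code. Sample certificates below are constructed.


@dataclass(frozen=True)
class TLSARecord:
    usage: int      # 2 = DANE-TA, 3 = DANE-EE (the two usages RFC 7672 allows for SMTP)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching: int   # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def parse_tlsa_rdata(rdata: str) -> TLSARecord:
    """Parse presentation-format TLSA rdata such as '3 1 1 <hex digest>'."""
    usage, selector, matching, *hex_parts = rdata.split()
    return TLSARecord(int(usage), int(selector), int(matching),
                      bytes.fromhex("".join(hex_parts)))


@dataclass(frozen=True)
class Cert:
    der: bytes   # whole certificate, DER-encoded (assumed extracted by the TLS library)
    spki: bytes  # DER SubjectPublicKeyInfo taken from that certificate


def association_data(record: TLSARecord, cert: Cert) -> Optional[bytes]:
    """Compute what the record's data field should contain for this certificate."""
    subject = {0: cert.der, 1: cert.spki}.get(record.selector)
    if subject is None:
        return None
    if record.matching == 0:
        return subject
    if record.matching == 1:
        return hashlib.sha256(subject).digest()
    if record.matching == 2:
        return hashlib.sha512(subject).digest()
    return None


def tlsa_matches(record: TLSARecord, chain: List[Cert]) -> bool:
    """True if the TLSA record authenticates the presented chain (leaf first)."""
    if record.usage == 3:
        candidates = chain[:1]      # DANE-EE: only the end-entity certificate counts
    elif record.usage == 2:
        candidates = chain[1:]      # DANE-TA: an issuer in the chain must match
                                    # (path validation up to that issuer omitted here)
    else:
        return False                # PKIX-TA/PKIX-EE usages are not used for SMTP
    for cert in candidates:
        expected = association_data(record, cert)
        if expected is not None and hmac.compare_digest(expected, record.data):
            return True
    return False


def transport_policy(records: List[TLSARecord], dnssec_validated: bool) -> str:
    """Downgrade resistance: a DNSSEC-validated, usable TLSA record makes
    authenticated TLS mandatory; anything else is opportunistic TLS."""
    usable = [r for r in records
              if r.usage in (2, 3) and r.selector in (0, 1) and r.matching in (0, 1, 2)]
    return "dane-mandatory" if dnssec_validated and usable else "opportunistic"


def accept_session(records: List[TLSARecord], dnssec_validated: bool,
                   chain: List[Cert]) -> bool:
    """Final decision for one SMTP session to an MX host."""
    if transport_policy(records, dnssec_validated) == "opportunistic":
        return True                 # no authenticated policy; TLS is used if offered
    # DANE is mandatory: abort unless at least one record matches the chain
    return any(tlsa_matches(r, chain) for r in records)


# --- constructed sample data (not real DER) ---------------------------------
LEGIT_LEAF = Cert(der=b"constructed-leaf-cert-der", spki=b"constructed-leaf-spki")
LEGIT_ISSUER = Cert(der=b"constructed-issuer-cert-der", spki=b"constructed-issuer-spki")
LEGIT_CHAIN = [LEGIT_LEAF, LEGIT_ISSUER]

# The record the domain owner publishes at _25._tcp.<mx-host>: "3 1 1 <sha256 of leaf SPKI>"
PUBLISHED_TLSA = parse_tlsa_rdata("3 1 1 " + hashlib.sha256(LEGIT_LEAF.spki).hexdigest())

# A middle box impersonating the MX presents its own certificate for the same name
MITM_CHAIN = [Cert(der=b"constructed-mitm-cert-der", spki=b"constructed-mitm-spki"),
              Cert(der=b"constructed-mitm-issuer-der", spki=b"constructed-mitm-issuer-spki")]

if __name__ == "__main__":
    print("legit MX accepted:", accept_session([PUBLISHED_TLSA], True, LEGIT_CHAIN))
    print("MITM cert accepted:", accept_session([PUBLISHED_TLSA], True, MITM_CHAIN))
    print("unsigned zone policy:", transport_policy([PUBLISHED_TLSA], False))
```

The two points the example makes are the ones the article describes: with a validated TLSA record a non-matching certificate aborts delivery, and a domain without DNSSEC gets no DANE protection at all, which is why signing the zone is a precondition rather than an optional extra.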
Highlighting the difficulty of rolling out DANE across a large system however, the Windows giant will be rolling it out in two phases. The first phase, to be completed by the end of 2020, will cover outbound email, and then the IT titan is giving itself another year, the end of 2021, to cover inbound email.
The announcement was met with something bordering on joy by DANE advocates. "Welcome to the DANE SMTP community, congratulations and thanks!" commented Viktor Dukhovni, one of the originators of the protocol, who started work on it back in 2013 and has been pushing for its adoption for years.
“If this comes to pass, we’ll all owe Viktor a beer,” commented internet veteran Paul Vixie. “I can’t easily describe what this could mean for the future of internet security. Real lived security, not the theatrical kind. Viktor had been almost like a one man band on this.”
Although there are quite a few email providers that offer DANE – Comcast perhaps being the largest – the addition of Microsoft to the list could prove to be a tipping point for the industry. But, as ever, with DNS protocols, it is a slow-moving process because there’s little point in adopting a new protocol until everyone else has – a chicken-and-egg situation.
DANE rides on top of DNSSEC and requires domains to be DNSSEC-signed in order to work. Fortunately more and more domains are DNSSEC-signed, but the problem then becomes deciding what to do with emails to and from domains that aren't signed. And then there are the endless misconfigurations that exist everywhere on the network.
With a giant like Microsoft saying it will adopt DANE, it provides an impetus to others to also take the jump and sign their domains as well as check their configurations. ®