Deploy360 Domain Name System Security Extensions (DNSSEC) Improving Technical Security

Using DNSSEC to improve S/MIME security

RFC 8162 “Using Secure DNS to Associate Certificates with Domain Names for S/MIME” was published a couple of months ago. This seems to have gone a bit unnoticed, but defines an experimental protocol for verifying digital certificates associated with S/MIME messages in a similar manner to what DANE does for TLS.

S/MIME encoded messages often contain a digital certificate that authenticates the sender of the message and can be used for encrypting replies. However, in order for the receiver of the message to verify that the certificate belongs to the sender, their mail user agent also needs to be able to validate the trust anchor from where the certificate is derived. Trust anchors are often distributed with operating systems or are installed by users, but this relies on the integrity of these processes and the third-parties issuing the trust anchor.

RFC 8162 therefore defines a new DNS Resource Record (RR) type called SMIMEA that can be used by a domain owner to associate a certificate or public key with an e-mail address, thereby forming an SMIMEA certificate association. This association may be an end entity, intermediate or trust anchor certificate, and allows an application or service to lookup and verify a certificate or public key in the DNS.

Of course, a DNS zone containing SMIMEA records also needs to be DNSSEC-signed, and the DNS response should be correctly validated. All the more reason to be deploying DNSSEC, so please check out our Start Here page to find out how to get started!