DANE has 4 modes of operation indexed 0-3, with mode 3, i.e. Domain-issued certificate,
allowing for self-signed certificates. Can this mode be used in a trustable manner? And if so, does that mean that traditional Certificate Authorities and their chain of trust can be made obsolete/redundant, while still relying on the chain of trust in DNSSEC?
My understanding is that it would, as long as a domain owner can prove ownership of a public key to their domain registrar/domain hosting service, in which case the domain registrar/domain hosting service will allow the domain owner to enable DANE in mode 3 by allowing the TLSA RR to be modified with, for example, a hash of the public key whose ownership by the domain owner the domain registrar just validated.
However, this assumes that the domain registrar/domain hosting service does authenticity/validity checks on DNS Resource Records (in this case particularly the TLSA RR) in much the same way a CA would validate ownership of a public key. Is this the case, or can a domain owner specify any data to populate their TLSA records regardless of ownership?
DANE can be used with self-signed certificates, and DNSSEC provides a PKI based on another hierarchy. Currently SMTP is the most practical use case for DANE TLSA records: as email doesn't care for CA-based PKI for backwards compatibility, DANE is the solution to declare TLS encryption mandatory, and also to define which certificates to accept, whether signed by a CA or not. However, it's better to use a valid, CA-signed certificate for many reasons:
The second paragraph has a misunderstanding: the registrar doesn't validate any of this. You are free to publish the fingerprints on DNS and the SMTP client (DANE enabled mail server) performs the validation.
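As an added illustration (not code from the question or the answer above), the following Python shows both sides of what the answer describes: the usage-3 TLSA record the domain owner publishes, and the match a DANE-enabled SMTP client performs against the certificate it is offered, with no registrar or CA involved. It assumes the caller already holds the DER bytes of the certificate and of its SubjectPublicKeyInfo (from an X.509 library in practice) and that the TLSA record came from a DNSSEC-validated answer; every input here is constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# RFC 6698 field values used here
USAGE_DANE_EE = 3                  # usage 3: match the end-entity cert, no PKIX chain
SEL_FULL_CERT, SEL_SPKI = 0, 1     # selector: whole certificate / SubjectPublicKeyInfo
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes

    def presentation(self) -> str:
        """Zone-file form, e.g. '3 1 1 <hex digest>'."""
        return f"{self.usage} {self.selector} {self.mtype} {self.data.hex()}"

    @classmethod
    def parse(cls, rdata: str) -> "TLSA":
        usage, selector, mtype, hexdata = rdata.split(None, 3)
        return cls(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))


def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> "bytes | None":
    """Bytes a TLSA record carries for the given selector / matching type (None if unsupported)."""
    selected = {SEL_FULL_CERT: cert_der, SEL_SPKI: spki_der}.get(selector)
    digests = {MATCH_SHA256: hashlib.sha256, MATCH_SHA512: hashlib.sha512}
    if selected is None or (mtype != MATCH_EXACT and mtype not in digests):
        return None
    return selected if mtype == MATCH_EXACT else digests[mtype](selected).digest()


def make_dane_ee_record(cert_der: bytes, spki_der: bytes) -> TLSA:
    """What the domain owner publishes. '3 1 1' pins the SPKI hash, so a self-signed
    certificate suffices and the cert can be re-issued for the same key without a DNS change."""
    return TLSA(USAGE_DANE_EE, SEL_SPKI, MATCH_SHA256,
                association_data(SEL_SPKI, MATCH_SHA256, cert_der, spki_der))


def dane_ee_matches(record: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """What the DANE-enabled SMTP client does: recompute and compare; no CA is consulted.
    Assumption: the record came from a DNSSEC-validated (AD bit) answer; an unsigned or
    bogus answer must be treated as 'no TLSA record' and never fed in here."""
    if record.usage != USAGE_DANE_EE:
        return False  # usages 0-2 additionally require PKIX validation, not handled here
    expected = association_data(record.selector, record.mtype, cert_der, spki_der)
    return expected is not None and hmac.compare_digest(expected, record.data)
```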