[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 RFC 6698

Network Working Group                                         P. Hoffman
Internet-Draft                                            VPN Consortium
Intended status: Standards Track                             J. Schlyter
Expires: September 1, 2012                                      Kirei AB
                                                       February 29, 2012


   The DNS-Based Authentication of Named Entities (DANE) Protocol for
                     Transport Layer Security (TLS)
                      draft-ietf-dane-protocol-17

Abstract

   Encrypted communication on the Internet often uses Transport Level
   Security (TLS), which depends on third parties to certify the keys
   used.  This document improves on that situation by enabling the
   administrator of a domain name to certify the keys used in that
   domain's TLS servers.  This requires matching improvements in TLS
   client software, but no change in TLS server software.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 1, 2012.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must



Hoffman & Schlyter      Expires September 1, 2012               [Page 1]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
     1.1.  Background of the Problem  . . . . . . . . . . . . . . . .  4
     1.2.  Securing the Association with a Server's Certificate . . .  5
     1.3.  Method For Securing Certificate Associations . . . . . . .  6
     1.4.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  6
   2.  The TLSA Resource Record . . . . . . . . . . . . . . . . . . .  7
     2.1.  TLSA RDATA Wire Format . . . . . . . . . . . . . . . . . .  7
       2.1.1.  The Certificate Usage Field  . . . . . . . . . . . . .  7
       2.1.2.  The Selector Field . . . . . . . . . . . . . . . . . .  8
       2.1.3.  The Matching Type Field  . . . . . . . . . . . . . . .  9
       2.1.4.  The Certificate Association Data Field . . . . . . . .  9
     2.2.  TLSA RR Presentation Format  . . . . . . . . . . . . . . .  9
     2.3.  TLSA RR Examples . . . . . . . . . . . . . . . . . . . . . 10
   3.  Domain Names for TLS Certificate Associations  . . . . . . . . 10
   4.  Use of TLSA Records in TLS . . . . . . . . . . . . . . . . . . 11
   5.  TLSA and DANE Use Cases and Requirements . . . . . . . . . . . 12
   6.  Mandatory-to-Implement Features  . . . . . . . . . . . . . . . 14
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 14
     7.1.  TLSA RRtype  . . . . . . . . . . . . . . . . . . . . . . . 14
     7.2.  TLSA Usages  . . . . . . . . . . . . . . . . . . . . . . . 15
     7.3.  TLSA Selectors . . . . . . . . . . . . . . . . . . . . . . 15
     7.4.  TLSA Matching Types  . . . . . . . . . . . . . . . . . . . 15
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 16
     8.1.  DNS Caching  . . . . . . . . . . . . . . . . . . . . . . . 17
   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 18
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18
     10.1. Normative References . . . . . . . . . . . . . . . . . . . 18
     10.2. Informative References . . . . . . . . . . . . . . . . . . 19
   Appendix A.  Operational Considerations for Deploying TLSA
                Records . . . . . . . . . . . . . . . . . . . . . . . 20
     A.1.  Creating TLSA Records  . . . . . . . . . . . . . . . . . . 20
       A.1.1.  Ambiguities and Corner Cases When TLS Clients
               Build Trust Chains . . . . . . . . . . . . . . . . . . 20
       A.1.2.  Choosing a Selector Type . . . . . . . . . . . . . . . 21
     A.2.  Provisioning TLSA Records in DNS . . . . . . . . . . . . . 22
       A.2.1.  Provisioning TLSA Records with Aliases . . . . . . . . 22
     A.3.  Securing the Last Hop  . . . . . . . . . . . . . . . . . . 24
     A.4.  Handling Certificate Rollover  . . . . . . . . . . . . . . 25
   Appendix B.  Pseudocode for Using TLSA . . . . . . . . . . . . . . 26
     B.1.  Helper Functions . . . . . . . . . . . . . . . . . . . . . 26
     B.2.  Main TLSA Pseudo Code  . . . . . . . . . . . . . . . . . . 27



Hoffman & Schlyter      Expires September 1, 2012               [Page 2]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   Appendix C.  Examples  . . . . . . . . . . . . . . . . . . . . . . 29
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 31

















































Hoffman & Schlyter      Expires September 1, 2012               [Page 3]

Internet-Draft           DNS-Based Auth for TLS            February 2012


1.  Introduction

1.1.  Background of the Problem

   Applications that communicate over the Internet often need to prevent
   eavesdropping, tampering, or forgery of their communications.  The
   Transport Layer Security (TLS) protocol provides this kind of
   communications privacy over the Internet, using encryption.

   The security properties of encryption systems depend strongly on the
   keys that they use.  If secret keys are revealed, or if published
   keys can be replaced by bogus keys, these systems provide little or
   no security.

   TLS uses certificates to protect keys.  A certificate combines a
   published key with other information such as the name of the service
   that the key is used by, and this combination is digitally signed by
   another key.  Having a certificate for a key is only helpful if you
   trust the other key that signed the certificate.  If that other key
   was itself revealed or substituted, then its signature is worthless
   in proving anything about the first key.

   On the Internet, this problem has been solved for years by entities
   called "Certification Authorities" (CAs).  CAs protect their secret
   key vigorously, while supplying their public key to the software
   vendors who build TLS clients.  They then sign certificates, and
   supply those to TLS servers.  TLS client software uses a set of these
   CA keys as "trust anchors" to validate the signatures on certificates
   that the client receives from TLS servers.  Client software typically
   allows any CA to usefully sign any other certificate.

   This solution has gradually broken down because some CAs have become
   untrustworthy.  A single trusted CA that betrays its trust, either
   voluntarily or by providing less-than-vigorous protection for its
   secrets and capabilities, can compromise any other certificate that
   TLS uses by signing a replacement certificate that contains a bogus
   key.  Several real-world occurrances that have exploited such CAs for
   subversion of major web sites (presumably to abet wiretapping and
   large-scale fraud) have brought TLS's CA model into disrepute.

   The DNS Security Extensions (DNSSEC) provides a similar model that
   involves trusted keys signing the information for untrusted keys.
   However, DNSSEC provides three significant improvements.  Keys are
   tied to names in the Domain Name System (DNS), rather than to
   arbitrary identifying strings; this is more convenient for Internet
   protocols.  Signed keys for any domain are accessible online through
   a straightforward query using the standard DNSSEC protocol, so there
   is no problem distributing the signed keys.  Most significantly, the



Hoffman & Schlyter      Expires September 1, 2012               [Page 4]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   keys associated with a domain name can only be signed by a key
   associated with the parent of that domain name; for example, the keys
   for "example.com" can only be signed by the keys for "com", and the
   keys for "com" can only be signed by the DNS root.  This prevents an
   untrustworthy signer from compromising anyone's keys except those in
   their own subdomains.  Like TLS, DNSSEC relies on public keys that
   come built into the DNSSEC client software, but these keys come only
   from a single root domain rather than from a multiplicity of CAs.

1.2.  Securing the Association with a Server's Certificate

   A TLS client begins a connection by exchanging messages with a TLS
   server.  It looks up the server's name using the DNS to get Internet
   Protocol (IP) address associated with the name.  It then begins a
   connection to a client-chosen port at that address, and sends an
   initial message there.  However, the client does not yet know whether
   an adversary is intercepting and/or altering its communication before
   it reaches the TLS server.  It does not even know whether the real
   TLS server associated with that domain name has ever received its
   initial messages.

   The first response from the server in TLS may contain a certificate.
   In order for the TLS client to authenticate that it is talking to the
   expected TLS server, the client must validate that this certificate
   is associated with the domain name used by the client to get to the
   server.  Currently, the client must extract the domain name from the
   certificate and must successfully validate the certificate, including
   chaining to a trust anchor.

   There is a different way to authenticate the association of the
   server's certificate with the intended domain name without trusting
   an external CA.  Given that the DNS administrator for a domain name
   is authorized to give identifying information about the zone, it
   makes sense to allow that administrator to also make an authoritative
   binding between the domain name and a certificate that might be used
   by a host at that domain name.  The easiest way to do this is to use
   the DNS, securing the binding with DNSSEC.

   There are many use cases for such functionality.  [RFC6394] lists the
   ones that the DNS RRtype in this document are meant to apply.
   [RFC6394] also lists many requirements, most of which this document
   is believed to meet.  Section 5 covers the applicability of this
   document to the use cases in detail.

   This document applies to both TLS [RFC5246] and DTLS [RFC6347].  In
   order to make the document more readable, it mostly only talks about
   "TLS", but in all cases, it means "TLS or DTLS".  This document only
   relates to securely associating certificates for TLS and DTLS with



Hoffman & Schlyter      Expires September 1, 2012               [Page 5]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   host names; other security protocols and other forms of
   identification of TLS servers (such as IP addresses) are handled in
   other documents.  For example, keys for IPsec are covered in
   [RFC4025] and keys for SSH are covered in [RFC4255].

1.3.  Method For Securing Certificate Associations

   A certificate association is formed from a piece of information
   identifying a certificate (such as the contents of the certificate or
   a trust anchor to which the certificate chains) and the domain name
   where the data is found.  This document only applies to PKIX
   [RFC5280] certificates, not certificates of other formats.

   A DNS query can return multiple certificate associations, such as in
   the case of different server software on a single host using
   different certificates, or in the case that a server is changing from
   one certificate to another.

   This document defines a secure method to associate the certificate
   that is obtained from the TLS server with a domain name using DNS;
   the DNS information needs to be be protected by DNSSEC.  Because the
   certificate association was retrieved based on a DNS query, the
   domain name in the query is by definition associated with the
   certificate.

   DNSSEC, which is defined in RFCs 4033, 4034, and 4035 ([RFC4033],
   [RFC4034], and [RFC4035]), uses cryptographic keys and digital
   signatures to provide authentication of DNS data.  Information that
   is retrieved from the DNS and that is validated using DNSSEC is
   thereby proved to be the authoritative data.  The DNSSEC signature
   MUST be validated on all responses that use DNSSEC in order to assure
   the proof of origin of the data.  This document does not specify how
   DNSSEC validation occurs because there are many different proposals
   for how a client might get validated DNSSEC results.

   This document only relates to securely getting the DNS information
   for the certificate association using DNSSEC; other secure DNS
   mechanisms are out of scope.

1.4.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   This document also makes use of standard PKIX, DNSSEC, and TLS
   terminology.  See [RFC5280], [RFC4033], and [RFC5246] respectively,
   for these terms.  In addition, terms related to TLS-protected



Hoffman & Schlyter      Expires September 1, 2012               [Page 6]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   application services and DNS names are taken from [RFC6125].


2.  The TLSA Resource Record

   The TLSA DNS resource record (RR) is used to associate a certificate
   with the domain name where the record is found.  The semantics of how
   the TLSA RR is interpreted are given later in this document.

   The type value for the TLSA RR type is TBD.

   The TLSA RR is class independent.

   The TLSA RR has no special TTL requirements.

2.1.  TLSA RDATA Wire Format

   The RDATA for a TLSA RR consists of a one octet usage type field, a
   one octet selector field, a one octet matching type field and the
   certificate association data field.

                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Usage     |   Selector    | Matching Type |               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+               /
   /                                                               /
   /                 Certificate Association Data                  /
   /                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2.1.1.  The Certificate Usage Field

   A one-octet value, called "certificate usage" or just "usage",
   specifying the provided association that will be used to match the
   target certificate from the TLS handshake.  This value is defined in
   a new IANA registry (see Section 7.2) in order to make it easier to
   add additional certificate usages in the future.  The usages defined
   in this document are:

      0 -- Certificate usage 0 is used to specify a CA certificate, or
      the public key of such a certificate, that must be found in any of
      the PKIX certification paths for the end entity certificate given
      by the server in TLS.  This usage is sometimes referred to as "CA
      constraint" because it limits which CA can be used to issue
      certificates for a given host name, port, and protocol.  The
      target certificate MUST pass PKIX certification path validation
      and a CA certificate that matches the TLSA record MUST be included



Hoffman & Schlyter      Expires September 1, 2012               [Page 7]

Internet-Draft           DNS-Based Auth for TLS            February 2012


      as part of a valid certification path.

      1 -- Certificate usage 1 is used to specify an end entity
      certificate, or the public key of such a certificate, that must be
      matched with the end entity certificate given by the server in
      TLS.  This usage is sometimes referred to as "service certificate
      constraint" because it limits which end entity certificate may be
      used by a given host name, port, and protocol.  The target
      certificate MUST pass PKIX certification path validation and MUST
      match the TLSA record.

      2 -- Certificate usage 2 is used to specify a certificate, or the
      public key of such a certificate, that must be used as a trust
      anchor when validating the end entity certificate given by the
      server in TLS.  This usage is sometimes referred to as "trust
      anchor assertion" and allows a domain name administrator to
      specify a new trust anchor, for example if the domain issues its
      own certificates under its own CA that is not expected to be in
      the end users' collection of trust anchors.  The target
      certificate MUST pass PKIX certification path validation, with any
      certificate matching the TLSA record considered to be a trust
      anchor for this certification path validation.

      3 -- Certificate usage 3 is used to specify a certificate, or the
      public key of such a certificate, that must match the end entity
      certificate given by the server in TLS.  This usage is sometimes
      referred to as "domain-issued certificate" because it allows for a
      domain name administrator to issue certificates for a domain
      without involving a third-party CA.  The target certificate MUST
      match the TLSA record.

   The certificate usages defined in this document explicitly only apply
   to PKIX-formatted certificates in DER encoding.  If TLS allows other
   formats later, or if extensions to this RRtype are made that accept
   other formats for certificates, those certificates will need their
   own certificate usage values.

2.1.2.  The Selector Field

   A one-octet value, called "selector", specifying which part of the
   TLS certificate presented by the server will be matched against the
   association data.  This value is defined in a new IANA registry (see
   Section 7.3.  The selectors defined in this document are:

      0 -- Full certificate

      1 -- SubjectPublicKeyInfo




Hoffman & Schlyter      Expires September 1, 2012               [Page 8]

Internet-Draft           DNS-Based Auth for TLS            February 2012


2.1.3.  The Matching Type Field

   A one-octet value, called "matching type", specifying how the
   certificate association is presented.  This value is defined in a new
   IANA registry (see Section 7.4).  The types defined in this document
   are:

      0 -- Exact match on selected content

      1 -- SHA-256 hash of selected content

      2 -- SHA-512 hash of selected content

   If the TLSA record's matching type is a hash, the record SHOULD use
   the same hash algorithm that was used in the signature in the
   certificate.  This will assist clients that support a small number of
   hash algorithms.

2.1.4.  The Certificate Association Data Field

   The "certificate association data" to be matched.  This field
   contains the data to be matched.  These bytes are either raw data
   (that is, the full certificate or its SubjectPublicKeyInfo, depending
   on the selector) for matching type 0, or the hash of the raw data for
   matching types 1 and 2.  The data refers to the certificate in the
   association, not to the TLS ASN.1 Certificate object.

2.2.  TLSA RR Presentation Format

   The presentation format of the RDATA portion is as follows:

   o  The certificate usage field MUST be represented as an unsigned
      decimal integer.

   o  The selector field MUST be represented as an unsigned decimal
      integer.

   o  The matching type field MUST be represented as an unsigned decimal
      integer.

   o  The certificate association data field MUST be represented as a
      string of hexadecimal characters.  Whitespace is allowed within
      the string of hexadecimal characters.








Hoffman & Schlyter      Expires September 1, 2012               [Page 9]

Internet-Draft           DNS-Based Auth for TLS            February 2012


2.3.  TLSA RR Examples

   An example of a hashed (SHA-256) association of a PKIX CA
   certificate:

   _443._tcp.www.example.com. IN TLSA (
      0 0 1 d2abde240d7cd3ee6b4b28c54df034b9
            7983a1d16e8a410e4561cb106618e971 )

   An example of a hashed (SHA-512) subject public key association of a
   PKIX end entity certificate:

   _443._tcp.www.example.com. IN TLSA (
      1 1 2 92003ba34942dc74152e2f2c408d29ec
            a5a520e7f2e06bb944f4dca346baf63c
            1b177615d466f6c4b71c216a50292bd5
            8c9ebdd2f74e38fe51ffd48c43326cbc )

   An example of a full certificate association of a PKIX end entity
   certificate:

   _443._tcp.www.example.com. IN TLSA (
      3 0 0 30820307308201efa003020102020... )


3.  Domain Names for TLS Certificate Associations

   Unless there is a protocol-specific specification that is different
   than this one, TLSA resource records are stored at a prefixed DNS
   domain name.  The prefix is prepared in the following manner:

   1.  The decimal representation of the port number on which a TLS-
       based service is assumed to exist is prepended with an underscore
       character ("_") to become the left-most label in the prepared
       domain name.  This number has no leading zeros.

   2.  The protocol name of the transport on which a TLS-based service
       is assumed to exist is prepended with an underscore character
       ("_") to become the second left-most label in the prepared domain
       name.  The transport names defined for this protocol are "tcp",
       "udp" and "sctp".

   3.  The domain name is appended to the result of step 2 to complete
       the prepared domain name.

   For example, to request a TLSA resource record for an HTTP server
   running TLS on port 443 at "www.example.com", you would use
   "_443._tcp.www.example.com" in the request.  To request a TLSA



Hoffman & Schlyter      Expires September 1, 2012              [Page 10]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   resource record for an SMTP server running the STARTTLS protocol on
   port 25 at "mail.example.com", you would use
   "_25._tcp.mail.example.com".


4.  Use of TLSA Records in TLS

   Section 2.1 of this document defines the mandatory matching rules for
   the data from the TLSA certificate associations and the certificates
   received from the TLS server.

   The TLS session that is to be set up MUST be for the specific port
   number and transport name that was given in the TLSA query.

   Some specifications for applications that run under TLS, such as
   [RFC2818] for HTTP, require the server's certificate to have a domain
   name that matches the host name expected by the client.  Some
   specifications such as [RFC6125] detail how to match the identity
   given in a PKIX certificate with those expected by the user.

   An implementation of this protocol makes a DNS query for TLSA records
   (or uses already-retrieved TLSA records if they are cached within
   their time to live value), validates these records using DNSSEC, and
   uses the resulting TLSA records and validation status to modify its
   responses to the TLS server.

   If a host is using TLSA usage type 2 for its certifcate, the
   corresponding TLS server SHOULD send the certificate that is
   referenced just like it currently sends intermediate certificates.

   Determining whether a TLSA RRset can be used depends on the DNSSEC
   validation state (as defined in [RFC4033]).

   o  A TLSA RRset whose DNSSEC validation state is secure MUST be used
      as a certificate association for TLS unless a local policy would
      prohibit the use of the specific certificate association in the
      secure TLSA RRset.

   o  If the DNSSEC validation state on the response to the request for
      the TLSA RRset is bogus, this MUST cause TLS not to be started or,
      if the TLS negotiation is already in progress, MUST cause the
      connection to be aborted.

   o  A TLSA RRset whose DNSSEC validation state is indeterminate or
      insecure cannot be used for TLS and MUST be considered unusable.

   Clients which validate the DNSSEC signatures themselves MUST use
   standard DNSSEC validation procedures.  Clients that rely on another



Hoffman & Schlyter      Expires September 1, 2012              [Page 11]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   entity to perform the DNSSEC signature validation MUST use a secure
   mechanism between themselves and the validator.  Examples of secure
   transports to other hosts include TSIG [RFC2845], SIG(0) [RFC2931],
   and IPsec [RFC6071].  Note that it is not sufficient to use secure
   transport to a DNS resolver that does not do DNSSEC signature
   validation.

   If a certificate association contains a certificate usage, selector,
   or matching type that is not understood by the TLS client, that
   certificate association MUST be considered unusable.  If the
   comparison data for a certificate is malformed, the certificate
   association MUST be considered unusable.

   If a certificate association contains a matching type or certificate
   association data that uses a cryptographic algorithm that is
   considered too weak for the TLS client's policy, the certificate
   association MUST be marked as unusable.

   If an application receives zero usable certificate associations, it
   processes TLS in the normal fashion without any input from the TLSA
   records.  If an application receives one or more usable certificate
   associations, it attempts to match each certificate association with
   the TLS server's end entity certificate until a successful match is
   found.


5.  TLSA and DANE Use Cases and Requirements

   The different types of certificate associations defined in TLSA are
   matched with various sections of [RFC6394].  The use cases from
   Section 3 of [RFC6394] are covered in this document as follows:

   3.1 CA Constraints  -- Implemented using certificate usage 0.

   3.2 Certificate Constraints  -- Implemented using certificate usage
      1.

   3.3 Trust Anchor Assertion and Domain-Issued Certificates  --
      Implemented using certificate usages 2 and 3, respectively.

   The requirements from Section 4 of [RFC6394] are covered in this
   document as follows:

   Multiple Ports  -- The TLSA records for different application
      services running on a single host can be distinguished through the
      service name and port number prefixed to the host name (see
      Section 3).




Hoffman & Schlyter      Expires September 1, 2012              [Page 12]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   No Downgrade  -- Section 4 specifies the conditions under which a
      client can process and act upon TLSA records.  Specifically, if
      the DNSSEC status for the TLSA resource record set is determined
      to be bogus, TLS is not attempted at all.

   Encapsulation  -- Covered in the TLSA response semantics.

   Predictability  -- The appendixes of this specification provide
      operational considerations and implementation guidance in order to
      enable application developers to form a consistent interpretation
      of the recommended DANE client behavior.

   Opportunistic Security  -- If a client conformant to this
      specification can reliably determine the presence of a TLSA
      record, it will attempt to use this information.  Conversely, if a
      client can reliably determine the absence of any TLSA record, it
      will fall back to processing TLS in the normal fashion.  This is
      discussed in Section 4.

   Combination  -- Multiple TLSA records can be published for a given
      host name, thus enabling the client to construct multiple TLSA
      certificate associations that reflect different DANE assertions.
      No support is provided to combine two TLSA certificate
      associations in a single operation.

   Roll-over  -- Section 4 states that applications must not cache TLSA
      records beyond their TTL expiration.  This ensures that clients
      will not latch onto assertions made by expired TLSA records, and
      will be able to transition between using one DANE mechanism to
      another.

   Simple Key Management  -- The SubjectPublicKeyInfo selector in the
      TLSA record provides a mode that enables a domain holder to only
      have to maintain a single long-lived public/private key pair
      without the need to manage certificates.  Appendix A outlines the
      usefulness and the potential downsides to using this mode.

   Minimal Dependencies  -- This specification relies on DNSSEC to
      protect the origin authenticity and integrity of the TLSA resource
      record set.  Additionally, if DNSSEC validation is not performed
      on the system that wishes to use TLSA certificate bindings, this
      specification requires that the "last mile" be over a secure
      transport.  There are no other deployment dependencies for this
      approach.







Hoffman & Schlyter      Expires September 1, 2012              [Page 13]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   Minimal Options  -- The operating modes map precisely to the DANE use
      cases and requirements.  DNSSEC use is mandatory in that this
      specification encourages applications to use TLSA records that are
      only shown to be validated.

   Wild Cards  -- Covered in a limited manner in the TLSA request
      syntax; see Appendix A.

   Redirection  -- Covered in the TLSA request syntax; see Appendix A.


6.  Mandatory-to-Implement Features

   A system creating TLSA records that conforms to this specification
   MUST be able to create TLSA records containing certificate usages 0,
   1, 2, and 3.  A system creating TLSA records that conforms to this
   specification MUST be able to create TLSA records with selectors 0
   (full certificate) and 1 (SubjectPublicKeyInfo).  A system creating
   TLSA records that conforms to this specification MUST be able to
   create TLSA records using matching type 0 (no hash used) and matching
   type 1 (SHA-256), and SHOULD be able to create TLSA records using
   matching type 2 (SHA-512).

   TLS clients conforming to this specification MUST be able to
   correctly interpret TLSA records with certificate usages 0, 1, 2, and
   3.  TLS clients conforming to this specification MUST be able to
   compare a certificate association with a certificate from the TLS
   handshake using selectors type 0 and 1, and matching type 0 (no hash
   used) and matching type 1 (SHA-256), and SHOULD be able to make such
   comparisons with matching type 2 (SHA-512).

   At the time this is written, it is expected that there will be a new
   family of hash algorithms called SHA-3 within the next few years.  It
   is expected that some of the SHA-3 algorithms will be mandatory
   and/or recommended for TLSA records after the algorithms are fully
   defined.  At that time, this specification will be updated.


7.  IANA Considerations

7.1.  TLSA RRtype

   This document uses a new DNS RR type, TLSA, whose value is TBD.  A
   separate request for the RR type will be submitted to the expert
   reviewer, and future versions of this document will have that value
   instead of TBD.

   In the following sections, "RFC Required" was chosen for TLSA usages



Hoffman & Schlyter      Expires September 1, 2012              [Page 14]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   and "Specification Required" for selectors and matching types because
   of the amount of detail that is likely to be needed for implementers
   to correctly implement new usages as compared to new selectors and
   matching types.

7.2.  TLSA Usages

   This document creates a new registry, "Certificate Usages for TLSA
   Resource Records".  The registry policy is "RFC Required".  The
   initial entries in the registry are:

   Value    Short description                       Reference
   ----------------------------------------------------------
   0        CA constraint                           [This]
   1        Service certificate constraint          [This]
   2        Trust anchor assertion                  [This]
   3        Domain-issued certificate                [This]
   4-254    Unassigned
   255      Private use

   Applications to the registry can request specific values that have
   yet to be assigned.

7.3.  TLSA Selectors

   This document creates a new registry, "Selectors for TLSA Resource
   Records".  The registry policy is "Specification Required".  The
   initial entries in the registry are:

   Value    Short description                       Reference
   ----------------------------------------------------------
   0        Full Certificate                        [This]
   1        SubjectPublicKeyInfo                    [This]
   2-254    Unassigned
   255      Private use

   Applications to the registry can request specific values that have
   yet to be assigned.

7.4.  TLSA Matching Types

   This document creates a new registry, "Matching Types for TLSA
   Resource Records".  The registry policy is "Specification Required".
   The initial entries in the registry are:







Hoffman & Schlyter      Expires September 1, 2012              [Page 15]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   Value    Short description    Reference
   ---------------------------------------------
   0        No hash used         [This]
   1        SHA-256              NIST FIPS 180-3
   2        SHA-512              NIST FIPS 180-3
   3-254    Unassigned
   255      Private use

   Applications to the registry can request specific values that have
   yet to be assigned.


8.  Security Considerations

   The security of the DNS RRtype described in this document relies on
   the security of DNSSEC as used by the client requesting A/AAAA and
   TLSA records.

   A DNS administrator who goes rogue and changes both the A/AAAA and
   TLSA records for a domain name can cause the user to go to an
   unauthorized server that will appear authorized, unless the client
   performs PKIX certification path validation and rejects the
   certificate.  That administrator could probably get a certificate
   issued anyway, so this is not an additional threat.

   If the authentication mechanism for adding or changing TLSA data in a
   zone is weaker than the authentication mechanism for changing the
   A/AAAA records, a man-in-the-middle who can redirect traffic to their
   site may be able to impersonate the attacked host in TLS if they can
   use the weaker authentication mechanism.  A better design for
   authenticating DNS would be to have the same level of authentication
   used for all DNS additions and changes for a particular owner name.

   SSL proxies can sometimes act as a man-in-the-middle for TLS clients.
   In these scenarios, the clients add a new trust anchor whose private
   key is kept on the SSL proxy; the proxy intercepts TLS requests,
   creates a new TLS session with the intended host, and sets up a TLS
   session with the client using a certificate that chains to the trust
   anchor installed in the client by the proxy.  In such environments,
   the using TLSA records will prevent the SSL proxy from functioning as
   expected because the TLS client will get a certificate association
   from the DNS that will not match the certificate that the SSL proxy
   uses with the client.  The client, seeing the proxy's new certificate
   for the supposed destination will not set up a TLS session.

   Client treatment of any information included in the certificate trust
   anchor is a matter of local policy.  This specification does not
   mandate that such information be inspected or validated by the domain



Hoffman & Schlyter      Expires September 1, 2012              [Page 16]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   name administrator.

   If a server's certificate is revoked, or if an intermediate CA in a
   chain between the end entity and a trust anchor has its certificate
   revoked, a TLSA record with a certificate type of 2 that matches the
   revoked certificate would in essence override the revocation because
   the client would treat that revoked certificate as a trust anchor and
   thus not check its revocation status.  Because of this, domain
   administrators need to be responsible for being sure that the key or
   certificate used in TLSA records with a certificate type of 2 are in
   fact able to be used as reliable trust anchors.

   Certificates that are delivered in TLSA with usage type 2
   fundamentally change the way the TLS server's end entity certificate
   is evaluated.  For example, the server's certificate might chain to
   an existing CA through an intermediate CA that has certain policy
   restrictions, and the certificate would not pass those restrictions
   and thus normally be rejected.  That intermediate CA could issue
   itself a new certificate without the policy restrictions and tell its
   customers to use that certificate with usage type 2.  This in essence
   allows an intermediate CA to be come a trust anchor for certificates
   that the end user might have expected to chain to an existing trust
   anchor.

   If an administrator wishes to stop using a TLSA record, the
   administrator can simply remove it from the DNS.  Normal clients will
   stop using the TLSA record after the TTL has expired.  Replay attacks
   against the TLSA record are not possible after the expiration date on
   the RRsig of the TLSA record that was removed.

8.1.  DNS Caching

   Implementations of this protocol rely heavily on the DNS, and are
   thus prone to security attacks based on the deliberate mis-
   association of TLSA records and DNS names.  Implementations need to
   be cautious in assuming the continuing validity of an TLSA records/
   DNS name association.

   In particular, implementations SHOULD rely on their DNS resolver for
   confirmation of an association between a TLSA record and a DNS name,
   rather than caching the result of previous domain name lookups.  Many
   platforms already can cache domain name lookups locally when
   appropriate, and they SHOULD be configured to do so.  It is proper
   for these lookups to be cached, however, only when the TTL (Time To
   Live) information reported by the DNS makes it likely that the cached
   information will remain useful.

   If implementations cache the results of domain name lookups in order



Hoffman & Schlyter      Expires September 1, 2012              [Page 17]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   to achieve a performance improvement, they MUST observe the TTL
   information reported by DNS.  Implementations that fail to follow
   this rule this rule could be spoofed when a previously-accessed
   server's TLSA record changes, such as during a certificate rollover.


9.  Acknowledgements

   Many of the ideas in this document have been discussed over many
   years.  More recently, the ideas have been discussed by the authors
   and others in a more focused fashion.  In particular, some of the
   ideas and words here originated with Paul Vixie, Dan Kaminsky, Jeff
   Hodges, Phill Hallam-Baker, Simon Josefsson, Warren Kumari, Adam
   Langley, Ben Laurie, Ilari Liusvaara, Ondrej Mikle, Scott Schmit,
   Ondrej Sury, Richard Barnes, Jim Schaad, Stephen Farrell, Suresh
   Krishnaswamy, Peter Palfrader, Pieter Lexis, Wouter Wijngaards and
   John Gilmore.

   This document has also been greatly helped by many active
   participants of the DANE Working Group.


10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements",
              RFC 4033, March 2005.

   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Resource Records for the DNS Security Extensions",
              RFC 4034, March 2005.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, March 2005.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.



Hoffman & Schlyter      Expires September 1, 2012              [Page 18]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
              Verification of Domain-Based Application Service Identity
              within Internet Public Key Infrastructure Using X.509
              (PKIX) Certificates in the Context of Transport Layer
              Security (TLS)", RFC 6125, March 2011.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", RFC 6347, January 2012.

10.2.  Informative References

   [RFC2782]  Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
              specifying the location of services (DNS SRV)", RFC 2782,
              February 2000.

   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

   [RFC2845]  Vixie, P., Gudmundsson, O., Eastlake, D., and B.
              Wellington, "Secret Key Transaction Authentication for DNS
              (TSIG)", RFC 2845, May 2000.

   [RFC2931]  Eastlake, D., "DNS Request and Transaction Signatures (
              SIG(0)s)", RFC 2931, September 2000.

   [RFC4025]  Richardson, M., "A Method for Storing IPsec Keying
              Material in DNS", RFC 4025, March 2005.

   [RFC4255]  Schlyter, J. and W. Griffin, "Using DNS to Securely
              Publish Secure Shell (SSH) Key Fingerprints", RFC 4255,
              January 2006.

   [RFC4641]  Kolkman, O. and R. Gieben, "DNSSEC Operational Practices",
              RFC 4641, September 2006.

   [RFC6066]  Eastlake, D., "Transport Layer Security (TLS) Extensions:
              Extension Definitions", RFC 6066, January 2011.

   [RFC6071]  Frankel, S. and S. Krishnan, "IP Security (IPsec) and
              Internet Key Exchange (IKE) Document Roadmap", RFC 6071,
              February 2011.

   [RFC6394]  Barnes, R., "Use Cases and Requirements for DNS-Based
              Authentication of Named Entities (DANE)", RFC 6394,
              October 2011.







Hoffman & Schlyter      Expires September 1, 2012              [Page 19]

Internet-Draft           DNS-Based Auth for TLS            February 2012


Appendix A.  Operational Considerations for Deploying TLSA Records

A.1.  Creating TLSA Records

   When creating TLSA records care must be taken to avoid
   misconfigurations.  Section 4 of this document states that a TLSA
   RRset whose validation state is secure MUST be used.  This means that
   the existence of such a RRset effectively disables other forms of
   name and path validation.  A misconfigured TLSA RRset will
   effectively disable access to the TLS server for all conforming
   clients, and this document does not provide any means of making a
   gradual transition to using TLSA.

   When creating TLSA records with certificate usage type 0 (CA
   Certificate) or type 2 (Trust Anchor), one needs to understand the
   implications when choosing between selector type 0 (full certificate)
   and 1 (SubjectPublicKeyInfo).  A careful choice is required because
   different methods for building trust chains are used by different TLS
   clients.  The following outlines the cases that one should be aware
   of and discusses the implications of the choice of selector type.

   Certificate usage 2 is not affected by the different types of chain
   building when the end entity certificate is the same as the trust
   anchor certificate.

A.1.1.  Ambiguities and Corner Cases When TLS Clients Build Trust Chains

   TLS clients may implement their own chain-building code rather than
   rely on the chain presented by the TLS server.  This means that,
   except for the end entity certificate, any certificate presented in
   the suggested chain might or might not be present in the final chain
   built by the client.

   Certificates that the client can use to replace certificates from
   original chain include:

   o  Client's trust anchors

   o  Certificates cached locally

   o  Certificates retrieved from a URI listed in an Authority
      Information Access X.509v3 extension

   CAs frequently reissue certificates with different validity period,
   signature algorithm (such as an different hash algorithm in the
   signature algorithm), CA key pair (such as for a cross-certificate),
   or PKIX extensions where the public key and subject remain the same.
   These reissued certificates are the certificates TLS client can use



Hoffman & Schlyter      Expires September 1, 2012              [Page 20]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   in place of an original certificate.

   Clients are known to exchange or remove certificates that could cause
   TLSA association that rely on the full certificate to fail.  For
   example:

   o  The client considers the signature algorithm of a certificate to
      no longer be sufficiently secure

   o  The client might not have an associated root certificate in its
      trust store and instead uses a cross-certificate with an identical
      subject and public key.

A.1.2.  Choosing a Selector Type

   In this section, "false-negative failure" means that a client will
   not accept the TLSA association for certificate designated by DNS
   administrator.  Also, "false-positive acceptance" means that the
   client accepts a TLSA association for a certificate that is not
   designated by the DNS administrator.

A.1.2.1.  Selector Type 0 (Full Certificate)

   The "Full certificate" selector provides the most precise
   specification of a TLS certificate association, capturing all fields
   of the PKIX certificate.  For a DNS administrator, the best course to
   avoid false-negative failures in the client when using this selector
   are:

   o  If a CA issued a replacement certificate, don't associate to CA
      certificates that have a signature algorithm with a hash that is
      considered weak (such as MD2 and MD5).

   o  Determine how common client applications process the TLSA
      association using a fresh client installation, that is, with the
      local certificate cache empty.

A.1.2.2.  Selector Type 1 (SubjectPublicKeyInfo)

   A SubjectPublicKeyInfo selector gives greater flexibility in avoiding
   some false-negative failures caused by trust-chain-building
   algorithms used in clients.

   One specific use-case should be noted: creating a TLSA association to
   certificate I1 that directly signed end entity certificate S1 of the
   server.  Since the key used to sign S1 is fixed, association to I1
   must succeed: if a client swaps I1 for I2 (a different certificate),
   its SPKI must match SPKI of I1.  Such and association would not



Hoffman & Schlyter      Expires September 1, 2012              [Page 21]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   suffer from a false-negative failure on client's side if the client
   uses a reissued CA certificate I2 in place of I1.

   The attack surface is a bit broader compared to "full certificate"
   selector: the DNS administrator might unintentionally specify an
   association that would lead to false-positive acceptance.

   o  The administrator must know or trust the CA not to engage in bad
      practices, such as not sharing key of I1 for unrelated CA
      certificates leading to trust-chain redirect.  If possible, the
      administrator should review all CA certificates that have the same
      SPKI.

   o  The administrator should understand whether some PKIX extension
      may adversely affect security of the association.  If possible,
      administrators should review all CA certificates that share the
      SubjectPublicKeyInfo.

   Using the SubjectPublicKeyInfo selector for association with a
   certificate in a chain above I1 needs to be decided on a case-by-case
   basis: there are too many possibilities based on the issuing CA's
   practices.  Unless the full implications of such an association are
   understood by the administrator, using selector type 0 is a better
   option from a security perspective.

A.2.  Provisioning TLSA Records in DNS

A.2.1.  Provisioning TLSA Records with Aliases

   The TLSA resource record is not special in the DNS; it acts exactly
   like any other RRtype where the queried name has one or more labels
   prefixed to the base name, such as the SRV RRtype [RFC2782].  This
   affects the way that the TLSA resource record is used when aliasing
   in the DNS.

   Note that the IETF sometimes adds new types of aliasing in the DNS.
   If that happens in the future, those aliases might affect TLSA
   records, hopefully in a good way.

A.2.1.1.  Provisioning TLSA Records with CNAME Records

   Using CNAME to alias in DNS only aliases from the exact name given,
   not any zones below the given name.  For example, assume that a zone
   file has only the following:

   sub1.example.com.          IN CNAME sub2.example.com.

   In this case, a request for the A record at "bottom.sub1.example.com"



Hoffman & Schlyter      Expires September 1, 2012              [Page 22]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   would not return any records because the CNAME given only aliases the
   name given.  Assume, instead, the zone file has the following:

   sub3.example.com.          IN CNAME sub4.example.com.
   bottom.sub3.example.com.   IN CNAME bottom.sub4.example.com.

   In this case, a request for the A record at bottom.sub3.example.com
   would in fact return whatever value for the A record exists at
   bottom.sub4.example.com.

   Application implementations and full-service resolvers request DNS
   records using libraries that automatically follow CNAME (and DNAME)
   aliasing.  This allows hosts to put TLSA records in their own zones
   or to use CNAME to do redirection.

   If the owner of the original domain wants a TLSA record for the same,
   they simply enter it under the defined prefix:

   ; No TLSA record in target domain
   ;
   sub5.example.com.            IN CNAME sub6.example.com.
   _443._tcp.sub5.example.com.  IN TLSA 1 1 1 308202c5308201ab...
   sub6.example.com.            IN A 192.0.2.1
   sub6.example.com.            IN AAAA 2001:db8::1

   If the owner of the original domain wants to have the target domain
   host the TLSA record, the original domain uses a CNAME record:

   ; TLSA record for original domain has CNAME to target domain
   ;
   sub5.example.com.            IN CNAME sub6.example.com.
   _443._tcp.sub5.example.com.  IN CNAME _443._tcp.sub6.example.com.
   sub6.example.com.            IN A 192.0.2.1
   sub6.example.com.            IN AAAA 2001:db8::1
   _443._tcp.sub6.example.com.  IN TLSA 1 1 1 536a570ac49d9ba4...

   Note that it is acceptable for both the original domain and the
   target domain to have TLSA records, but the two records are
   unrelated.  Consider the following:

   ; TLSA record in both the original and target domain
   ;
   sub5.example.com.            IN CNAME sub6.example.com.
   _443._tcp.sub5.example.com.  IN TLSA 1 1 1 308202c5308201ab...
   sub6.example.com.            IN A 192.0.2.1
   sub6.example.com.            IN AAAA 2001:db8::1
   _443._tcp.sub6.example.com.  IN TLSA 1 1 1 ac49d9ba4570ac49...




Hoffman & Schlyter      Expires September 1, 2012              [Page 23]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   In this example, someone looking for the TLSA record for
   sub5.example.com would always get the record whose value starts
   "308202c5308201ab"; the TLSA record whose value starts
   "ac49d9ba4570ac49" would only be sought by someone who is looking for
   the TLSA record for sub6.example.com, and never for sub5.example.com.
   One should note that deploying different certificates for multiple
   services located at a shared TLS listener often requires the use of
   TLS SNI (Server Name Indication) [RFC6066].

   Note that these methods use the normal method for DNS aliasing using
   CNAME: the DNS client requests the record type that they actually
   want.

A.2.1.2.  Provisioning TLSA Records with DNAME Records

   Using DNAME records allows a zone owner to alias an entire subtree of
   names below the name that has the DNAME.  This allows the wholesale
   aliasing of prefixed records such as those used by TLSA, SRV, and so
   on without aliasing the name itself.  However, because DNAME can only
   be used for subtrees of a base name, it is rarely used to alias
   individual hosts that might also be running TLS.

   ; TLSA record in target domain, visible in original domain via DNAME
   ;
   sub5.example.com.            IN CNAME sub6.example.com.
   _tcp.sub5.example.com.       IN DNAME _tcp.sub6.example.com.
   sub6.example.com.            IN A 192.0.2.1
   sub6.example.com.            IN AAAA 2001:db8::1
   _443._tcp.sub6.example.com.  IN TLSA 1 1 1 536a570ac49d9ba4...

A.2.1.3.  Provisioning TLSA Records with Wildcards

   Wildcards are generally not terribly useful for RRtypes that require
   prefixing because you can only wildcard at a layer below the host
   name.  For example, if you want to have the same TLSA record for
   every TCP port for www.example.com, you might have

   *._tcp.www.example.com.    IN TLSA 1 1 1 5c1502a6549c423b...

   This is possibly useful in some scenarios where the same service is
   offered on many ports.

A.3.  Securing the Last Hop

   As described in Section 4, an application processing TLSA records
   must know the DNSSEC validity of those records.  There are many ways
   for the application to securely find this out, and this specification
   does not mandate any single method.



Hoffman & Schlyter      Expires September 1, 2012              [Page 24]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   Some common methods for an application to know the DNSSEC validity of
   TLSA records include:

   o  The application can have its own DNS resolver and DNSSEC
      validation stack.

   o  The application can communicate through a trusted channel (such as
      requests to the operating system under which the application is
      running) to a local DNS resolver that does DNSSEC validation.

   o  The application can communicate through a secured channel (such as
      requests running over TLS, IPsec, TSIG or SIG(0)) to a non-local
      DNS resolver that does DNSSEC validation.

   o  The application can communicate through a secured channel (such as
      requests running over TLS, IPsec, TSIG or SIG(0)) to a non-local
      DNS resolver that does not do DNSSEC validation, but gets
      responses through a secured channel from a different DNS resolver
      that does DNSSEC validation.

A.4.  Handling Certificate Rollover

   Certificate rollover is handled in much the same was as for rolling
   DNSSEC zone signing keys using the pre-publish key rollover method
   [RFC4641].  Suppose example.com has a single TLSA record for a TLS
   service on TCP port 990:

   _990._tcp.example.com IN TLSA 1 1 1 1CFC98A706BCF3683015...

   To start the rollover process, obtain or generate the new certificate
   or SubjectPublicKeyInfo to be used after the rollover and generate
   the new TLSA record.  Add that record alongside the old one:

   _990._tcp.example.com IN TLSA 1 1 1 1CFC98A706BCF3683015...
   _990._tcp.example.com IN TLSA 1 1 1 62D5414CD1CC657E3D30...

   After the new records have propagated to the authoritative
   nameservers and the TTL of the old record has expired, switch to the
   new certificate on the TLS server.  Once this has occurred, the old
   TLSA record can be removed:

   _990._tcp.example.com IN TLSA 1 1 1 62D5414CD1CC657E3D30...

   This completes the certificate rollover.







Hoffman & Schlyter      Expires September 1, 2012              [Page 25]

Internet-Draft           DNS-Based Auth for TLS            February 2012


Appendix B.  Pseudocode for Using TLSA

   This appendix describes the interactions given earlier in this
   specification in pseudocode format.  This appendix is non-normative.
   If the steps below disagree with the text earlier in the document,
   the steps earlier in the document should be considered correct and
   this text incorrect.

   Note that this pseudocode is more strict than the normative text.
   For instance, it forces an order on the evaluation of criteria which
   is not mandatory from the normative text.

B.1.  Helper Functions


   // implement the function for exiting
   function Finish (F) = {
     if (F == ABORT_TLS) {
       abort the TLS handshake or prevent TLS from starting
       exit
     }

     if (F == NO_TLSA) {
       fall back to non-TLSA certificate validation
       exit
     }

     if (F == ACCEPT) {
       accept the TLS connection
       exit
     }

     // unreachable
   }

   // implement the selector function
   function Select (S, X) = {
     // Full certificate
     if (S == 0) {
       return X
     }

     // SubjectPublicKeyInfo
     if (S == 1) {
       return X.SubjectPublicKeyInfo
     }

     // unreachable



Hoffman & Schlyter      Expires September 1, 2012              [Page 26]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   }

   // implement the matching function
   function Match (M, X, Y) {
     // Exact match on selected content
     if (M == 0) {
       return (X == Y)
     }

     // SHA-256 hash of selected content
     if (M == 1) {
       return (SHA-256(X) == Y)
     }

     // SHA-512 hash of selected content
     if (M == 2) {
       return (SHA-512(X) == Y)
     }

     // unreachable
   }


B.2.  Main TLSA Pseudo Code

   TLS connect using [transport] to [name] on [port] and receiving end
   entity cert C for the TLS server:


   (TLSArecords, ValState) = DNSSECValidatedLookup(
     domainname=_[port]._[transport].[name], RRtype=TLSA)

   // check for states that would change processing
   if (ValState == BOGUS) {
     Finish(ABORT_TLS)
   }
   if ((ValState == INDETERMINATE) or (ValState == INSECURE)) {
     Finish(NO_TLSA)
   }
   // if here, ValState must be SECURE

   for each R in TLSArecords {
     // unusable records include unknown certUsage, unknown
     // selectorType, unknown matchingType, erroneous RDATA, and
     // prohibited by local policy
     if (R is unusable) {
       remove R from TLSArecords
     }



Hoffman & Schlyter      Expires September 1, 2012              [Page 27]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   }
   if (length(TLSArecords) == 0) {
     Finish(NO_TLSA)
   }

   // A TLS client might have multiple trust anchors that it might use
   //    when validating the TLS server's end entity certificate. Also,
   //    there can be multiple PKIX certification paths for the
   //    certificates given by the server in TLS. Thus, there are
   //    possibly many chains that might need to be tested during
   //    PKIX path validation.

   for each R in TLSArecords {

     // pass PKIX certificate validation and chain through a CA cert
     //    that comes from TLSA
     if (R.certUsage == 0) {
       for each PKIX certification path H {
         if (C passes PKIX certification path validation in H) {
           for each D in H {
             if ((D is a CA certificate) and
                 Match(R.matchingType, Select(R.selectorType, D),
                       R.cert)) {
               Finish(ACCEPT)
             }
           }
         }
       }
     }

     // pass PKIX certificate validation and match EE cert from TLSA
     if (R.certUsage == 1) {
       for each PKIX certification path H {
         if ((C passes PKIX certificate validation in H) and
                 Match(R.matchingType, Select(R.selectorType, C),
                 R.cert)) {
             Finish(ACCEPT)
         }
       }
     }

     // pass PKIX certificaten validation using TLSA record as the
     //    trust anchor
     if (R.certUsage == 2) {
       for each PKIX certification path H that has R as the
            trust anchor {
         if (C passes PKIX certification validation in H) and
                Match(R.matchingType, Select(R.selectorType, C),



Hoffman & Schlyter      Expires September 1, 2012              [Page 28]

Internet-Draft           DNS-Based Auth for TLS            February 2012


                R.cert)) {
           Finish(ACCEPT)
         }
       }
     }

     // match the TLSA record and the TLS certificate
     if (R.certUsage == 3) {
       if Match(R.matchingType, Select(R.selectorType, C), R.cert)
         Finish(ACCEPT)
       }
     }

   }

   // if here, then none of the TLSA records ended in "Finish(ACCEPT)"
   //   so abort TLS
   Finish(ABORT_TLS)


Appendix C.  Examples

   The following are examples of self-signed certificates that have been
   been generated with various selectors and matching types.  They were
   generated with one piece of software, and validated by an individual
   using other tools.


   S = Selector
   M = Matching Type

   S M Association Data
   0 0 30820454308202BC020900AB58D24E77AD2AF6300D06092A86
       4886F70D0101050500306C310B3009060355040613024E4C31163014
       0603550408130D4E6F6F72642D486F6C6C616E643112301006035504
       071309416D7374657264616D310C300A060355040A13034F53333123
       30210603550403131A64616E652E6B6965762E70726163746963756D
       2E6F73332E6E6C301E170D3132303131363136353730335A170D3232
       303131333136353730335A306C310B3009060355040613024E4C3116
       30140603550408130D4E6F6F72642D486F6C6C616E64311230100603
       5504071309416D7374657264616D310C300A060355040A13034F5333
       312330210603550403131A64616E652E6B6965762E70726163746963
       756D2E6F73332E6E6C308201A2300D06092A864886F70D0101010500
       0382018F003082018A0282018100E62C84A5AFE59F0A2A6B250DEE68
       7AC8C5C604F57D26CEB2119140FFAC38C4B9CBBE8923082E7F81626B
       6AD5DEA0C8771C74E3CAA7F613054AEFA3673E48FFE47B3F7AF987DE
       281A68230B24B9DA1A98DCBE51195B60E42FD7517C328D983E26A827
       C877AB914EE4C1BFDEAD48BD25BE5F2C473BA9C1CBBDDDA0C374D0D5



Hoffman & Schlyter      Expires September 1, 2012              [Page 29]

Internet-Draft           DNS-Based Auth for TLS            February 2012


       8C389CC3D6D8C20662E19CF768F32441B7F7D14AEA8966CE7C32A172
       2AB38623D008029A9E4702883F8B977A1A1E5292BF8AD72239D40393
       37B86A3AC60FA001290452177BF1798609A05A130F033457A5212629
       FBDDB8E70E2A9E6556873C4F7CA46AE4A8B178F05FB319005E1C1C7D
       4BD77DFA34035563C126AA2C3328B900E7990AC9787F01DA82F74C3D
       4B6674CCECE1FD4C6EF9E6644F4635EDEDA39D8B0E2F7C8E06DAE775
       6213BD3D60831175BE290442B4AFC5AE6F46B769855A067C1097E617
       962529E166F22AEE10DDB981B8CD6FF17D3D70723169038DBFBC1A44
       9C8D0D31BC683C5F3CE26148E42EC9BBD4D9F261569B25B53C1D7FC2
       DDFF6B4CAC050203010001300D06092A864886F70D01010505000382
       0181002B2ABE063E9C86AC4A1F7835372091079C8276A9C2C5D1EC57
       64DE523FDDABDEAB3FD34E6FE6CBA054580A6785A663595D90132B93
       D473929E81FA0887D2FFF78A81C7D014B97778AB6AC9E5E690F6F5A9
       E92BB5FBAB71B857AE69B6E18BDCCB0BA6FCD9D4B084A34F3635148C
       495D48FE635903B888EC1DEB2610548EDD48D63F86513A4562469831
       48C0D5DB82D73A4C350A42BB661D763430FC6C8E5F9D13EA1B76AA52
       A4C358E5EA04000F794618303AB6CEEA4E9A8E9C74D73C1B0B7BAF16
       DEDE7696B5E2F206F777100F5727E1684D4132F5E692F47AF6756EA8
       B421000BE031B5D8F0220E436B51FB154FE9595333C13A2403F9DE08
       E5DDC5A22FD6182E339593E26374450220BC14F3E40FF33F084526B0
       9C34250702E8A352B332CCCB0F9DE2CF2B338823B92AFC61C0B6B8AB
       DB5AF718ED8DDA97C298E46B82A01B14814868CFA4F2C36268BFFF4A
       591F42658BF75918902D3E426DFE1D5FF0FC6A212071F6DA8BD833FE
       2E560D87775E8EE9333C05B6FB8EB56589D910DB5EA903

   0 1 EFDDF0D915C7BDC5782C0881E1B2A95AD099FBDD06D7B1F779
       82D9364338D955

   0 2 81EE7F6C0ECC6B09B7785A9418F54432DE630DD54DC6EE9E3C
       49DE547708D236D4C413C3E97E44F969E635958AA410495844127C04
       883503E5B024CF7A8F6A94

   1 0 308201A2300D06092A864886F70D01010105000382018F0030
       82018A0282018100E62C84A5AFE59F0A2A6B250DEE687AC8C5C604F5
       7D26CEB2119140FFAC38C4B9CBBE8923082E7F81626B6AD5DEA0C877
       1C74E3CAA7F613054AEFA3673E48FFE47B3F7AF987DE281A68230B24
       B9DA1A98DCBE51195B60E42FD7517C328D983E26A827C877AB914EE4
       C1BFDEAD48BD25BE5F2C473BA9C1CBBDDDA0C374D0D58C389CC3D6D8
       C20662E19CF768F32441B7F7D14AEA8966CE7C32A1722AB38623D008
       029A9E4702883F8B977A1A1E5292BF8AD72239D4039337B86A3AC60F
       A001290452177BF1798609A05A130F033457A5212629FBDDB8E70E2A
       9E6556873C4F7CA46AE4A8B178F05FB319005E1C1C7D4BD77DFA3403
       5563C126AA2C3328B900E7990AC9787F01DA82F74C3D4B6674CCECE1
       FD4C6EF9E6644F4635EDEDA39D8B0E2F7C8E06DAE7756213BD3D6083
       1175BE290442B4AFC5AE6F46B769855A067C1097E617962529E166F2
       2AEE10DDB981B8CD6FF17D3D70723169038DBFBC1A449C8D0D31BC68
       3C5F3CE26148E42EC9BBD4D9F261569B25B53C1D7FC2DDFF6B4CAC05
       0203010001



Hoffman & Schlyter      Expires September 1, 2012              [Page 30]

Internet-Draft           DNS-Based Auth for TLS            February 2012


   1 1 8755CDAA8FE24EF16CC0F2C918063185E433FAAF1415664911
       D9E30A924138C4

   1 2 D43165B4CDF8F8660AECCCC5344D9D9AE45FFD7E6AAB7AB9EE
       C169B58E11F227ED90C17330CC17B5CCEF0390066008C720CEC6AAE5
       33A934B3A2D7E232C94AB4


Authors' Addresses

   Paul Hoffman
   VPN Consortium

   Email: paul.hoffman@vpnc.org


   Jakob Schlyter
   Kirei AB

   Email: jakob@kirei.se































Hoffman & Schlyter      Expires September 1, 2012              [Page 31]


Html markup produced by rfcmarkup 1.109, available from https://tools.ietf.org/tools/rfcmarkup/