[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 RFC 6698

Network Working Group                                         P. Hoffman
Internet-Draft                                            VPN Consortium
Intended status: Standards Track                             J. Schlyter
Expires: February 16, 2012                                      Kirei AB
                                                         August 15, 2011


  Using Secure DNS to Associate Certificates with Domain Names For TLS
                      draft-ietf-dane-protocol-10

Abstract

   TLS and DTLS use PKIX certificates for authenticating the server.
   Users want their applications to verify that the certificate provided
   by the TLS server is in fact associated with the domain name they
   expect.  TLSA provides bindings of keys to domains that are asserted
   not by external entities, but by the entities that operate the DNS.
   This document describes how to use secure DNS to associate the TLS
   server's certificate with the intended domain name.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 16, 2012.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must



Hoffman & Schlyter      Expires February 16, 2012               [Page 1]


Internet-Draft        DNS Cert Association for TLS           August 2011


   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Certificate Associations . . . . . . . . . . . . . . . . .  3
     1.2.  Securing Certificate Associations  . . . . . . . . . . . .  4
     1.3.  Terminology  . . . . . . . . . . . . . . . . . . . . . . .  4
   2.  The TLSA Resource Record . . . . . . . . . . . . . . . . . . .  4
     2.1.  TLSA RDATA Wire Format . . . . . . . . . . . . . . . . . .  5
       2.1.1.  The Certificate Type Field . . . . . . . . . . . . . .  5
       2.1.2.  The Reference Type Field . . . . . . . . . . . . . . .  6
       2.1.3.  The Certificate for Association Field  . . . . . . . .  6
     2.2.  TLSA RR Presentation Format  . . . . . . . . . . . . . . .  6
     2.3.  TLSA RR Examples . . . . . . . . . . . . . . . . . . . . .  6
   3.  Domain Names for TLS Certificate Associations  . . . . . . . .  7
   4.  Semantics and Features of TLSA Certificate Types . . . . . . .  7
     4.1.  End Entity Certificate . . . . . . . . . . . . . . . . . .  7
     4.2.  Certification Authority Certificate  . . . . . . . . . . .  8
     4.3.  Certificate Public Key . . . . . . . . . . . . . . . . . .  8
     4.4.  Use of TLS Certificate Associations in TLS . . . . . . . .  8
   5.  TLSA and DANE Use Cases and Requirements . . . . . . . . . . .  9
   6.  Mandatory-to-Implement Algorithms  . . . . . . . . . . . . . . 10
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 11
     7.1.  TLSA RRtype  . . . . . . . . . . . . . . . . . . . . . . . 11
     7.2.  TLSA Certificate Types . . . . . . . . . . . . . . . . . . 11
     7.3.  TLSA Hash Types  . . . . . . . . . . . . . . . . . . . . . 11
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 12
   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
     10.1. Normative References . . . . . . . . . . . . . . . . . . . 13
     10.2. Informative References . . . . . . . . . . . . . . . . . . 14
   Appendix A.  Operational Considerations for Deploying TLSA
                Records . . . . . . . . . . . . . . . . . . . . . . . 14
     A.1.  Provisioning TLSA Records with Aliases . . . . . . . . . . 14
       A.1.1.  Provisioning TLSA Records with CNAME Records . . . . . 14
       A.1.2.  Provisioning TLSA Records with DNAME Records . . . . . 16
       A.1.3.  Provisioning TLSA Records with Wildcards . . . . . . . 16
     A.2.  Securing the Last Hop  . . . . . . . . . . . . . . . . . . 16
   Appendix B.  Pseudocode for Using TLSA . . . . . . . . . . . . . . 16
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 18







Hoffman & Schlyter      Expires February 16, 2012               [Page 2]


Internet-Draft        DNS Cert Association for TLS           August 2011


1.  Introduction

   The first response from the server in TLS may contain a certificate.
   In order for the TLS client to authenticate that it is talking to the
   expected TLS server, the client must validate that this certificate
   is associated with the domain name used by the client to get to the
   server.  Currently, the client must extract the domain name from the
   certificate, must trust a trust anchor upon which the server's
   certificate is rooted, and must successfully validate the
   certificate.

   Some people want a different way to authenticate the association of
   the server's certificate with the intended domain name without
   trusting an external certificate authority (CA).  Given that the DNS
   administrator for a domain name is authorized to give identifying
   information about the zone, it makes sense to allow that
   administrator to also make an authoritative binding between the
   domain name and a certificate that might be used by a host at that
   domain name.  The easiest way to do this is to use the DNS.

   There are many use cases for such functionality.  [DANEUSECASES]
   lists the ones that the protocol in this document is meant to apply
   to.  [DANEUSECASES] also lists many requirements, most of which the
   protocol in this document is believed to meet.  Section 5 covers the
   applicability of this document to the use cases in detail.

   This document applies to both TLS [RFC5246] and DTLS [RFC4347bis].
   In order to make the document more readable, it mostly only talks
   about "TLS", but in all cases, it means "TLS or DTLS".  This document
   only relates to securely associating certificates for TLS and DTLS
   with host names; other security protocols and other forms of
   identification of TLS servers (such as IP addresses) are handled in
   other documents.  For example, keys for IPsec are covered in
   [RFC4025] and keys for SSH are covered in [RFC4255].

1.1.  Certificate Associations

   In this document, a certificate association is based on a
   cryptographic hash of a certificate (sometimes called a
   "fingerprint"), a public key, or on the certificate itself.  For a
   fingerprint, a hash is taken of the binary, DER-encoded certificate
   or public key, and that hash is the certificate association; the type
   of hash function used can be chosen by the DNS administrator.  When
   using the certificate itself in the certificate association, the
   entire certificate in the normal format is used.  This document only
   applies to PKIX [RFC5280] certificates, not certificates of other
   formats.  It also applies to public keys that are extracted from PKIX
   certificates, not just full certificates.



Hoffman & Schlyter      Expires February 16, 2012               [Page 3]


Internet-Draft        DNS Cert Association for TLS           August 2011


   Certificate associations are made between a certificate or public key
   and a domain name.  Server software that is running TLS that is found
   at that domain name would use a certificate that has a certificate
   association given in the DNS, as described in this document.  A DNS
   query can return multiple certificate associations, such as in the
   case of different server software on a single host using different
   certificates, or in the case that a server is changing from one
   certificate to another.

1.2.  Securing Certificate Associations

   This document defines a secure method to associate the certificate
   that is obtained from the TLS server with a domain name using DNS;
   the DNS information may need to be be protected by DNSSEC.  Because
   the certificate association was retrieved based on a DNS query, the
   domain name in the query is by definition associated with the
   certificate.

   DNSSEC, which is defined in RFCs 4033, 4034, and 4035 ([RFC4033],
   [RFC4034], and [RFC4035]), uses cryptographic keys and digital
   signatures to provide authentication of DNS data.  Information
   retrieved from the DNS and that is validated using DNSSEC is thereby
   proved to be the authoritative data.  The DNSSEC signature MUST be
   validated on all responses that use DNSSEC in order to assure the
   proof of origin of the data.  This document does not specify how
   DNSSEC validation occurs because there are many different proposals
   for how a client might get validated DNSSEC results.

   This document only relates to securely getting the DNS information
   for the certificate association using DNSSEC; other secure DNS
   mechanisms are out of scope.

1.3.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   This document also makes use of standard PKIX, DNSSEC, and TLS
   terminology.  See [RFC5280], [RFC4033], and [RFC5246] respectively,
   for these terms.  In addition, terms related to TLS-protected
   application services and DNS names are taken from [RFC6125].


2.  The TLSA Resource Record

   The TLSA DNS resource record (RR) is used to associate a certificate
   with the domain name where the record is found.  The semantics of how



Hoffman & Schlyter      Expires February 16, 2012               [Page 4]


Internet-Draft        DNS Cert Association for TLS           August 2011


   the TLSA RR is interpreted are given later in this document.

   The type value for the TLSA RR type is TBD.

   The TLSA RR is class independent.

   The TLSA RR has no special TTL requirements.

2.1.  TLSA RDATA Wire Format

   The RDATA for a TLSA RR consists of a one octet certificate type
   field, a one octet reference type field and the certificate for
   association field.

                        1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   Cert type   |   Ref type    |                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                               /
   /                                                               /
   /                    Certificate for association                /
   /                                                               /
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2.1.1.  The Certificate Type Field

   A one-octet value, called "certificate type", specifying the provided
   association that will be used to match the target certificate.  This
   will be an IANA registry in order to make it easier to add additional
   certificate types in the future.  The types defined in this document
   are:

      1 -- A PKIX certificate that identifies an end entity

      2 -- A PKIX certification authority's certificate

      3 -- A public key expressed as a PKIX SubjectPublicKeyInfo
      structure

   All three types are structured using the RFC 5280 formatting rules
   and use the DER encoding.

   The three certificate types defined in this document explicitly only
   apply to PKIX-formatted certificates.  If TLS allows other formats
   later, or if extensions to this protocol are made that accept other
   formats for certificates, those certificates will need their own
   certificate types.




Hoffman & Schlyter      Expires February 16, 2012               [Page 5]


Internet-Draft        DNS Cert Association for TLS           August 2011


2.1.2.  The Reference Type Field

   A one-octet value, called "reference type", specifying how the
   certificate association is presented.  This value is defined in a new
   IANA registry.  The types defined in this document are:

      0 -- Full certificate

      1 -- SHA-256 hash of the certificate

      2 -- SHA-512 hash of the certificate

   Using the same hash algorithm as is used in the signature in the
   certificate will make it more likely that the TLS client will
   understand this TLSA data.

2.1.3.  The Certificate for Association Field

   The "certificate for association".  This is the bytes containing the
   full certificate, SubjectPublicKeyInfo or the hash of the associated
   certificate or SubjectPublicKeyInfo.  For certificate types 1 and 2,
   this is the certificate or the hash of the certificate itself, not of
   the TLS ASN.1 Cert object.

2.2.  TLSA RR Presentation Format

   The presentation format of the RDATA portion is as follows:

   o  The certificate type field MUST be represented as an unsigned
      decimal integer.

   o  The reference type field MUST be represented as an unsigned
      decimal integer.

   o  The certificate for association field MUST be represented as a
      string of hexadecimal characters.  Whitespace is allowed within
      the string of hexadecimal characters.

2.3.  TLSA RR Examples

   An example of a SHA-256 hash (type 1) of an end entity certificate
   (type 1) would be:

   _443._tcp.www.example.com. IN TLSA (
      1 1 5c1502a6549c423be0a0aa9d9a16904de5ef0f5c98
          c735fcca79f09230aa7141 )

   An example of an unhashed CA certificate (type 2) would be:



Hoffman & Schlyter      Expires February 16, 2012               [Page 6]


Internet-Draft        DNS Cert Association for TLS           August 2011


   _443._tcp.www.example.com. IN TLSA (
      2 0 308202c5308201ada00302010202090... )


3.  Domain Names for TLS Certificate Associations

   TLSA resource records are stored at a prefixed DNS domain name.  The
   prefix is prepared in the following manner:

   1.  The decimal representation of the port number on which a TLS-
       based service is assumed to exist is prepended with an underscore
       character ("_") to become the left-most label in the prepared
       domain name.  This number has no leading zeros.

   2.  The protocol name of the transport on which a TLS-based service
       is assumed to exist is prepended with an underscore character
       ("_") to become the second left-most label in the prepared domain
       name.  The transport names defined for this protocol are "tcp",
       "udp" and "sctp".

   3.  The domain name is appended to the result of step 2 to complete
       the prepared domain name.

   For example, to request a TLSA resource record for an HTTP server
   running TLS on port 443 at "www.example.com", you would use
   "_443._tcp.www.example.com" in the request.  To request a TLSA
   resource record for an SMTP server running the STARTTLS protocol on
   port 25 at "mail.example.com", you would use
   "_25._tcp.mail.example.com".


4.  Semantics and Features of TLSA Certificate Types

   The three certificate types have very different semantics, but also
   have features common to all three types.

4.1.  End Entity Certificate

   Certificate type 1 (a certificate that identifies an end entity) is
   matched against the first certificate offered by the TLS server.  The
   certificate for association is used only for exact matching, not for
   chained validation.  With reference type 0, the certificate
   association is valid if the certificate in the TLSA data matches to
   the first certificate offered by TLS.  With reference types other
   than 0, the certificate association is valid if the hash of the first
   certificate offered by the TLS server matches the value from the TLSA
   data.




Hoffman & Schlyter      Expires February 16, 2012               [Page 7]


Internet-Draft        DNS Cert Association for TLS           August 2011


4.2.  Certification Authority Certificate

   Certificate type 2 (certification authority's certificate) can be
   used in one of two ways.  With reference type 0, the certificate in
   the TLSA resource record is used in chaining from the end entity
   given in TLS.  The certificate association is valid if the first
   certificate in the certificate bundle can be validly chained to the
   trust anchor from the TLSA data.  With reference types other than 0,
   if the hash of any certificate past the first in the certificate
   bundle from TLS matches the trust anchor from the TLSA data, and the
   chain in the certificate bundle is valid up to that TLSA trust
   anchor, then the certificate association is valid.  Alternately, if
   the first certificate offered chains to an existing trust anchor in
   the TLS client's trust anchor repository, and the hash of that trust
   anchor matches the value from the TLSA data, then the certificate
   association is valid.

4.3.  Certificate Public Key

   Certificate type 3 (public key expressed as a PKIX
   SubjectPublicKeyInfo structure) is used to assert that the public key
   will appear in one of the certificates received from the server.  A
   server might choose this type for many reasons, including (but not
   limited to):

   o  the trust anchor to which TLS server's certificate chains might
      change without the trust anchor's public key changing

   o  the TLS server is using a self-signed certificate that is not
      marked as a CA certificate

   A TLS client conforming to this protocol that receives a public key
   in a type 3 certificate for association must be able to extract the
   SubjectPublicKeyInfo from each of the certificates presented to it by
   the TLS server.  It then does a bit-for-bit comparison between the
   certificate for association and the SubjectPublicKeyInfos in the
   certificates; if it does not find a match, the client aborts the TLS
   handshake.

4.4.  Use of TLS Certificate Associations in TLS

   A TLS client conforming to this protocol receiving a certificate for
   association of type 1 MUST compare it for equality, using the
   specified reference type, with the end entity certificate received in
   TLS.  A TLS client conforming to this protocol receiving a
   certificate for association of type 2 MUST treat it as a trust anchor
   for that domain name.  A TLS client conforming to this protocol
   receiving a certificate for association of type 3 MUST find a



Hoffman & Schlyter      Expires February 16, 2012               [Page 8]


Internet-Draft        DNS Cert Association for TLS           August 2011


   matching SubjectPublicKeyInfo structure in one of the certificates
   offered by the TLS server.

   The end entity certificate from TLS, regardless of whether it was
   matched with a TLSA type 1 certificate or chained to a TLSA type 2 CA
   certificate, might have at least one identifier in the subject or
   subjectAltName field of the matched certificates that matches the
   expected identifier for the TLS server.  Some specifications for
   applications that run under TLS, such as [RFC2818] for HTTP, require
   the server's certificate to have a domain name that matches the host
   name expected by the client.  Further, the TLS session that is to be
   set up MUST be for the specific port number and transport name that
   was given in the TLSA query.  The matching or chaining MUST be done
   within the life of the TTL on the TLSA record.

   In order to use one or more TLS certificate associations described in
   this document obtained from the DNS, an application MUST assure that
   the certificates were obtained using DNS protected by DNSSEC.  TLSA
   records must only be trusted if they were obtained from a trusted
   source.  This could be a localhost DNS resolver answer with the AD
   bit set, an inline validating resolver library primed with the proper
   trust anchors, or obtained from a remote nameserver to which one has
   a secured channel of communication.

   If a certificate association contains a reference type that is not
   understood by the TLS client, that certificate association MUST be
   marked as unusable.

   An application that requests TLS certificate associations using the
   method described in this document obtains zero or more usable
   certificate associations.  If the application receives zero usable
   certificate associations, it processes TLS in the normal fashion.

   If a match between one of the certificate association(s) and the
   server's end entity certificate in TLS is found, the TLS client
   continues the TLS handshake.  If no match between the usable
   certificate association(s) and the server's end entity certificate in
   TLS is found, the TLS client MUST abort the handshake with an
   "access_denied" error.


5.  TLSA and DANE Use Cases and Requirements

   The different types of certificates for association defined in TLSA
   are matched with various sections of [DANEUSECASES].  The three use
   cases from section 3 of [DANEUSECASES] are covered in this protocol
   as follows:




Hoffman & Schlyter      Expires February 16, 2012               [Page 9]


Internet-Draft        DNS Cert Association for TLS           August 2011


   3.1 CA Constraints  -- Implemented using certificate type 2.  A
      hashed association is recommended for well-known certification
      authorities.

   3.2 Certificate Constraints  -- Implemented using certificate type 1.

   3.3 Domain-Issued Certificates  -- Implemented using certificate type
      1 combined with any reference type, or by using certificate type 2
      together with a full certificate association.

   The requirements from section 4 of [DANEUSECASES] are covered in this
   protocol as follows (note that some of these might be excessively
   glib):

   Multiple Ports  -- Covered in the TLSA request syntax.

   No Downgrade  -- Covered by DNSSEC itself.

   Encapsulation  -- Covered in the TLSA response semantics.

   Predictability  -- Covered by this spec.

   Opportunistic Security  -- Covered in the TLSA request syntax.

   Combination  -- Covered in the TLSA response semantics.

   Roll-over  -- Covered by the TTLs on the TLSA records.

   Simple Key Management  -- Implemented using Certificate Type 3.

   Minimal Dependencies  -- Covered in the TLSA response semantics.

   Minimal Options  -- Covered in the TLSA response semantics.

   Wild Cards  -- Covered in the TLSA request syntax; see Appendix A.

   Redirection  -- Covered in the TLSA request syntax; see Appendix A.


6.  Mandatory-to-Implement Algorithms

   DNS systems conforming to this specification MUST be able to create
   TLSA records containing certificate types 1 and 2.  DNS systems
   conforming to this specification MUST be able to create TLSA records
   using reference type 0 (no hash used) and reference type 1 (SHA-256),
   and SHOULD be able to create TLSA records using reference type 2
   (SHA-512).




Hoffman & Schlyter      Expires February 16, 2012              [Page 10]


Internet-Draft        DNS Cert Association for TLS           August 2011


   TLS clients conforming to this specification MUST be able to
   correctly interpret TLSA records containing certificate types 1, 2
   and 3.  TLS clients conforming to this specification MUST be able to
   compare a certificate for association with a certificate from TLS
   using reference type 0 (no hash used) and reference type 1 (SHA-256),
   and SHOULD be able to make such comparisons with reference type 2
   (SHA-512).

   At the time this is written, it is expected that there will be a new
   family of hash algorithms called SHA-3 within the next few years.  It
   is expected that some of the SHA-3 algorithms will be mandatory
   and/or recommended for TLSA records after the algorithms are fully
   defined.  At that time, this specification will be updated.


7.  IANA Considerations

7.1.  TLSA RRtype

   This document uses a new DNS RR type, TLSA, whose value is TBD.  A
   separate request for the RR type will be submitted to the expert
   reviewer, and future versions of this document will have that value
   instead of TBD.

7.2.  TLSA Certificate Types

   This document creates a new registry, "Certificate Types for TLSA
   Resource Records".  The registry policy is "RFC Required".  The
   initial entries in the registry are:

   Value    Short description                       Reference
   ----------------------------------------------------------
   0        Reserved                                [This]
   1        Certificate to identify an end entity   [This]
   2        CA's certificate                        [This]
   3        Public key as SubjectPublicKeyInfo      [This]
   4-254    Unassigned
   255      Private use

   Applications to the registry can request specific values that have
   yet to be assigned.

7.3.  TLSA Hash Types

   This document creates a new registry, "Hash Types for TLSA Resource
   Records".  The registry policy is "Specification Required".  The
   initial entries in the registry are:




Hoffman & Schlyter      Expires February 16, 2012              [Page 11]


Internet-Draft        DNS Cert Association for TLS           August 2011


   Value    Short description    Reference
   ---------------------------------------------
   0        No hash used         [This]
   1        SHA-256              NIST FIPS 180-3
   2        SHA-512              NIST FIPS 180-3
   3-254    Unassigned
   255      Private use

   Applications to the registry can request specific values that have
   yet to be assigned.


8.  Security Considerations

   The security of the protocols described in this document relies on
   the security of DNSSEC as used by the client requesting A/AAAA and
   TLSA records.

   A DNS administrator who goes rogue and changes both the A/AAAA and
   TLSA records for a domain name can cause the user to go to an
   unauthorized server that will appear authorized, unless the client
   performs certificate validation and rejects the certificate.  That
   administrator could probably get a certificate issued anyway, so this
   is not an additional threat.

   If the authentication mechanism for adding or changing TLSA data in a
   zone is weaker than the authentication mechanism for changing the
   A/AAAA records, a man-in-the-middle who can redirect traffic to their
   site may be able to impersonate the attacked host in TLS if they can
   use the weaker authentication mechanism.  A better design for
   authenticating DNS would be to have the same level of authentication
   used for all DNS additions and changes for a particular host.

   SSL proxies can sometimes act as a man-in-the-middle for TLS clients.
   In these scenarios, the clients add a new trust anchor whose private
   key is kept on the SSL proxy; the proxy intercepts TLS requests,
   creates a new TLS session with the intended host, and sets up a TLS
   session with the client using a certificate that chains to the trust
   anchor installed in the client by the proxy.  In such environments,
   the TLSA protocol will prevent the SSL proxy from functioning as
   expected because the TLS client will get a certificate association
   from the DNS that will not match the certificate that the SSL proxy
   uses with the client.  The client, seeing the proxy's new certificate
   for the supposed destination will not set up a TLS session.  Thus,
   such proxies might choose to aggressively block TLSA requests and/or
   responses.

   Client treatment of any information included in the trust anchor is a



Hoffman & Schlyter      Expires February 16, 2012              [Page 12]


Internet-Draft        DNS Cert Association for TLS           August 2011


   matter of local policy.  This specification does not mandate that
   such information be inspected or validated by the domain name
   administrator.


9.  Acknowledgements

   Many of the ideas in this document have been discussed over many
   years.  More recently, the ideas have been discussed by the authors
   and others in a more focused fashion.  In particular, some of the
   ideas here originated with Paul Vixie, Dan Kaminsky, Jeff Hodges,
   Phill Hallam-Baker, Simon Josefsson, Warren Kumari, Adam Langley, Ben
   Laurie, Ilari Liusvaara, Scott Schmit, and Ondrej Sury.

   This document has also been greatly helped by many active
   participants of the DANE Working Group.


10.  References

10.1.  Normative References

   [DANEUSECASES]
              Barnes, R., "Use Cases and Requirements for DNS-based
              Authentication of Named Entities (DANE)",
              draft-ietf-dane-use-cases (work in progress), 2011.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements",
              RFC 4033, March 2005.

   [RFC4034]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Resource Records for the DNS Security Extensions",
              RFC 4034, March 2005.

   [RFC4035]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "Protocol Modifications for the DNS Security
              Extensions", RFC 4035, March 2005.

   [RFC4347bis]
              Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security version 1.2", draft-ietf-tls-rfc4347-bis (work in
              progress), July 2010.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security



Hoffman & Schlyter      Expires February 16, 2012              [Page 13]


Internet-Draft        DNS Cert Association for TLS           August 2011


              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

   [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
              Verification of Domain-Based Application Service Identity
              within Internet Public Key Infrastructure Using X.509
              (PKIX) Certificates in the Context of Transport Layer
              Security (TLS)", RFC 6125, March 2011.

10.2.  Informative References

   [RFC2782]  Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
              specifying the location of services (DNS SRV)", RFC 2782,
              February 2000.

   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

   [RFC4025]  Richardson, M., "A Method for Storing IPsec Keying
              Material in DNS", RFC 4025, March 2005.

   [RFC4255]  Schlyter, J. and W. Griffin, "Using DNS to Securely
              Publish Secure Shell (SSH) Key Fingerprints", RFC 4255,
              January 2006.


Appendix A.  Operational Considerations for Deploying TLSA Records

A.1.  Provisioning TLSA Records with Aliases

   The TLSA resource record is not special in the DNS; it acts exactly
   like any other RRtype where the queried name has one or more labels
   prefixed to the base name, such as the SRV RRtype [RFC2782].  This
   affects the way that the TLSA resource record is used when aliasing
   in the DNS.

   Note that the IETF sometimes adds new types of aliasing in the DNS.
   If that happens in the future, those aliases might affect TLSA
   records, hopefully in a good way.

A.1.1.  Provisioning TLSA Records with CNAME Records

   Using CNAME to alias in DNS only aliases from the exact name given,
   not any zones below the given name.  For example, assume that a zone
   file has only the following:



Hoffman & Schlyter      Expires February 16, 2012              [Page 14]


Internet-Draft        DNS Cert Association for TLS           August 2011


   sub1.example.com.          IN CNAME sub2.example.com.

   In this case, a request for the A record at "bottom.sub1.example.com"
   would not return any records because the CNAME given only aliases the
   name given.  Assume, instead, the zone file has the following:

   sub3.example.com.          IN CNAME sub4.example.com.
   bottom.sub3.example.com.   IN CNAME bottom.sub4.example.com.

   In this case, a request for the A record at bottom.sub3.example.com
   would in fact return whatever value for the A record exists at
   bottom.sub4.example.com.

   Application implementations and full-service resolvers request DNS
   records using libraries that automatically follow CNAME (and DNAME)
   aliasing.  This allows hosts to put TLSA records in their own zones
   or to use CNAME to do redirection.

   If the owner of the original domain wants a TLSA record for the same,
   they simply enter it under the defined prefix:

   ; No TLSA record in target domain
   ;
   sub5.example.com.           IN CNAME sub6.example.com.
   _443._tcp.sub5.example.com. IN TLSA 2 0 308202c5308201ab...
   sub6.example.com.           IN A 10.0.0.0

   If the owner of the orginal domain wants to have the target domain
   host the TLSA record, the original domain uses a CNAME record:

   ; TLSA record for original domain has CNAME to target domain
   ;
   sub5.example.com.           IN CNAME sub6.example.com.
   _443._tcp.sub5.example.com. IN CNAME _443._tcp.sub6.example.com.
   sub6.example.com.           IN A 10.0.0.0
   _443._tcp.sub6.example.com. IN TLSA 1 1 536a570ac49d9ba4...

   Note that it is acceptable for both the original domain and the
   target domain to have TLSA records, but the two records are
   unrelated.  Consider the following:

   ; TLSA record in both the original and target domain
   ;
   sub5.example.com.           IN CNAME sub6.example.com.
   _443._tcp.sub5.example.com. IN TLSA 2 0 308202c5308201ab...
   sub6.example.com.           IN A 10.0.0.0
   _443._tcp.sub6.example.com. IN TLSA 2 0 ac49d9ba4570ac49...




Hoffman & Schlyter      Expires February 16, 2012              [Page 15]


Internet-Draft        DNS Cert Association for TLS           August 2011


   In this example, someone looking for the TLSA record for
   sub5.example.com would always get the record whose value starts
   "308202c5308201ab"; the TLSA record whose value starts
   "ac49d9ba4570ac49" would only be sought by someone who is looking for
   the TLSA record for sub6.example.com, and never for sub5.example.com.

   Note that these methods use the normal method for DNS aliasing using
   CNAME: the DNS client requests the record type that they actually
   want.

A.1.2.  Provisioning TLSA Records with DNAME Records

   Using DNAME records allows a zone owner to alias an entire subtree of
   names below the name that has the DNAME.  This allows the wholesale
   aliasing of prefixed records such as those used by TLSA, SRV, and so
   on without aliasing the name itself.  However, because DNAME can only
   be used for subtrees of a base name, it is rarely used to alias
   individual hosts that might also be running TLS.

A.1.3.  Provisioning TLSA Records with Wildcards

   Wildcards are generally not terribly useful for RRtypes that require
   prefixing because you can only wildcard at a layer below the host
   name.  For example, if you want to have the same TLSA record for
   every TCP port for www.example.com, you might have

   *._tcp.www.example.com.    IN TLSA 1 1 5c1502a6549c423b...

   This is possibly useful in some scenarios where the same service is
   offered on many ports.

A.2.  Securing the Last Hop

   [[ Need to add text here about the various ways that a client who is
   pulling in TLSA records can be sure that they are protected by
   DNSSEC. ]]


Appendix B.  Pseudocode for Using TLSA

   [[ IMPORTANT NOTE FOR THE DANE WG: Please review this new appendix
   carefully.  If you find differences between what is here and what is
   in the rest of the draft, by all means please send it to the WG
   mailing list.  The ensuing discussion will hopefully help everyone.
   ]]

   This appendix describes the interactions given earlier in this
   specification in pseudocode format.  This appendix is non-normative.



Hoffman & Schlyter      Expires February 16, 2012              [Page 16]


Internet-Draft        DNS Cert Association for TLS           August 2011


   If the steps below disagree with the text earlier in the document,
   the steps earlier in the document should be considered correct and
   this text incorrect.

   TLS connect using [transport] to [hostname] on [port] and
   receiving end entity cert C for the TLS server:

   look up TLSA for _[port]._[transport].[hostname]

   if (no secure TLSA record(s) received) {
     fall back to "normal" cert validation
   }

   for each TLSA record R received {

     // a PKIX certificate that identifies an end entity
     if (R.certType == 1) {
       if (R.referenceType == 0) AND (C == R.certAssoc) {
         accept the TLS connection
       } else if (hash(R.referenceType of C) == R.certAssoc) {
         accept the TLS connection
       } else {
         continue outer loop
       }
     }

     // a PKIX certification authority's certificate
     if (R.certType == 2) {
       if (R.referenceType == 0) {
         if (PKIX validation with R.certAssoc as the only TA succeeds) {
           accept the TLS connection
         } else {
           continue outer loop
         }
       } else {
         if (PKIX validation with existing TAs succeeds) {
           for each cert D in path except the EE cert {
             if (hash(R.referenceType, D) == R.certAssoc) {
               accept the TLS connection
             }
           }
         }
         continue outer loop
       }
     }

     // a public key expressed as a PKIX SubjectPublicKeyInfo structure
     if (R.certType == 3) {



Hoffman & Schlyter      Expires February 16, 2012              [Page 17]


Internet-Draft        DNS Cert Association for TLS           August 2011


       if (R.referenceType == 0) AND (publicKey(C) == R.certAssoc) {
         accept the TLS connection
       } else if (hash(R.referenceType, publicKey(C)) == R.certAssoc) {
         accept the TLS connection
       } else {
         continue outer loop
       }
     }
   }

   abort TLS handshake with "access_denied" error.


Authors' Addresses

   Paul Hoffman
   VPN Consortium

   Email: paul.hoffman@vpnc.org


   Jakob Schlyter
   Kirei AB

   Email: jakob@kirei.se


























Hoffman & Schlyter      Expires February 16, 2012              [Page 18]


Html markup produced by rfcmarkup 1.129d, available from https://tools.ietf.org/tools/rfcmarkup/