draft-ietf-dane-protocol-13.txt   draft-ietf-dane-protocol-14.txt 
Network Working Group P. Hoffman Network Working Group P. Hoffman
Internet-Draft VPN Consortium Internet-Draft VPN Consortium
Intended status: Standards Track J. Schlyter Intended status: Standards Track J. Schlyter
Expires: June 21, 2012 Kirei AB Expires: July 7, 2012 Kirei AB
December 19, 2011 January 4, 2012
Using Secure DNS to Associate Certificates with Domain Names For TLS Using Secure DNS to Associate Certificates with Domain Names For TLS
draft-ietf-dane-protocol-13 draft-ietf-dane-protocol-14
Abstract Abstract
TLS and DTLS use PKIX certificates for authenticating the server. TLS and DTLS use PKIX certificates for authenticating the server.
Users want their applications to verify that the certificate provided Users want their applications to verify that the certificate provided
by the TLS server is in fact associated with the domain name they by the TLS server is in fact associated with the domain name they
expect. TLSA provides bindings of keys to domains that are asserted expect. TLSA provides bindings of keys to domains that are asserted
not by external entities, but by the entities that operate the DNS. not by external entities, but by the entities that operate the DNS.
This document describes how to use secure DNS to associate the TLS This document describes how to use secure DNS to associate the TLS
server's certificate with the intended domain name. server's certificate with the intended domain name.
skipping to change at page 1, line 37 skipping to change at page 1, line 37
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 21, 2012. This Internet-Draft will expire on July 7, 2012.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Certificate Associations . . . . . . . . . . . . . . . . . 3 1.1. Certificate Associations . . . . . . . . . . . . . . . . . 4
1.2. Securing Certificate Associations . . . . . . . . . . . . 4 1.2. Securing Certificate Associations . . . . . . . . . . . . 5
1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.3. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
2. The TLSA Resource Record . . . . . . . . . . . . . . . . . . . 4 2. The TLSA Resource Record . . . . . . . . . . . . . . . . . . . 5
2.1. TLSA RDATA Wire Format . . . . . . . . . . . . . . . . . . 5 2.1. TLSA RDATA Wire Format . . . . . . . . . . . . . . . . . . 6
2.1.1. The Certificate Usage Field . . . . . . . . . . . . . 5 2.1.1. The Certificate Usage Field . . . . . . . . . . . . . 6
2.1.2. The Selector Field . . . . . . . . . . . . . . . . . . 5 2.1.2. The Selector Field . . . . . . . . . . . . . . . . . . 6
2.1.3. The Matching Type Field . . . . . . . . . . . . . . . 6 2.1.3. The Matching Type Field . . . . . . . . . . . . . . . 7
2.1.4. The Certificate for Association Field . . . . . . . . 6 2.1.4. The Certificate for Association Field . . . . . . . . 7
2.2. TLSA RR Presentation Format . . . . . . . . . . . . . . . 6 2.2. TLSA RR Presentation Format . . . . . . . . . . . . . . . 7
2.3. TLSA RR Examples . . . . . . . . . . . . . . . . . . . . . 7 2.3. TLSA RR Examples . . . . . . . . . . . . . . . . . . . . . 8
3. Domain Names for TLS Certificate Associations . . . . . . . . 7 3. Domain Names for TLS Certificate Associations . . . . . . . . 8
4. Semantics and Features of TLSA Certificate Usages . . . . . . 8 4. Semantics and Features of TLSA Certificate Usages . . . . . . 9
4.1. Pass PKIX Validation and Chain Through CA . . . . . . . . 8 4.1. Pass PKIX Validation and Chain Through CA . . . . . . . . 9
4.2. Pass PKIX Validation and Match End Entity Certificate . . 8 4.2. Pass PKIX Validation and Match End Entity Certificate . . 9
4.3. Pass PKIX Validation and Use Trust Anchor . . . . . . . . 8 4.3. Pass PKIX Validation and Use Trust Anchor . . . . . . . . 9
4.4. Use of TLS Certificate Associations in TLS . . . . . . . . 8 4.4. Use of TLS Certificate Associations in TLS . . . . . . . . 9
5. TLSA and DANE Use Cases and Requirements . . . . . . . . . . . 9 5. TLSA and DANE Use Cases and Requirements . . . . . . . . . . . 10
6. Mandatory-to-Implement Algorithms . . . . . . . . . . . . . . 10 6. Mandatory-to-Implement Algorithms . . . . . . . . . . . . . . 11
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
7.1. TLSA RRtype . . . . . . . . . . . . . . . . . . . . . . . 11 7.1. TLSA RRtype . . . . . . . . . . . . . . . . . . . . . . . 12
7.2. TLSA Usages . . . . . . . . . . . . . . . . . . . . . . . 11 7.2. TLSA Usages . . . . . . . . . . . . . . . . . . . . . . . 12
7.3. TLSA Selectors . . . . . . . . . . . . . . . . . . . . . . 11 7.3. TLSA Selectors . . . . . . . . . . . . . . . . . . . . . . 13
7.4. TLSA Matching Types . . . . . . . . . . . . . . . . . . . 12 7.4. TLSA Matching Types . . . . . . . . . . . . . . . . . . . 13
8. Security Considerations . . . . . . . . . . . . . . . . . . . 12 8. Security Considerations . . . . . . . . . . . . . . . . . . . 13
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 13 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
10.1. Normative References . . . . . . . . . . . . . . . . . . . 13 10.1. Normative References . . . . . . . . . . . . . . . . . . . 15
10.2. Informative References . . . . . . . . . . . . . . . . . . 14 10.2. Informative References . . . . . . . . . . . . . . . . . . 15
Appendix A. Operational Considerations for Deploying TLSA Appendix A. Operational Considerations for Deploying TLSA
Records . . . . . . . . . . . . . . . . . . . . . . . 15 Records . . . . . . . . . . . . . . . . . . . . . . . 16
A.1. Provisioning TLSA Records with Aliases . . . . . . . . . . 15 A.1. Creating TLSA Records . . . . . . . . . . . . . . . . . . 16
A.1.1. Provisioning TLSA Records with CNAME Records . . . . . 15 A.1.1. Ambiguities and Corner Cases When TLS Clients
A.1.2. Provisioning TLSA Records with DNAME Records . . . . . 17 Build Trust Chains . . . . . . . . . . . . . . . . . . 16
A.1.3. Provisioning TLSA Records with Wildcards . . . . . . . 17 A.1.2. Choosing a Selector Type . . . . . . . . . . . . . . . 17
A.2. Provisioning Using NS Records . . . . . . . . . . . . . . 17 A.2. Provisioning TLSA Records in DNS . . . . . . . . . . . . . 18
A.3. Securing the Last Hop . . . . . . . . . . . . . . . . . . 17 A.2.1. Provisioning TLSA Records with Aliases . . . . . . . . 18
A.4. Handling Certificate Rollover . . . . . . . . . . . . . . 17 A.2.2. Provisioning with NS Records . . . . . . . . . . . . . 21
Appendix B. Pseudocode for Using TLSA . . . . . . . . . . . . . . 18 A.3. Securing the Last Hop . . . . . . . . . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20 A.4. Handling Certificate Rollover . . . . . . . . . . . . . . 21
Appendix B. Pseudocode for Using TLSA . . . . . . . . . . . . . . 21
B.1. Helper Functions . . . . . . . . . . . . . . . . . . . . . 21
B.2. Main TLSA Pseudo Code . . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24
1. Introduction 1. Introduction
The first response from the server in TLS may contain a certificate. The first response from the server in TLS may contain a certificate.
In order for the TLS client to authenticate that it is talking to the In order for the TLS client to authenticate that it is talking to the
expected TLS server, the client must validate that this certificate expected TLS server, the client must validate that this certificate
is associated with the domain name used by the client to get to the is associated with the domain name used by the client to get to the
server. Currently, the client must extract the domain name from the server. Currently, the client must extract the domain name from the
certificate, must trust a trust anchor upon which the server's certificate, must trust a trust anchor upon which the server's
certificate is rooted, and must successfully validate the certificate is rooted, and must successfully validate the
skipping to change at page 9, line 26 skipping to change at page 10, line 26
secure TLSA RRset. secure TLSA RRset.
o If the DNSSEC validation state on the response to the request for o If the DNSSEC validation state on the response to the request for
the TLSA RRset is bogus, this MUST cause TLS not to be started or, the TLSA RRset is bogus, this MUST cause TLS not to be started or,
if the TLS negotiation is already in progress, to cause the if the TLS negotiation is already in progress, to cause the
connection to be aborted. connection to be aborted.
o A TLSA RRset whose DNSSEC validation state is indeterminate or o A TLSA RRset whose DNSSEC validation state is indeterminate or
insecure cannot be used for TLS and MUST be marked as unusable. insecure cannot be used for TLS and MUST be marked as unusable.
Clients that validate the DNSSEC signatures themselves SHOULD use If an application receives zero usable certificate associations, it
standard DNSSEC validation procedures. Clients that do not validate processes TLS in the normal fashion without any input from the TLSA
the DNSSEC signatures themselves MUST use a secure transport (e.g., records; otherwise, that application attempts to match each
TSIG [RFC2845], SIG(0) [RFC2931], or IPsec [RFC6071]) between certificate association with the TLS server's end entity certificate.
themselves and the entity performing the signature validation.
Clients that validate the DNSSEC signatures themselves MUST either
use standard DNSSEC validation procedures or a secure transport (such
as TSIG [RFC2845], SIG(0) [RFC2931], or IPsec [RFC6071]) between
themselves and the entity performing the DNSSEC signature validation.
Note that it is not sufficient to use secure transport to a DNS
resolver that does not do DNSSEC signature validation.
If a certificate association contains a certificate usage, selector, If a certificate association contains a certificate usage, selector,
or matching type that is not understood by the TLS client, that or matching type that is not understood by the TLS client, that
certificate association MUST be marked as unusable. If the certificate association MUST be marked as unusable. If the
comparison data for a certificate is malformed, the certificate comparison data for a certificate is malformed, the certificate
association MUST be marked as unusable. association MUST be marked as unusable.
5. TLSA and DANE Use Cases and Requirements 5. TLSA and DANE Use Cases and Requirements
The different types of certificates for association defined in TLSA The different types of certificates for association defined in TLSA
skipping to change at page 13, line 38 skipping to change at page 14, line 44
certificate used in TLSA records with a certificate type of 2 are in certificate used in TLSA records with a certificate type of 2 are in
fact able to be used as reliable trust anchors. fact able to be used as reliable trust anchors.
9. Acknowledgements 9. Acknowledgements
Many of the ideas in this document have been discussed over many Many of the ideas in this document have been discussed over many
years. More recently, the ideas have been discussed by the authors years. More recently, the ideas have been discussed by the authors
and others in a more focused fashion. In particular, some of the and others in a more focused fashion. In particular, some of the
ideas here originated with Paul Vixie, Dan Kaminsky, Jeff Hodges, ideas here originated with Paul Vixie, Dan Kaminsky, Jeff Hodges,
Phill Hallam-Baker, Simon Josefsson, Warren Kumari, Adam Langley, Ben Phill Hallam-Baker, Simon Josefsson, Warren Kumari, Adam Langley, Ben
Laurie, Ilari Liusvaara, Scott Schmit, Ondrej Sury, Richard Barnes, Laurie, Ilari Liusvaara, Ondrej Mikle, Scott Schmit, Ondrej Sury,
and Jim Schaad. Richard Barnes, Jim Schaad, and Stephen Farrell.
This document has also been greatly helped by many active This document has also been greatly helped by many active
participants of the DANE Working Group. participants of the DANE Working Group.
10. References 10. References
10.1. Normative References 10.1. Normative References
[DANEUSECASES] [DANEUSECASES]
Barnes, R., "Use Cases and Requirements for DNS-based Barnes, R., "Use Cases and Requirements for DNS-based
skipping to change at page 15, line 21 skipping to change at page 16, line 27
[RFC4255] Schlyter, J. and W. Griffin, "Using DNS to Securely [RFC4255] Schlyter, J. and W. Griffin, "Using DNS to Securely
Publish Secure Shell (SSH) Key Fingerprints", RFC 4255, Publish Secure Shell (SSH) Key Fingerprints", RFC 4255,
January 2006. January 2006.
[RFC6071] Frankel, S. and S. Krishnan, "IP Security (IPsec) and [RFC6071] Frankel, S. and S. Krishnan, "IP Security (IPsec) and
Internet Key Exchange (IKE) Document Roadmap", RFC 6071, Internet Key Exchange (IKE) Document Roadmap", RFC 6071,
February 2011. February 2011.
Appendix A. Operational Considerations for Deploying TLSA Records Appendix A. Operational Considerations for Deploying TLSA Records
A.1. Provisioning TLSA Records with Aliases A.1. Creating TLSA Records
When creating TLSA records with certificate usage type 0 or 2, care
needs to be taken when choosing between selector type 0 (full
certificate) and 1 (SubjectPublicKeyInfo) because of the algorithms
that various TLS clients employ to build their trust-chain. The
following outlines some important cases and discusses implications of
the choice of selector type.
Note that certificate usage 2 is not affected by this discussion if
the association is made to an end entity certificate.
A.1.1. Ambiguities and Corner Cases When TLS Clients Build Trust Chains
TLS clients are known to implement methods that may cause any
certificate (except the end entity certificate in the original
certificate chain sent by server) to be exchanged or removed from the
trust chain when client builds trust chain.
Certificates the client can use to replace certificates from original
chain include:
o Client's trust anchors
o Certificates cached locally
o Certificates retrieved from a URI listed in an Authority
Information Access X.509v3 extension
CAs frequently reissue certificates with a different validity period,
a hash in the signature algorithm or PKIX extensions; only the public
key, issuer and subject remain intact. Thes reissued certificates
are certificates that the TLS client can use in place of original
certificate.
Clients are known to exchange or remove certificates that could cause
TLSA association that rely on the full certificate to fail. For
example:
o The client considers the hash in signature algorithm of a
certificate no longer sufficiently secure
o A cross-certificate issued to CA2 by CA1 is represented by a self-
signed root certificate of CA2 as a trust anchor in client's trust
store
o A CA certificate above the cross-certificate in original chain may
be removed from the chain because the client found a trust anchor
below that CA certificate
A.1.2. Choosing a Selector Type
A.1.2.1. Selector Type 0
The "Full certificate" selector provides most precise specification
of a trust anchor. Such non-ambiguity foils a class of hypothetical
future attacks on a CA where the CA issues new certificate with an
identical SubjectPublicKeyInfo, but a different issuer, subject, or
extensions that would allow redirection of a trust chain. This "Full
certificate" selector would also foil bad practices or negligence of
a CA if the CA uses the same key for unrelated CA certificates.
For a DNS administrator, the best course to avoid false-positive
failures at client's side when using this selector is:
o Do not associate to CA certificates that have a signature
algorithm with hash that is considered weak if that CA has issued
a replacement certificate.
o Determine how common client applications process the TLSA
association using a fresh client installation, that is, with the
local certificate cache empty.
A.1.2.2. Selector Type 1
A SubjectPublicKeyInfo selector gives greater flexibility in avoiding
many false-positive failures caused by trust-chain-building
algorithms used in many clients.
One specific use-case should be noted: creating a TLSA association to
certificate I1 that directly signed end entity certificate S1 of the
server. Because the key used to sign S1 is fixed, the association to
I1 must succeed: if the client swaps I1 for I2 (a different
certificate), I2's SubjectPublicKeyInfo must match the
SubjectPublicKeyInfo of I1. Such association would not suffer from
false-positive failure on the client if the client uses a reissued CA
certificate I2 in place of I1.
The attack surface is a bit broader compared to "full certificate"
selector:
o The administrator must know or trust the CA not to engage in bad
practices, such as not sharing key of I1 for unrelated CA
certificates leading to trust-chain redirect
o The administrator should understand whether some PKIX extension
may adversely affect security of the association. If possible,
administrators should review all CA certificates that share the
SubjectPublicKeyInfo.
Using the SubjectPublicKeyInfo selector for association with a
certificate in a chain above I1 needs to be decided on a case-by-case
basis: there are too many possibilities based on the issuing CA's
practices. Unless the full implications of such an association are
understood by the administrator, using selector type 0 is a better
option from a security perspective.
In practice, sharing keys in differently-purposed CA certificates is
rare, but certainly happens sometimes. An attack on an association
by SubjectPublicKeyInfo would require either gross negligence on the
part of the CA or an attacker gaining control of CA.
A.2. Provisioning TLSA Records in DNS
A.2.1. Provisioning TLSA Records with Aliases
The TLSA resource record is not special in the DNS; it acts exactly The TLSA resource record is not special in the DNS; it acts exactly
like any other RRtype where the queried name has one or more labels like any other RRtype where the queried name has one or more labels
prefixed to the base name, such as the SRV RRtype [RFC2782]. This prefixed to the base name, such as the SRV RRtype [RFC2782]. This
affects the way that the TLSA resource record is used when aliasing affects the way that the TLSA resource record is used when aliasing
in the DNS. in the DNS.
Note that the IETF sometimes adds new types of aliasing in the DNS. Note that the IETF sometimes adds new types of aliasing in the DNS.
If that happens in the future, those aliases might affect TLSA If that happens in the future, those aliases might affect TLSA
records, hopefully in a good way. records, hopefully in a good way.
A.1.1. Provisioning TLSA Records with CNAME Records A.2.1.1. Provisioning TLSA Records with CNAME Records
Using CNAME to alias in DNS only aliases from the exact name given, Using CNAME to alias in DNS only aliases from the exact name given,
not any zones below the given name. For example, assume that a zone not any zones below the given name. For example, assume that a zone
file has only the following: file has only the following:
sub1.example.com. IN CNAME sub2.example.com. sub1.example.com. IN CNAME sub2.example.com.
In this case, a request for the A record at "bottom.sub1.example.com" In this case, a request for the A record at "bottom.sub1.example.com"
would not return any records because the CNAME given only aliases the would not return any records because the CNAME given only aliases the
name given. Assume, instead, the zone file has the following: name given. Assume, instead, the zone file has the following:
skipping to change at page 17, line 5 skipping to change at page 20, line 24
In this example, someone looking for the TLSA record for In this example, someone looking for the TLSA record for
sub5.example.com would always get the record whose value starts sub5.example.com would always get the record whose value starts
"308202c5308201ab"; the TLSA record whose value starts "308202c5308201ab"; the TLSA record whose value starts
"ac49d9ba4570ac49" would only be sought by someone who is looking for "ac49d9ba4570ac49" would only be sought by someone who is looking for
the TLSA record for sub6.example.com, and never for sub5.example.com. the TLSA record for sub6.example.com, and never for sub5.example.com.
Note that these methods use the normal method for DNS aliasing using Note that these methods use the normal method for DNS aliasing using
CNAME: the DNS client requests the record type that they actually CNAME: the DNS client requests the record type that they actually
want. want.
A.1.2. Provisioning TLSA Records with DNAME Records A.2.1.2. Provisioning TLSA Records with DNAME Records
Using DNAME records allows a zone owner to alias an entire subtree of Using DNAME records allows a zone owner to alias an entire subtree of
names below the name that has the DNAME. This allows the wholesale names below the name that has the DNAME. This allows the wholesale
aliasing of prefixed records such as those used by TLSA, SRV, and so aliasing of prefixed records such as those used by TLSA, SRV, and so
on without aliasing the name itself. However, because DNAME can only on without aliasing the name itself. However, because DNAME can only
be used for subtrees of a base name, it is rarely used to alias be used for subtrees of a base name, it is rarely used to alias
individual hosts that might also be running TLS. individual hosts that might also be running TLS.
; TLSA record in target domain, visible in original domain via DNAME ; TLSA record in target domain, visible in original domain via DNAME
; ;
sub5.example.com. IN CNAME sub6.example.com. sub5.example.com. IN CNAME sub6.example.com.
_tcp.sub5.example.com. IN DNAME _tcp.sub6.example.com. _tcp.sub5.example.com. IN DNAME _tcp.sub6.example.com.
sub6.example.com. IN A 10.0.0.0 sub6.example.com. IN A 10.0.0.0
_443._tcp.sub6.example.com. IN TLSA 1 1 1 536a570ac49d9ba4... _443._tcp.sub6.example.com. IN TLSA 1 1 1 536a570ac49d9ba4...
A.1.3. Provisioning TLSA Records with Wildcards A.2.1.3. Provisioning TLSA Records with Wildcards
Wildcards are generally not terribly useful for RRtypes that require Wildcards are generally not terribly useful for RRtypes that require
prefixing because you can only wildcard at a layer below the host prefixing because you can only wildcard at a layer below the host
name. For example, if you want to have the same TLSA record for name. For example, if you want to have the same TLSA record for
every TCP port for www.example.com, you might have every TCP port for www.example.com, you might have
*._tcp.www.example.com. IN TLSA 1 1 1 5c1502a6549c423b... *._tcp.www.example.com. IN TLSA 1 1 1 5c1502a6549c423b...
This is possibly useful in some scenarios where the same service is This is possibly useful in some scenarios where the same service is
offered on many ports. offered on many ports.
A.2. Provisioning Using NS Records A.2.2. Provisioning with NS Records
[[ This was proposed, and questioned, and not yet followed through [[ This was proposed, and questioned, and not yet followed through
on. ]] on. ]]
A.3. Securing the Last Hop A.3. Securing the Last Hop
[[ Need to add text here about the various ways that a client who is [[ Need to add text here about the various ways that a client who is
pulling in TLSA records can be sure that they are protected by pulling in TLSA records can be sure that they are protected by
DNSSEC. ]] DNSSEC. ]]
skipping to change at page 18, line 13 skipping to change at page 21, line 31
the TLS server. ]] the TLS server. ]]
Appendix B. Pseudocode for Using TLSA Appendix B. Pseudocode for Using TLSA
This appendix describes the interactions given earlier in this This appendix describes the interactions given earlier in this
specification in pseudocode format. This appendix is non-normative. specification in pseudocode format. This appendix is non-normative.
If the steps below disagree with the text earlier in the document, If the steps below disagree with the text earlier in the document,
the steps earlier in the document should be considered correct and the steps earlier in the document should be considered correct and
this text incorrect. this text incorrect.
TLS connect using [transport] to [hostname] on [port] and B.1. Helper Functions
receiving end entity cert C for the TLS server:
(TLSArecords, ValState) = DNSSECValidatedLookup( // implement the function for exiting
name=_[port]._[transport].[hostname], RRtype=TLSA, class=IN) function Finish (F) = {
if (F == 0) {
abort the TLS handshake or prevent TLS from starting
exit
}
// check for states that would change processing if (F == 1) {
if (ValState == BOGUS) { fall back to non-TLSA certificate validation
abort or prevent TLS handshake exit
} }
if ((ValState == INDETERMINATE) or (ValState == INSECURE)) {
fall back to non-TLSA certificate validation if (F == 2) {
} accept the TLS connection
// if here, ValState must be SECURE exit
}
// unreachable
for each R in TLSArecords {
// unusable records include unknown certUsage, unknown
// selectorType, unknown matchingType, and erroneous RDATA
if R is unusable, remove it from TLSArecords
}
if (length(TLSArecords) == 0) {
fall back to non-TLSA certificate validation
} }
// implement the selector function // implement the selector function
function Select(S, X) = { function Select (S, X) = {
// Full certificate
if (S == 0) { if (S == 0) {
return X return X
} }
// SubjectPublicKeyInfo
if (S == 1) { if (S == 1) {
return X.SubjectPublicKey return X.SubjectPublicKeyInfo
} }
return undef return undef
} }
// implement the matching function // implement the matching function
function Match(M, X, Y) { function Match (M, X, Y) {
// Exact match on selected content
if (M == 0) { if (M == 0) {
return (X == Y) return (X == Y)
} }
// SHA-256 hash of selected content
if (M == 1) { if (M == 1) {
return (SHA-256(X) == Y) return (SHA-256(X) == Y)
} }
// SHA-512 hash of selected content
if (M == 2) { if (M == 2) {
return (SHA-512(X) == Y) return (SHA-512(X) == Y)
} }
return undef return undef
} }
B.2. Main TLSA Pseudo Code
TLS connect using [transport] to [name] on [port] and receiving end
entity cert C for the TLS server:
(TLSArecords, ValState) = DNSSECValidatedLookup(
domainname=_[port]._[transport].[name], RRtype=TLSA, class=IN)
// check for states that would change processing
if (ValState == BOGUS) {
Finish(0)
}
if ((ValState == INDETERMINATE) or (ValState == INSECURE)) {
Finish(1)
}
// if here, ValState must be SECURE
for each R in TLSArecords {
// unusable records include unknown certUsage, unknown
// selectorType, unknown matchingType, and erroneous RDATA
if (R is unusable) remove it from TLSArecords
}
if (length(TLSArecords) == 0) {
Finish(1)
}
// A TLS client might have multiple trust anchors that it might use // A TLS client might have multiple trust anchors that it might use
// when validating the TLS server's end entity certificate. Also, // when validating the TLS server's end entity certificate. Also,
// there can be multiple PKIX validation chains for the // there can be multiple PKIX validation chains for the
// certificates given by the server in TLS. Thus, there are // certificates given by the server in TLS. Thus, there are
// possibly many chains that might need to be tested during // possibly many chains that might need to be tested during
// PKIX validation. // PKIX validation.
for each R in TLSArecords { for each R in TLSArecords {
// pass PKIX validation and chain through CA cert from TLSA // pass PKIX validation and chain through CA cert from TLSA
if (R.certUsage == 0) { if (R.certUsage == 0) {
for each PKIX validation chain H { for each PKIX validation chain H {
if (C passes PKIX validation in H) { if (C passes PKIX validation in H) {
for each D in H { for each D in H {
if (D is a CA certificate) and if (D is a CA certificate) and
Match(matchingType, Select(selectorType, D), R) { Match(matchingType, Select(selectorType, D), R) {
accept the TLS connection Finish(2)
} }
} }
} }
} }
// pass PKIX validation and match EE cert from TLSA // pass PKIX validation and match EE cert from TLSA
if (R.certUsage == 1) { if (R.certUsage == 1) {
for each PKIX validation chain H { for each PKIX validation chain H {
if (C passes PKIX validation in H) { if (C passes PKIX validation in H) {
if (Match(matchingType, Select(selectorType, C), R)) { if (Match(matchingType, Select(selectorType, C), R)) {
accept the TLS connection Finish(2)
} }
} }
} }
} }
// pass PKIX validation using TLSA record as trust anchor // pass PKIX validation using TLSA record as trust anchor
if (R.certUsage == 2) { if (R.certUsage == 2) {
for each PKIX validation chain H that has R as the trust anchor { for each PKIX validation chain H that has R as the trust anchor {
if (C passes PKIX validation in H) { if (C passes PKIX validation in H) {
accept the TLS connection Finish(2)
} }
} }
} }
} }
// if here, the TLS connection was not accepted above // if here, the none of the TLSA records was sufficient for TLS
abort or prevent TLS handshake Finish(0)
Authors' Addresses Authors' Addresses
Paul Hoffman Paul Hoffman
VPN Consortium VPN Consortium
Email: paul.hoffman@vpnc.org Email: paul.hoffman@vpnc.org
Jakob Schlyter Jakob Schlyter
Kirei AB Kirei AB
 End of changes. 32 change blocks. 
86 lines changed or deleted 244 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/